Full Report
Microsoft says Outlook for Web and the new Outlook for Windows will no longer display risky inline SVG images that are being used in attacks. [...]
Analysis Summary
# Vulnerability: Microsoft Outlook Stops Displaying Inline SVG Images
## CVE Details
- CVE ID: N/A (this is a mitigation/feature change; no CVE has been assigned to the underlying issue)
- CVSS Score: N/A
- CWE: N/A (Related to potential XSS/Phishing vectors)
## Affected Systems
- Products: Microsoft Outlook for Web, New Outlook for Windows
- Versions: Specific versions are not detailed, but the change is being rolled out globally starting early September 2025.
- Configurations: Inline SVG images embedded within emails. (SVG files as traditional attachments remain supported.)
## Vulnerability Description
Malicious actors have extensively used inline Scalable Vector Graphics (SVG) images within emails to bypass security controls, deploy malware, and execute phishing forms (e.g., using PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA). This technique can potentially lead to Cross-Site Scripting (XSS) attacks. Microsoft is mitigating this risk by modifying Outlook for Web and the New Outlook for Windows to stop rendering these inline SVG images.
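For mail-gateway or triage tooling that wants to flag the same vector Outlook now refuses to render, the following added example (not code from Microsoft or from the article) parses a MIME message and reports inline SVG in the HTML body, SVG carried as a `data:` URI, and whether any inline SVG contains active content; the message is a constructed sample and the sender/recipient addresses are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Two ways an SVG ends up inline in an HTML mail body: a literal <svg> element,
# or an <img>/<object> whose src is a data: URI carrying SVG.
SVG_BLOCK = re.compile(r"<svg\b.*?</svg\s*>", re.IGNORECASE | re.DOTALL)
SVG_DATA_URI = re.compile(r"data:image/svg\+xml", re.IGNORECASE)
# Markup that turns an "image" into executable content (script, event handlers, js: URLs).
ACTIVE_CONTENT = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def scan_html_for_inline_svg(html: str) -> dict:
    """Count inline SVG constructs in an HTML body and flag active content inside them."""
    blocks = SVG_BLOCK.findall(html)
    return {
        "svg_elements": len(blocks),
        "svg_data_uris": len(SVG_DATA_URI.findall(html)),
        "active_content": any(ACTIVE_CONTENT.search(b) for b in blocks),
    }


def scan_message(raw: bytes) -> dict:
    """Walk every MIME part; inline SVG in text/html is flagged, SVG attachments only counted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"svg_elements": 0, "svg_data_uris": 0, "active_content": False, "svg_attachments": 0}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            found = scan_html_for_inline_svg(part.get_content())
            result["svg_elements"] += found["svg_elements"]
            result["svg_data_uris"] += found["svg_data_uris"]
            result["active_content"] |= found["active_content"]
        elif ctype == "image/svg+xml" and part.get_content_disposition() == "attachment":
            result["svg_attachments"] += 1  # still rendered by Outlook via the attachment well
    return result


def build_sample() -> bytes:
    """Constructed sample: plain/HTML alternative body with an inline SVG carrying an event handler,
    plus a benign SVG sent as a regular attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg["From"] = "sender@example.invalid"  # placeholder address
    msg["To"] = "user@example.invalid"      # placeholder address
    msg.set_content("Please see the invoice below.")
    msg.add_alternative('<p>Invoice</p><svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
                        '<rect width="10" height="10"/></svg>', subtype="html")
    msg.add_attachment(b"<svg xmlns='http://www.w3.org/2000/svg'/>", maintype="image",
                       subtype="svg+xml", filename="logo.svg")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports one inline SVG element with active content and one SVG attachment, which is exactly the split the rollout draws: the former is no longer rendered, the latter still is.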
## Exploitation
- Status: Exploited in the wild (Historically used in phishing/malware campaigns, as reported by security firms).
- Complexity: Varies, but the attack vector relies on file embedding that bypasses simple filters.
- Attack Vector: Network (via email)
## Impact
- Confidentiality: Potential impact via XSS leading to credential theft during phishing campaigns.
- Integrity: Potential impact via execution of malicious code or display of deceptive content.
- Availability: Minimal impact expected from the change itself, though disruption of legitimate business communication using SVG imagery (less than 0.1% of images) may occur.
## Remediation
### Patches
This is a defensive feature rollout, not a traditional patch for a single CVE.
- Rollout began worldwide in early September 2025 and is expected to complete by mid-October 2025.
### Workarounds
- Users will see blank spaces where these inline SVG images would have appeared.
- SVG images sent as standard attachments will continue to function and can be viewed from the attachment well.
## Detection
- Indicators of compromise: Display of blank spaces in emails where images are expected, indicating the mitigation has taken effect.
- Detection methods and tools: This change is a vendor-side reduction of the attack surface rather than a detection signature deployment.
## References
- Vendor advisories: Microsoft 365 Message Center update (as described in the article)
- Relevant links (defanged):
  - hxxps://admin.microsoft.com/#/MessageCenter/:/messages/MC1130385
  - hxxps://www.bleepingcomputer.com/news/security/microsoft-outlook-stops-displaying-inline-svg-images-used-in-attacks/