Microsoft Discontinues Embedded SVG Support in Outlook for Enhanced Security

In September 2025, Microsoft began gradually discontinuing support for embedded SVG images in Outlook for the web and the new Outlook client for Windows. The company explained this decision as part of its enhanced security measures and an effort to align Outlook’s functionality with other email services that have long restricted the direct rendering of such files within email bodies.

Henceforth, embedded graphics in emails will appear as blank spaces. According to Microsoft, SVGs account for less than 0.1% of all images in Outlook, meaning the change will have a negligible impact on most users. Attached SVG files, however, will remain available for download and viewing as standard attachments.

The global rollout began in early September and concluded by mid-month. For government cloud environments — GCC, GCC-High, DoD, and Gallatin — the timeline was slightly adjusted: deployment began in late September and is scheduled to finish by mid-October. Initially, Microsoft intended to complete the process by the end of September but later revised its schedule.

The company emphasized that neither users nor administrators need to take any action — the transition is entirely automated and requires no manual configuration. Organizations are merely advised to update internal documentation and inform employees who might rely on embedded SVG files in their communications.

This restriction stems from potential security risks associated with processing SVG graphics, which can, in some cases, contain scriptable elements and be exploited for attacks such as cross-site scripting (XSS). By implementing this change, Microsoft aims to minimize vulnerabilities and strengthen the protection of corporate email systems without disrupting conventional file-sharing workflows.

While no additional compliance requirements or regulatory obligations have been identified, Microsoft recommends that organizations review their internal processes to ensure that the update does not inadvertently affect their operations.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy