Microsoft Outlook: No more SVG display for security reasons

The SVG vector graphics format is a gateway for malware. Microsoft is therefore pulling the plug on the format in Outlook, at least partly.

Image: the "Microsoft Office Home" window with a magnifying glass enlarging the Outlook logo, next to the logos for OneDrive, Word, Excel and PowerPoint.

(Image: dennizn / Shutterstock)


Seemingly inconspicuous graphics in SVG (Scalable Vector Graphics) format are being used by malicious actors as a gateway for malware, delivered to victims' computers as attachments to phishing emails, for example. Microsoft is closing this potential gap by simply no longer rendering inline SVG images in the new Outlook for Windows and in Outlook for Web.

Microsoft announced the change in the Microsoft 365 Admin Center. According to the announcement, the global roll-out started at the beginning of September and was completed in the middle of the month; for the "GCC, GCC-H, DoD, Gallatin" environments it should be completed by mid-October. "Inline SVG images will no longer be displayed by Outlook for Web and the new Outlook for Windows. Instead, users will see a blank space where these images should be displayed," explains Microsoft.

According to Microsoft, this affects less than 0.1 percent of all images used in Outlook, so the impact should be minimal. SVG files sent as traditional attachments, however, remain supported and can still be opened from the attachment list. The change is meant to ward off security risks such as cross-site scripting attacks, and it is worth being clear about how narrow it is: only inline rendering inside the mail body is removed, while an attached SVG that a user downloads and opens in a browser is still rendered as a full SVG document, scripts included. Admins do not need to do anything, but Microsoft recommends noting the change in internal documentation and informing users who rely on inline SVG graphics in emails.

In the middle of the year, the Austrian CERT (CERT.at) issued a warning about malicious SVG files. An SVG file is an XML document describing the graphic, but it can also carry JavaScript, in <script> elements or in event-handler attributes, which the rendering component executes when it treats the file as a document rather than as a plain picture. Phishers abuse this to redirect recipients to fake login pages, to draw a fake login form directly inside the image, or even to install malware.


VirusTotal, which belongs to Google, also recently uncovered a Colombian malware campaign built on malicious SVGs. Between the beginning of August and the beginning of September, the malware scanning service received more than 140,000 unique SVG files, of which 1,442 were flagged as malicious by at least one antivirus engine, i.e., roughly one percent of the files checked. The pool also contained malicious SVGs that no scanner had identified: using its AI-based "Code Insight" feature, VirusTotal fished 44 more malicious SVGs out of it. These relied on code obfuscation, on polymorphism so that every file differed slightly from the next, and on large amounts of useless dummy code to hamper static detection. On closer examination, several of the files turned out to belong to a campaign whose emails claimed to come from the Colombian Attorney General's office. A simple search for text passages from the malicious SVGs returned 523 further hits from the past 365 days.
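The two mechanisms described above, JavaScript riding inside an XML picture and obfuscation layered on top to defeat static scanning, are easy to check for at a mail gateway because an SVG is just XML. The following scanner is an added example written for this article; it is not code from Microsoft, CERT.at or VirusTotal, and its detection rules are the editor's own heuristics. The two sample files are constructed for the example (the phishing one redirects to the placeholder https://example.com/login, hidden in base64 exactly as the campaigns do); the stdlib XML parser stands in for defusedxml so the example runs without extra packages.

```python
"""Static triage of SVG files, for example in a mail-flow or gateway hook.

Walks the XML element tree and flags the features that turn a picture into a
script host once a browser engine renders it: <script> elements, on* event
handler attributes, javascript: URIs, <foreignObject> (arbitrary HTML inside
SVG), references to external hosts, plus the obfuscation tell-tales (atob/eval
calls, long opaque blobs) seen in the VirusTotal campaign.
Detection rules are the author's own heuristics, not CERT.at's or VirusTotal's.
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Attributes that carry a URL: SVG 2 plain href or the older xlink:href.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# JavaScript APIs that a logo never needs but packed payloads always use.
OBFUSCATION_RE = re.compile(r"\b(eval|atob|unescape|Function|fromCharCode)\s*\(")
# A run of 200+ base64-alphabet characters: an embedded payload or dummy filler.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return [(finding, detail), ...]; an empty list means nothing suspicious.

    Assumption: the caller has already bounded the file size. In production,
    parse with defusedxml to rule out entity-expansion tricks; the stdlib
    parser is used here only so the example runs stand-alone.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Unparseable input is itself a finding: renderers are more forgiving
        # than this parser and may happily run what we could not inspect.
        return [("malformed-xml", str(exc))]
    if local_name(root.tag) != "svg":
        findings.append(("not-svg-root", local_name(root.tag)))
    for el in root.iter():                      # iter() includes the root element
        name = local_name(el.tag)
        if name == "script":
            findings.append(("script-element", (el.text or "").strip()[:60]))
        elif name == "foreignObject":
            findings.append(("foreign-object", "HTML content embedded in SVG"))
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(("event-handler", f"{name}@{aname}"))
            if attr in URL_ATTRS:
                v = value.strip()
                if v.lower().startswith("javascript:"):
                    findings.append(("javascript-uri", f"{name}@{aname}"))
                elif v.lower().startswith(("http://", "https://", "//")):
                    findings.append(("external-reference", v[:80]))
    text = data.decode("utf-8", errors="replace")
    m = OBFUSCATION_RE.search(text)
    if m:
        findings.append(("obfuscation-api", m.group(1)))
    m = BLOB_RE.search(text)
    if m:
        findings.append(("large-opaque-blob", f"{len(m.group(0))} chars"))
    return findings


def should_block(data: bytes) -> bool:
    """Policy (author's choice): anything that can execute code or that we could
    not parse is blocked; an opaque blob or odd root element is only logged."""
    hard = {"script-element", "event-handler", "javascript-uri",
            "foreign-object", "malformed-xml"}
    return any(kind in hard for kind, _ in scan_svg(data))


# Constructed sample 1: an ordinary company logo, nothing to flag.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40" viewBox="0 0 120 40">
  <rect width="120" height="40" rx="6" fill="#0078d4"/>
  <text x="10" y="26" font-family="sans-serif" font-size="16" fill="#fff">ACME Corp</text>
</svg>"""

# Constructed sample 2, in the style the article describes: looks like a
# document preview, but onload/javascript: hand control to a <script> block
# that decodes a base64 URL with atob() and sends the viewer to a phishing page.
PHISHING_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400" onload="init()">
  <rect width="600" height="400" fill="#fff"/>
  <text x="20" y="40" font-size="20">Open document</text>
  <a xlink:href="javascript:init()"><text x="20" y="80">Sign in</text></a>
  <script><![CDATA[
    function init(){
      var u = atob("aHR0cHM6Ly9leGFtcGxlLmNvbS9sb2dpbg==");  // https://example.com/login
      window.location = u;
    }
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("phishing", PHISHING_SVG)):
        print(label, "block" if should_block(sample) else "allow", scan_svg(sample))
```

Note what the scanner does not see: the phishing URL never appears in an href, so the `external-reference` rule stays silent, and only the `atob(` call and the `<script>` element give the file away. Polymorphic variants that rename functions or pad the file with dummy paths still trip the same structural rules, which is why active-content checks are more durable than signature matching on the script text.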

SVGs therefore pose a real danger in practice. Microsoft is reducing the attack surface by no longer rendering inline SVG graphics. Where that is not enough, for instance because users routinely open SVG attachments, IT managers should go a step further and implement the Austrian CERT's recommendations for handling SVGs.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.