Researchers at Varonis have identified a significant architectural blind spot in the Microsoft 365 ecosystem that allows threat actors to exfiltrate sensitive email data without leaving forensic traces in the tenant's audit logs. The attack method, dubbed "Exfil Out&Look," uses the Outlook add-in framework to covertly intercept outgoing communications.

Unlike traditional exploitation methods that rely on software vulnerabilities, this technique abuses legitimate features of Outlook Web Access (OWA) to sidestep the Microsoft 365 Unified Audit Log, effectively rendering the exfiltration invisible to standard security monitoring tools.

Technical Analysis of Exfil Out&Look

The attack's fundamental mechanism is the abuse of Outlook add-ins, which are programs built with common web technologies such as HTML, CSS, and JavaScript.

Each add-in is described by an XML manifest file that declares the permissions it needs and the integration points it hooks within the Office product.

(Figure: Add-in permissions)

As the Varonis research team showed, a malicious actor can build an add-in around the OnMessageSend event, a feature intended to let legitimate applications process emails before they are sent. By configuring the manifest with minimal permissions, namely the ReadWriteItem level, the add-in can access the subject line, body content, and recipient list of the email being composed.

Importantly, this level of access does not trigger the high-priority consent flows that normally notify users or administrators.

After the user clicks Send, the malicious JavaScript payload runs asynchronously and posts the collected data to an attacker-controlled third-party server using a straightforward fetch() call.

(Figure: Data extraction. Source: Varonis)

This process runs in the background without interfering with the user experience and without requiring elevated privileges such as Mailbox.Read, which would otherwise draw attention. The most concerning part of the finding is the difference in logging behavior between Outlook Desktop and Outlook Web Access.

When an add-in is installed through the Outlook Desktop client, Windows records Event ID 45 in the Event Viewer, a local artifact that forensic teams can examine. Varonis found, however, that installations performed through OWA produce no corresponding entry in the Microsoft 365 Unified Audit Log.
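Because the desktop artifact is the only record that survives, it is worth collecting it routinely. The following PowerShell is an added example (not from the article or from Varonis) that pulls the Outlook Event ID 45 records from a host's Application log and compares them with a saved baseline so that newly appearing add-in loads stand out. The provider name "Outlook", the function names and the baseline file path are assumptions; check them against what your own hosts actually log.

```powershell
# Added example: collect Outlook add-in load events (Event ID 45) from Windows hosts
# and report the ones not seen before.
# Assumption: Outlook writes this event to the Application log under provider name "Outlook".
function Get-OutlookAddinEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Outlook'
        Id           = 45
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                # The message body carries the add-in details; collapse whitespace so
                # identical entries compare equal across hosts and runs.
                AddinInfo   = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

function Compare-OutlookAddinBaseline {
    param(
        [AllowEmptyCollection()][object[]]$Events,
        [string]$BaselinePath = "$env:ProgramData\outlook-addin-baseline.txt"   # assumed location
    )
    $known = if (Test-Path $BaselinePath) { @(Get-Content $BaselinePath) } else { @() }
    $new   = @($Events | Where-Object { $_.AddinInfo -notin $known })
    # Persist the union so the next run only reports genuinely new add-in loads.
    $merged = @($known) + @($new | Select-Object -ExpandProperty AddinInfo)
    $merged | Sort-Object -Unique | Set-Content -Path $BaselinePath
    return $new
}

# Usage: run against your host inventory and print anything not in the baseline.
$hosts  = @($env:COMPUTERNAME)   # replace with the hosts you want to sweep
$events = @($hosts | ForEach-Object { Get-OutlookAddinEvents -ComputerName $_ })
Compare-OutlookAddinBaseline -Events $events |
    Format-Table TimeCreated, Computer, AddinInfo -Wrap
```

The first run seeds the baseline with everything currently loaded; subsequent runs only surface add-ins that were not there before, which is the signal you want for a tenant where the cloud side keeps no installation record.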

This logging gap allows an attacker, whether a malicious insider or an external threat actor who has compromised an account, to install a persistent data-harvesting add-in. Neither the installation nor the subsequent use of the add-in is recorded, even in environments with Microsoft 365 E5 licenses and full auditing enabled. According to the research, the outbound traffic is technically visible at the network boundary, but nothing within the Microsoft 365 tenant correlates with it to show that email content was accessed or exfiltrated.

Varonis reported these findings to the Microsoft Security Response Center (MSRC) on September 30, 2025. After reviewing the issue, Microsoft categorized it as a "low-severity product bug or suggestion" and stated that no patch or short-term fix is currently planned. As a result, the "Exfil Out&Look" technique remains a viable method for data theft.

To reduce this risk, security teams must move from relying on default logs to proactive governance. Administrators can enforce strict policies on add-in installation by blocking user-initiated installs and managing allow-lists only through the Microsoft 365 admin center. Organizations should also watch for unusual service principal creation or application registrations in Azure Active Directory (now Microsoft Entra ID), since these may be the only indicators that a malicious add-in has been deployed across the organization.
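The following Exchange Online PowerShell script is an added example (not the article's or Varonis's code) of the tenant-side work the paragraph describes. It first inventories add-ins that users installed themselves, which is the only tenant artifact left when the Unified Audit Log holds no installation record, and then strips the self-service add-in roles from the default role assignment policy so that only admin-center deployments remain possible. It assumes the ExchangeOnlineManagement module, an account with Organization Management rights, and that the three role names below are present in your default role assignment policy; the function names and the empty approved list are mine.

```powershell
# Added example: inventory user-installed Outlook add-ins and remove self-service install rights.
# Requires: Install-Module ExchangeOnlineManagement; an account with Organization Management.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

function Get-UserInstalledAddins {
    # Org-deployed add-ins come from the admin center; anything a mailbox reports beyond
    # that set was installed by the user (or by whoever held the user's session).
    $orgAppIds = @(Get-App -OrganizationApp | Select-Object -ExpandProperty AppId)
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_
        Get-App -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
            Where-Object { $_.AppId -notin $orgAppIds } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox     = $mbx.UserPrincipalName
                    DisplayName = $_.DisplayName
                    AppId       = $_.AppId
                    Enabled     = $_.Enabled
                    Type        = $_.Type   # Marketplace vs Private (a sideloaded custom manifest)
                }
            }
    }
}

function Disable-SelfServiceAddinInstall {
    param([string]$PolicyName = 'Default Role Assignment Policy')
    # These three roles are what let a user add add-ins without an administrator.
    $appRoles = 'My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps'
    $policy = Get-RoleAssignmentPolicy -Identity $PolicyName
    $keep   = @($policy.AssignedRoles | Where-Object { $_ -notin $appRoles })
    # -Roles replaces the whole set, so pass everything except the add-in roles.
    Set-RoleAssignmentPolicy -Identity $PolicyName -Roles $keep
}

# 1. Review what users have installed; "Private" entries are sideloaded manifests
#    (the Exfil Out&Look case) and deserve the first look.
$found = @(Get-UserInstalledAddins)
$found | Sort-Object Type, DisplayName | Format-Table -AutoSize

# 2. Remove anything not on the approved list, then close the door for future installs.
#    -WhatIf makes this a dry run; drop it once the list above has been reviewed.
$approved = @()   # AppIds you have vetted, as an assumption left empty here
$found | Where-Object { $_.AppId -notin $approved } | ForEach-Object {
    Remove-App -Identity $_.AppId -Mailbox $_.Mailbox -WhatIf
}
Disable-SelfServiceAddinInstall
```

Removing the roles stops new user installs but does not touch add-ins already present, which is why the inventory and removal pass comes first; re-run the inventory periodically, since a compromised account can reinstall an add-in only while the roles are still assigned.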
