Researchers at Varonis Threat Labs have disclosed a proof-of-concept technique for silently exfiltrating outgoing email from Microsoft 365 accounts using a legitimate Outlook add-in. Named Exfil Out&Look, the method abuses the add-in framework in Outlook Web Access (OWA) to intercept and transmit email content without leaving traces in the tenant's audit logs. The attacker builds a custom Outlook add-in with standard web technologies and a manifest that requests an ordinary, item-scoped permission level, ReadWriteItem, rather than full mailbox access.[1]
That permission is enough to read the active email's subject, body, recipients, timestamp, and attachment details. The add-in activates on the OnMessageSend event, which fires automatically when a user clicks Send. Its JavaScript handler then reads the message content and forwards it asynchronously to an attacker-controlled server (for example with fetch()) before allowing the send to complete normally, so the user sees nothing unusual. Installation can happen at the user level through OWA's custom add-ins section, where an individual uploads the manifest file. For broader impact, an attacker holding Global Administrator or Exchange Administrator rights can deploy the add-in tenant-wide through the Microsoft 365 Admin Center. Deployed in this way, typically as "fixed" so that end users cannot remove it, the add-in applies to every mailbox and captures every user's sent mail.
The key concern is the absence of logging. Unlike Outlook Desktop, which records add-in installations locally, OWA writes no entries to the Unified Audit Log for add-in installation, execution, or data access, even in tenants with advanced auditing enabled. An initial admin deployment may leave limited Azure AD (now Entra ID) or Exchange log entries, but the ongoing exfiltration itself produces none; a responder who did not capture the deployment event has nothing to search for afterwards.
Varonis reported the issue to Microsoft through the Microsoft Security Response Center on 30 September 2025. Microsoft reviewed the submission, classified it as a low-severity product bug or suggestion with no immediate patch planned, and permitted public disclosure to raise awareness in the security community. Varonis's research article was last updated on 28 January 2026 and states that the behaviour remains unremediated.
Varonis reports that the technique does not apply to the Outlook Desktop client, where local logging gives some visibility into add-in activity. It recommends several defensive measures. Organizations should restrict custom add-in installation through Microsoft 365 policies (in Exchange Online, user self-installation is governed by the "My Custom Apps" and "My Marketplace Apps" roles in the default role assignment policy), regularly audit deployed add-ins and app registrations, and monitor for suspicious outbound connections from Outlook sessions. One caveat on the last point: an OWA add-in's code runs in the user's browser, so its fetch() calls look like ordinary HTTPS traffic from the endpoint, not from Exchange; the hosts named in each deployed add-in's manifest are therefore the more reliable indicator of where data could be going.
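The add-in described above is fully characterised by its manifest: an item-level permission (ReadWriteItem), an OnMessageSend launch event, and JavaScript hosted on a server the organization does not control. The audit below, written for this page as an added example and not Varonis's proof-of-concept or Microsoft's code, scores a manifest on exactly that combination, which is the check a practitioner would run over every manifest exported from the tenant (for example via Exchange Online PowerShell's Get-App) when following the "audit deployed add-ins" recommendation. Both manifests, the TRUSTED_HOSTS allow-list and the attacker-controlled.example host are constructed for the example; the element and attribute names follow the Outlook XML manifest schema.

```python
"""Flag Outlook add-in manifests that combine item-read permission, send-time
activation and off-tenant hosting: the Exfil Out&Look pattern. Added example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical allow-list: hosts this organization expects add-in code to load from.
TRUSTED_HOSTS = {"addins.contoso.example"}

# Manifest permission levels that expose the active item's subject, body and recipients.
ITEM_READ_PERMISSIONS = {"ReadItem", "ReadWriteItem", "ReadWriteMailbox"}
# Event-based activations that fire automatically when the user presses Send.
SEND_EVENTS = {"OnMessageSend", "OnAppointmentSend"}


@dataclass
class Finding:
    permission: str = ""
    send_events: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    untrusted_hosts: set = field(default_factory=set)

    @property
    def risk(self) -> str:
        reads_item = self.permission in ITEM_READ_PERMISSIONS
        if reads_item and self.send_events and self.untrusted_hosts:
            return "high"    # can read every outgoing mail and ship it off-tenant
        if reads_item and (self.send_events or self.untrusted_hosts):
            return "medium"
        return "low"


def _local(tag: str) -> str:
    """Strip the XML namespace; manifest elements sit in several namespaces."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text: str, trusted_hosts=TRUSTED_HOSTS) -> Finding:
    """Collect permission, send-time launch events and every host the add-in loads from."""
    root = ET.fromstring(xml_text.strip())
    f = Finding()
    for el in root.iter():
        name = _local(el.tag)
        if name == "Permissions":
            f.permission = (el.text or "").strip()
        elif name == "LaunchEvent" and el.get("Type") in SEND_EVENTS:
            f.send_events.append(el.get("Type"))
        elif name in ("Url", "SourceLocation") and el.get("DefaultValue"):
            host = urlparse(el.get("DefaultValue")).hostname
            if host:
                f.hosts.add(host)
        elif name == "AppDomain" and el.text:
            f.hosts.add(urlparse(el.text.strip()).hostname or el.text.strip())
    f.untrusted_hosts = {h for h in f.hosts if h not in trusted_hosts}
    return f


# Constructed sample: the pattern the article describes (not a real add-in).
SUSPICIOUS_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000001</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Constructed Example</ProviderName>
  <DisplayName DefaultValue="Signature Helper"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://attacker-controlled.example/taskpane.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides/1.1"
      xsi:type="VersionOverridesV1_1">
    <Hosts><Host xsi:type="MailHost"><DesktopFormFactor>
      <ExtensionPoint xsi:type="LaunchEvent">
        <LaunchEvents>
          <LaunchEvent Type="OnMessageSend" FunctionName="onMessageSendHandler" SendMode="SoftBlock"/>
        </LaunchEvents>
        <SourceLocation resid="Runtime.Url"/>
      </ExtensionPoint>
    </DesktopFormFactor></Host></Hosts>
    <Resources><bt:Urls>
      <bt:Url id="Runtime.Url" DefaultValue="https://attacker-controlled.example/runtime.html"/>
    </bt:Urls></Resources>
  </VersionOverrides>
</OfficeApp>"""

# Constructed sample: read-only pane, restricted permission, trusted host.
BENIGN_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000002</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Constructed Example</ProviderName>
  <DisplayName DefaultValue="Read-only Viewer"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://addins.contoso.example/viewer.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>Restricted</Permissions>
</OfficeApp>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = audit_manifest(manifest)
        print(f"{label}: risk={f.risk} permission={f.permission} "
              f"events={f.send_events} untrusted={sorted(f.untrusted_hosts)}")
```

The scoring is deliberately conservative: ReadWriteItem plus OnMessageSend alone is what a legitimate "Smart Alerts" compliance add-in also looks like, so it is only rated high when the code is additionally hosted somewhere outside the allow-list. Fixed (non-removable) deployment is an Admin Center setting rather than a manifest field, so it has to be checked separately in the tenant.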
The researchers also urge Microsoft to implement comprehensive audit logging for add-in events in OWA, add behavioral monitoring for sensitive actions, and introduce risk-based classifications for add-ins. This disclosure highlights ongoing challenges in monitoring trusted features within cloud productivity platforms.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
[1] https://www.cybersecurityintelligence.com/blog/stealthy-email-exfiltration-via-outlook-add-ins-in-ms365-9081.html