The research highlights a critical blind spot in Microsoft 365 monitoring, especially for organizations that rely heavily on Unified Audit Logs for detection and incident response.
Outlook add-ins are web-based extensions (HTML, CSS, JavaScript) defined by an XML manifest that specifies their permissions and integration points. They can display custom UI elements, react to user actions like sending an email, and call external APIs such as Microsoft Graph.
Add-ins can be deployed per user via Outlook Web Access (OWA) or desktop, or tenant-wide by global and Exchange administrators.
Varonis found a sharp visibility gap between Outlook Desktop and OWA. When an add-in is installed through Outlook Desktop, Windows Event Viewer records an Application log entry (Event ID 45), giving defenders at least some local telemetry.
However, the same add-in installed via OWA generates no corresponding entry in Microsoft 365’s Unified Audit Log, even in fully licensed and audited E5 environments.
That means security teams get no native signal that an add-in was installed or executed in OWA, nor that it accessed or transmitted email content.
The core of Exfil Out&Look is a minimally permissioned add-in that hooks the send event: ItemSend in the classic on-send feature, or OnMessageSend in event-based activation.
Using only access to the currently active item, the add-in can read the subject, body, recipients, and timestamp of outgoing emails.
A JavaScript payload, hosted on a remote server, then silently forwards this data to an attacker-controlled endpoint using a simple asynchronous fetch() call.
This behavior is allowed under the standard ReadItem / ReadWriteItem permission levels and does not trigger explicit user consent or dedicated audit events.
Varonis demonstrated both per-user and organization-wide deployment scenarios. A user can upload a custom manifest via OWA under “My Add-ins > Custom Add-ins,” after which the malicious add-in activates automatically on every send action.
At the tenant level, a global or Exchange admin can deploy the add-in from the Microsoft 365 Admin Center (Settings > Integrated Apps > Add-ins) with the “Fixed” assignment for “Everyone,” ensuring it runs for every mailbox and cannot be removed by end users.
While initial deployment actions (such as service principal creation and app registration) are logged, ongoing exfiltration activity remains invisible.
Audit log analysis confirmed that only generic mailbox operations, such as “Created mailbox item” or “Accessed mailbox items,” appear, with no indication that an add-in intercepted content or sent it externally.
This makes malicious or overly permissive add-ins an ideal tool for insider threats, compromised accounts, abused privileged roles, or even supply chain attacks via trojanized store add-ins.
Varonis recommends tighter governance over add-in installation, restricting custom manifest uploads, regularly reviewing admin-deployed add-ins and related service principals, and monitoring outbound traffic for suspicious connections from Outlook clients.
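One concrete way to act on the review recommendation above is to triage the manifests of deployed add-ins for the traits the technique relies on: a hook that runs on every send (ItemSend or OnMessageSend), a permission level of ReadItem or higher, and script or UI hosts outside the organization's own domains. The following is an added example written for this page, not Varonis's tooling or Microsoft's; the manifest it parses is constructed, and the allowlist domain `contoso.example` and the add-in name are placeholders.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Outlook add-in permission levels, least to most privileged.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}
# Event types that run add-in code when a message is sent.
SEND_EVENTS = {"ItemSend", "OnMessageSend"}

# Constructed manifest for this example (not a real add-in); note the ItemSend hook
# and the function file served from a host outside the tenant's domain.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xsi:type="MailApp">
  <Id>11111111-2222-3333-4444-555555555555</Id>
  <DisplayName DefaultValue="Signature Helper"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addins.contoso.example/index.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
                    xsi:type="VersionOverridesV1_0">
    <Hosts><Host xsi:type="MailHost"><DesktopFormFactor>
      <FunctionFile resid="fnFile"/>
      <ExtensionPoint xsi:type="Events">
        <Event Type="ItemSend" FunctionExecution="synchronous" FunctionName="onSend"/>
      </ExtensionPoint>
    </DesktopFormFactor></Host></Hosts>
    <Resources><bt:Urls>
      <bt:Url id="fnFile" DefaultValue="https://cdn.not-contoso.example/commands.html"/>
    </bt:Urls></Resources>
  </VersionOverrides>
</OfficeApp>
"""


@dataclass
class ManifestReport:
    app_id: str
    display_name: str
    permissions: str
    send_hooks: list = field(default_factory=list)    # events that fire on send
    hosts: set = field(default_factory=set)           # every host code/UI is loaded from
    external_hosts: set = field(default_factory=set)  # hosts not covered by the allowlist
    findings: list = field(default_factory=list)


def _local(tag):
    """Element tag without its namespace (manifests mix several namespaces)."""
    return tag.rsplit("}", 1)[-1]


def _is_allowed(host, allowed_hosts):
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def triage_manifest(xml_text, allowed_hosts):
    """Parse an Outlook add-in manifest and report its exfiltration-relevant traits."""
    root = ET.fromstring(xml_text)  # for manifests from untrusted users, prefer defusedxml
    id_el, name_el, perm_el = (root.find(f"{{*}}{t}") for t in ("Id", "DisplayName", "Permissions"))
    report = ManifestReport(
        app_id=(id_el.text or "").strip() if id_el is not None else "",
        display_name=name_el.get("DefaultValue", "") if name_el is not None else "",
        permissions=(perm_el.text or "").strip() if perm_el is not None else "",
    )
    for el in root.iter():
        # <Event> (on-send feature) and <LaunchEvent> (event-based activation) both hook send.
        if _local(el.tag) in ("Event", "LaunchEvent") and el.get("Type") in SEND_EVENTS:
            report.send_hooks.append({"type": el.get("Type"), "function": el.get("FunctionName", ""),
                                      "mode": el.get("SendMode") or el.get("FunctionExecution", "")})
        # Any URL in the manifest is a host the client will load add-in code or UI from.
        for value in list(el.attrib.values()) + [el.text or ""]:
            if value.startswith(("https://", "http://")):
                host = urlparse(value).hostname
                if host:
                    report.hosts.add(host)
    report.external_hosts = {h for h in report.hosts if not _is_allowed(h, allowed_hosts)}

    rank = PERMISSION_RANK.get(report.permissions, -1)
    if report.send_hooks:
        kinds = ", ".join(sorted({h["type"] for h in report.send_hooks}))
        report.findings.append(f"runs code on every outgoing message via {kinds}")
    if rank >= PERMISSION_RANK["ReadItem"]:
        report.findings.append(f"Permissions={report.permissions} already exposes the open item's "
                               "subject, body and recipients; a low level is not a safe signal")
    if rank >= PERMISSION_RANK["ReadWriteMailbox"]:
        report.findings.append("ReadWriteMailbox grants access beyond the current item")
    if report.external_hosts:
        report.findings.append("loads code from non-allowlisted host(s): " + ", ".join(sorted(report.external_hosts)))
    return report


def is_exfil_capable(report):
    """A send hook plus ReadItem-or-higher is all the technique in this article needs."""
    return bool(report.send_hooks) and PERMISSION_RANK.get(report.permissions, -1) >= PERMISSION_RANK["ReadItem"]


if __name__ == "__main__":
    rep = triage_manifest(SAMPLE_MANIFEST, ["contoso.example"])
    print(f"{rep.display_name} ({rep.app_id}) exfil-capable={is_exfil_capable(rep)}")
    for f in rep.findings:
        print(" -", f)
```

The manifest only names the host the add-in's JavaScript is fetched from, not the endpoint that script later posts to with fetch(), so a clean manifest review does not rule out exfiltration; it narrows the set of add-ins whose script hosts deserve outbound traffic monitoring, which is the remaining recommendation above.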
The researchers also urge Microsoft to introduce comprehensive audit logging for add-in installation and sensitive add-in actions, along with risk-based classification and stronger consent controls, to close this zero-trace exfiltration gap.
The post Microsoft 365 Outlook Add-ins Weaponized to Stealthily Exfiltrate Sensitive Email Data appeared first on Cyber Security News.