Researchers have uncovered a concerning method attackers could use to steal sensitive email data from Microsoft 365 environments—by abusing Outlook add-ins to exfiltrate email content without leaving any trace in standard audit logs. This technique has been dubbed Exfil Out&Look and represents a serious blind spot in Microsoft’s current logging and monitoring infrastructure.
What Are Outlook Add-ins — and Why They Matter
Outlook add-ins are small apps built with web technologies (HTML, CSS, and JavaScript) that run inside Microsoft Outlook to extend functionality. They can:
- Add buttons or user interface elements within Outlook (in the ribbon or message surface).
- Respond to user actions, such as sending an email.
- Call external services via APIs (e.g., the Microsoft Graph API).
Add-ins are defined by a manifest file (XML) that includes the permissions they request and how they integrate with Outlook. Both users and administrators can install add-ins:
- Per-user installation: A user adds an add-in through Outlook Web Access (OWA) or desktop clients.
- Organization-wide installation: Administrators deploy add-ins across all mailboxes in the tenant.
This ease of deployment and integration, while boosting productivity, also expands the attack surface for data abuse.
The Vulnerability: A Logging Blind Spot
The key discovery by Varonis is that Outlook add-ins installed via Outlook Web Access (OWA) do not generate any entries in Microsoft 365’s Unified Audit Log—even when they execute code that accesses or transmits email content.
Why That Matters
For security teams that rely on Unified Audit Logs to monitor internal and external threats, this is a major blind spot. In typical Outlook Desktop usage, installing an add-in does create a log entry (e.g., in Windows Event Viewer), but OWA installations do not produce any audit trail. This means:
- Add-in installation events are invisible for OWA installs.
- Add-in behavior (including accessing emails or sending data externally) is unlogged.
- Security tools using audit logs will not flag suspicious activity from such add-ins.
How the Exfiltration Works (Proof-of-Concept, for Educational Purposes)
Researchers built a proof-of-concept Outlook add-in to demonstrate how this can be abused. Here’s how such a malicious add-in would operate:
1. Create the Add-in Project
Using Microsoft’s official Yeoman generator, the attacker creates a minimal Outlook add-in project. The manifest includes:
- A minimal permission set (e.g., ReadWriteItem) that doesn't require explicit user consent.
- A LaunchEvent configured to respond to the OnMessageSend event.
This setup means the add-in automatically activates whenever the user sends an email.
2. Add a JavaScript Payload
The add-in’s core JavaScript code, hosted remotely, executes on each email send. It:
- Extracts email metadata such as sender, recipients, subject, body text, and timestamp.
- Issues a background fetch() call to send this data to an external server.
- Runs silently in the background without interrupting the user or requiring consent.
Because this behavior fits within Outlook’s permitted actions for minimal permissions, it proceeds without any audit log events.
3. Deploy the Add-in
The attacker (or insider threat) can install the malicious add-in in two ways:
- User-level installation via OWA, which produces no audit log entries at all.
- Admin-level deployment across the organization, which logs only the initial deployment events but not the ongoing data access/exfiltration.
In either case, the add-in captures an email’s content every time a user sends a message and sends it quietly to a remote server—all without detection by Microsoft 365 audit tools.
Real-World Threat Scenarios
Insider Threat
An employee installs a custom add-in that logs every outgoing email and sends it externally. Because no logs are generated, security teams remain unaware.
Compromised Account
An attacker who gains access to a user’s Microsoft 365 account can install the malicious add-in via OWA. It persists across sessions and silently steals data.
Admin Abuse
A malicious administrator deploys the add-in tenant-wide. All mailboxes now send copies of outgoing email to a third-party endpoint without ongoing audit logs.
Supply Chain Risk
A seemingly legitimate add-in from the Microsoft Store includes hidden behavior that exfiltrates email content to its own servers (e.g., for AI processing). Users install it innocently, while organizations have no visibility into its actions.
Mitigation and Recommendations
Platform-Level Improvements
To address this visibility gap, the researchers suggest Microsoft should:
- Ensure audit logging for all add-in installations, including those via OWA.
- Log sensitive add-in activity, such as when an add-in reads email content or sends it externally.
- Introduce risk classifications for add-ins based on permissions and external communications.
Organizational Controls
Security teams can also reduce risk by:
- Restricting who can install custom add-ins via policy controls.
- Regularly reviewing and monitoring organization-wide add-in deployments.
- Monitoring outbound traffic for unusual connections from Outlook clients.
- Training users to avoid installing unverified add-ins.
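One way to put the review and risk-classification recommendations into practice, tied to the manifest traits described in the proof-of-concept steps above: an added example (not Varonis's code and not Microsoft tooling) that parses an Outlook add-in manifest and flags a sensitive permission, an OnMessageSend LaunchEvent, and any code or service URL whose host is not on an allow-list. The manifest, the hostnames and the allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest (not a real add-in): ReadWriteItem permission,
# an OnMessageSend LaunchEvent, and a JavaScript runtime hosted off-tenant.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
  xsi:type="MailApp">
  <DisplayName DefaultValue="Example Send Helper"/>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides/1.1"
    xsi:type="VersionOverridesV1_1">
    <Hosts><Host xsi:type="MailHost"><DesktopFormFactor>
      <ExtensionPoint xsi:type="LaunchEvent"><LaunchEvents>
        <LaunchEvent Type="OnMessageSend" FunctionName="onSend" SendMode="PromptUser"/>
      </LaunchEvents></ExtensionPoint>
    </DesktopFormFactor></Host></Hosts>
    <Resources><bt:Urls>
      <bt:Url id="JSRuntime.Url" DefaultValue="https://addin.example-unapproved.test/commands.js"/>
    </bt:Urls></Resources>
  </VersionOverrides>
</OfficeApp>"""

SENSITIVE_PERMS = {"ReadWriteItem", "ReadWriteMailbox"}

def assess_manifest(xml_text, approved_hosts):
    """Return (risk, findings): 'high' = OnMessageSend hook plus an off-allow-list
    host, 'medium' = either alone, 'low' = neither. Permissions are reported only."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip namespace; schema versions differ
        if name == "Permissions" and (el.text or "").strip() in SENSITIVE_PERMS:
            findings.append("permission:" + el.text.strip())
        elif name == "LaunchEvent" and el.get("Type") == "OnMessageSend":
            findings.append("launch_event:OnMessageSend")
        # Any DefaultValue that is a URL (SourceLocation, bt:Url, ...) is code or
        # a service the add-in will talk to; compare its host with the allow-list.
        url = el.get("DefaultValue", "")
        if url.startswith(("http://", "https://")):
            host = (urlparse(url).hostname or "").lower()
            if host not in approved_hosts:
                findings.append("external_host:" + host)
    on_send = any(f.startswith("launch_event:") for f in findings)
    external = any(f.startswith("external_host:") for f in findings)
    risk = "high" if on_send and external else "medium" if on_send or external else "low"
    return risk, findings
```

Run it over the manifests returned by your tenant's add-in inventory (or the XML of a store add-in before approving it) and review anything rated medium or high by hand.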
Conclusion
The Exfil Out&Look technique highlights a critical visibility blind spot within Microsoft 365 when it comes to Outlook add-ins—especially those installed through Outlook Web Access. Because these add-ins can intercept and transmit email content without generating any audit logs, attackers or insiders may steal data undetected for long periods.
Closing this gap requires both platform-level logging improvements and organizational best practices to govern add-in installation and behavior.
