How Outlook add-ins in Microsoft 365 can be exploited to exfiltrate sensitive email data without leaving forensic traces

Varonis Threat Labs reveals how Outlook add-ins in Microsoft 365 can be exploited to exfiltrate sensitive email data without leaving forensic traces. This method, called Exfil Out&Look, is particularly dangerous when add-ins are installed via Outlook Web Access (OWA), as it leaves no audit log entries. The lack of visibility and logging creates a severe accountability gap, allowing malicious or overly permissive add-ins to operate undetected for extended periods. Microsoft categorized this as a low-severity product bug with no immediate fix or patch planned. Organizations should be aware of this attack vector and implement measures to limit its impact, such as enhanced audit logging, stricter consent enforcement, and better governance over add-in deployment and behavior.