Keypoints
- Varonis demonstrated “Exfil Out&Look,” a method where Outlook add-ins installed via OWA or deployed tenant-wide can silently exfiltrate outgoing email data without generating audit logs in Microsoft 365.
- OWA does not create Unified Audit Log entries for add-in installation or execution, while Outlook Desktop logs an Event ID 45 entry, creating a significant visibility gap.
- Minimally permissioned add-ins (e.g., ReadWriteItem, which grants access only to the item currently open) can still read the subject, body, recipients, timestamp, and attachment names of an outgoing message and transmit them via background fetch() calls, with no user consent or prompt.
- Administrators can deploy an add-in organization-wide (fixed deployment) so it cannot be removed by users, enabling tenant-wide, persistent interception of outgoing emails with only initial deployment logs recorded.
- Legitimate add-ins (e.g., AI translation/summarization) were observed transmitting full email content externally, highlighting supply-chain and third-party risk in addition to malicious actors.
- Varonis reported the issue to Microsoft (MSRC) on Sept 30, 2025; Microsoft categorized it as a low-severity product bug/suggestion with no immediate fix, so organizational mitigations are recommended.
MITRE Techniques
- [T0000] No explicit MITRE ATT&CK technique – the article does not reference any ATT&CK technique by name or ID.
Indicators of Compromise
- [Log/Event] Audit and Windows events referenced as context for visibility – Event ID 45 (Windows Event Viewer, Application log), “Added Service Principal”, “New-App” (Exchange Admin), and “Added Application” (Azure AD) are noted as recorded only during deployment or Desktop install.
- [File / Manifest] Add-in artifacts and deployment files – custom add-in manifest (manifest file / manifest.xml) used to define permissions and LaunchEvent; users can upload a custom manifest via OWA’s My Add-ins > Custom Add-ins.
- [Script / Remote resource] Remote payload and exfiltration endpoints – “JavaScript file hosted on a remote server” that performs an asynchronous fetch() to an external server (no specific domain or IP provided in the article).
- [Mailbox artifacts] Data types exfiltrated from emails – examples include email subject, email body, sender/recipient addresses, timestamp, and attached file names (as described in the PoC).
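As an added example (not Varonis's PoC and not code from the article), a defensive triage script that parses an Outlook add-in manifest and flags the combination the article describes: an item-level permission, a LaunchEvent that fires at send time, and add-in code hosted outside a trusted allow-list. The sample manifest and the `addins.corp.example` allow-list entry are constructed; `triage_manifest` and `_rank` are names chosen here.

```python
# Added example (not Varonis's PoC): triage an Outlook add-in manifest for the
# combination the article describes: item-level permission + a LaunchEvent that
# fires on send + code hosted on a domain you do not trust. Manifest is constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Office add-in manifest permission values, in increasing order of mailbox access.
PERMISSION_RANK = ["Restricted", "ReadItem", "ReadWriteItem", "ReadWriteMailbox"]

SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides/1.1"
    xsi:type="VersionOverridesV1_1">
    <ExtensionPoint xsi:type="LaunchEvent">
      <LaunchEvents><LaunchEvent Type="OnMessageSend" FunctionName="onSend" SendMode="SoftBlock"/></LaunchEvents>
      <SourceLocation resid="Runtime.Url"/>
    </ExtensionPoint>
    <Resources><bt:Urls xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
      <bt:Url id="Runtime.Url" DefaultValue="https://addin.example.net/launch.html"/>
    </bt:Urls></Resources>
  </VersionOverrides>
</OfficeApp>"""  # constructed and simplified: real manifests nest V1_1 inside V1_0 overrides

def _rank(perm):
    """Position in PERMISSION_RANK; unknown values rank below Restricted."""
    return PERMISSION_RANK.index(perm) if perm in PERMISSION_RANK else -1

def triage_manifest(xml_text, trusted_hosts):
    """Return the highest permission requested, any send-time launch events,
    and every add-in URL host that is not in trusted_hosts."""
    root = ET.fromstring(xml_text)
    # {*} matches any namespace, so top-level and VersionOverrides elements both count.
    perms = [p.text.strip() for p in root.findall(".//{*}Permissions") if p.text]
    top = max(perms, key=_rank, default="Restricted")
    send_hooks = [e.get("Type") for e in root.findall(".//{*}LaunchEvent")
                  if (e.get("Type") or "").endswith("Send")]
    hosts = {urlparse(u.get("DefaultValue")).hostname
             for u in root.findall(".//{*}Url") if u.get("DefaultValue")}
    external = sorted(h for h in hosts if h and h not in trusted_hosts)
    # The article's scenario needs all three: item access, a send hook, external code.
    high_risk = _rank(top) >= _rank("ReadItem") and bool(send_hooks) and bool(external)
    return {"permission": top, "send_hooks": send_hooks,
            "external_hosts": external, "high_risk": high_risk}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST, {"addins.corp.example"}))
```

The same check can be run over manifests exported from the tenant's deployed add-ins to spot third-party add-ins that hook send events and post to external hosts, which is the supply-chain case the article also raises.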
Read more: https://www.varonis.com/blog/outlook-add-in-exfiltration