A gaping blind spot in Microsoft 365’s logging capabilities allows attackers to steal sensitive emails without leaving a single trace, according to a new report from Varonis Threat Labs. Dubbed “Exfil Out&Look,” the attack method weaponizes legitimate Outlook add-ins to silently exfiltrate data, bypassing the audit logs that security teams rely on to catch intruders.
The vulnerability centers on a discrepancy between Outlook’s desktop and web versions. While desktop installations generate local logs, “Outlook Web Access (OWA) does not generate any audit log entry for add-in installation or execution”. This creates a “severe accountability and monitoring gap” that turns OWA into a ghost ship for data theft.
Add-ins are designed to boost productivity, but in the wrong hands, they become perfect spying tools. Varonis researchers demonstrated that an attacker—or a malicious insider—could install a custom add-in via OWA that automatically forwards copies of every email sent or received to an external server.
Because of the logging failure, “An add-in installed via OWA can be abused to silently extract email data without generating audit logs or leaving any forensic footprint”.
This stands in stark contrast to the expected behavior in Outlook Desktop, where installation events are logged. In the cloud-centric world of OWA, however, the activity remains invisible. “In organizations that rely heavily on Unified Audit Logs for detection and investigation, this blind spot can allow malicious or overly permissive add-ins to operate undetected for extended periods of time”.
The report outlines several scenarios where this flaw could be critical:
- The Malicious Insider: An employee installs a custom add-in to exfiltrate their own communications before quitting. “Since no audit logs are generated for the installation or execution, the activity remains undetected by security teams”.
- The Compromised Account: An external attacker who gains access via phishing can install the add-in to maintain persistent access to the victim’s email stream.
- Privileged Abuse: A rogue administrator could deploy a malicious add-in across the entire organization, intercepting every outgoing email.
- Supply Chain Poisoning: A seemingly legitimate third-party add-in could hide functionality that transmits data for “AI processing,” leaving organizations with no visibility into the exposure.
Perhaps most concerning is the response from the vendor. Varonis disclosed the issue to Microsoft in September 2025. However, after review, “Microsoft categorized Exfil Out&Look as a low-severity product bug or suggestion with no immediate fix or patch planned”.
For now, security teams are left to find their own workarounds for this invisible threat, as the “Exfil Out&Look” technique remains open for business.
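One compensating control, since OWA produces no log of the installation itself, is to review the manifest of every add-in found in the tenant. The Python below is an added example (not code from the Varonis report or this article): it parses an Outlook add-in manifest and flags the combination described above, broad mailbox permission plus automatic activation on message events plus code served from a host outside an allow-list. The sample manifest, host names and the `trusted_hosts` allow-list are constructed; the element and namespace names are those of the standard Office add-in manifest schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OFFICE_NS = "http://schemas.microsoft.com/office/appforoffice/1.1"

def triage_manifest(xml_text: str, trusted_hosts: set) -> dict:
    """Summarise what an Outlook add-in manifest requests and flag risky combinations."""
    root = ET.fromstring(xml_text)
    permission = (root.findtext(f"{{{OFFICE_NS}}}Permissions") or "Restricted").strip()
    hosts, events = set(), set()
    for el in root.iter():
        # Strip the namespace so VersionOverrides elements match whatever schema version they use.
        if el.tag.rsplit("}", 1)[-1] == "LaunchEvent" and el.get("Type"):
            events.add(el.get("Type"))  # event-based activation: code runs without user interaction
        for value in el.attrib.values():
            host = urlparse(value).hostname if value.startswith(("https://", "http://")) else None
            if host:
                hosts.add(host)  # where the add-in's code is served from
    untrusted = sorted(h for h in hosts if h not in trusted_hosts)
    flags = []
    if permission == "ReadWriteMailbox":
        flags.append("requests the broadest permission level (ReadWriteMailbox)")
    if any(e.startswith("OnMessage") for e in events):
        flags.append("activates automatically on message events: " + ", ".join(sorted(events)))
    if untrusted:
        flags.append("loads code from hosts outside the allow-list: " + ", ".join(untrusted))
    return {"permission": permission, "hosts": sorted(hosts), "events": sorted(events), "flags": flags}

# Constructed sample manifest, trimmed to the elements the triage inspects (not a real add-in).
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Permissions>ReadWriteMailbox</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides/1.1"
    xsi:type="VersionOverridesV1_1">
    <Hosts><Host xsi:type="MailHost"><DesktopFormFactor>
      <FunctionFile resid="Commands.Url"/>
      <ExtensionPoint xsi:type="LaunchEvent">
        <LaunchEvents><LaunchEvent Type="OnMessageSend" FunctionName="onSend" SendMode="PromptUser"/></LaunchEvents>
        <SourceLocation resid="Commands.Url"/>
      </ExtensionPoint>
    </DesktopFormFactor></Host></Hosts>
    <Resources><bt:Urls xmlns:bt="http://schemas.microsoft.com/office/officeappbasetypes/1.0">
      <bt:Url id="Commands.Url" DefaultValue="https://addin.example.net/commands.html"/>
    </bt:Urls></Resources>
  </VersionOverrides>
</OfficeApp>"""

if __name__ == "__main__":
    for flag in triage_manifest(SAMPLE_MANIFEST, {"addins.corp.example"})["flags"]:
        print("FLAG:", flag)
```

Run it against manifests exported from the tenant's add-in inventory and alert on any result with a non-empty `flags` list, which gives a review trail the OWA audit log does not.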