A new report from Varonis Threat Labs describes a blind spot in Microsoft 365's logging that allows attackers to exfiltrate sensitive emails via Outlook Web Access (OWA) without leaving audit log entries. Dubbed "Exfil Out&Look," the technique uses a legitimate Outlook add-in to silently forward copies of emails to an external server. It relies on a discrepancy between the desktop and web versions of Outlook: according to Varonis, OWA generates no audit entries for either the installation or the execution of an add-in, so neither the setup of the exfiltration channel nor its use shows up in the tenant's logs.
The report outlines several attack scenarios, including a malicious insider, an account compromised via phishing, privilege abuse by a rogue administrator, and supply chain deception through a seemingly legitimate third-party add-in. Following disclosure in September 2025, Microsoft reportedly categorised Exfil Out&Look as a low-severity product bug or suggestion, with no immediate fix or patch planned.
With logging gaps in place, security teams are left to devise workarounds while the technique remains open for business, the report notes. The article was published on 2 February 2026.
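Because the report says OWA records neither add-in installation nor execution, one compensating control a security team can put in place is a periodic inventory of the add-ins present in each mailbox, compared against a known-good baseline, so that a newly appearing add-in is noticed even though no audit event announced it. The script below is an added example, not code from Varonis or Microsoft; it uses the Exchange Online PowerShell cmdlets `Connect-ExchangeOnline`, `Get-Mailbox` and `Get-App`, and assumes a baseline CSV path (`.\addin-baseline.csv`) and the set of properties it reads (`DisplayName`, `AppId`, `ProviderName`, `Enabled`) as the inventory key. The optional hardening step at the end, which removes the end-user "My Custom Apps" and "My Marketplace Apps" roles from the default role assignment policy so users can no longer self-install add-ins, is a separate assumption about what is acceptable in a given tenant and is left commented out.

```powershell
# Added example: inventory Outlook add-ins per mailbox and diff against a baseline.
# Requires the ExchangeOnlineManagement module and an account with Exchange admin rights.
# Assumption: the baseline file path and the choice of identifying fields are ours.
param(
    [string]$BaselinePath = ".\addin-baseline.csv",
    [switch]$UpdateBaseline
)

Connect-ExchangeOnline -ShowBanner:$false

# Collect every user-mailbox add-in. Get-App -Mailbox returns the add-ins visible to that
# user, including ones they installed themselves, which is the path the report describes.
$current = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($app in Get-App -Mailbox $mbx.UserPrincipalName) {
        [pscustomobject]@{
            Mailbox      = $mbx.UserPrincipalName
            DisplayName  = $app.DisplayName
            AppId        = $app.AppId
            ProviderName = $app.ProviderName
            Enabled      = $app.Enabled
        }
    }
}

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    # First run (or explicit refresh): record what is present today as the known-good state.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath ($($current.Count) add-in entries)."
    return
}

$baseline = Import-Csv -Path $BaselinePath

# Key on mailbox + AppId: an add-in that appears in a mailbox where it was not before
# is exactly the change OWA would not have logged.
$baselineKeys = @{}
foreach ($b in $baseline) { $baselineKeys["$($b.Mailbox)|$($b.AppId)"] = $true }

$new = $current | Where-Object { -not $baselineKeys.ContainsKey("$($_.Mailbox)|$($_.AppId)") }

if ($new) {
    Write-Warning "New add-ins since baseline (review provider and manifest before trusting):"
    $new | Sort-Object Mailbox | Format-Table Mailbox, DisplayName, AppId, ProviderName, Enabled -AutoSize
} else {
    Write-Host "No add-ins outside the baseline."
}

# Optional hardening (assumption: acceptable in this tenant). Removing these end-user roles
# from the default policy stops users from installing their own or marketplace add-ins,
# which closes the self-install path without disabling admin-deployed add-ins.
# Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" -Role "My Custom Apps" |
#     Remove-ManagementRoleAssignment -Confirm:$false
# Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" -Role "My Marketplace Apps" |
#     Remove-ManagementRoleAssignment -Confirm:$false
```

Run it once with `-UpdateBaseline` after reviewing the tenant's add-ins, then on a schedule; a new entry is a lead, not a verdict, since the inventory shows that an add-in exists, not what it does, so the manifest and the provider of anything unexpected still need to be examined.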