Microsoft 365 Outlook Add-ins Being Weaponized

-

 


What’s Happening

Multiple independent cybersecurity research labs (Varonis, KPMG, others) and news outlets confirm that Microsoft 365 Outlook add-ins are actively being weaponized to perform stealthy data exfiltration, persistence, phishing, and command‑and‑control (C2)—often without leaving forensic traces.

Below is the detailed, source‑grounded breakdown.

1. Zero‑Trace Email Exfiltration via Malicious

Outlook Add-ins (Exfil Out&Look)

Most significant attack technique identified.

Varonis Threat Labs discovered a method—“Exfil Out&Look”—that abuses the Outlook add-in framework to silently exfiltrate sensitive email data. Key points:

Silent deployment & execution

  • Add-ins are just web apps defined by XML manifests (HTML/JS/CSS) with permissions.
  • Attackers can deploy them:
    • Per-user via Outlook Web Access (OWA)
    • Tenant‑wide via admin permissions

Massive blind spot for defenders

  • OWA-installed add-ins generate no Unified Audit Log entries (even in E5 tenants).
  • No logs show installation, execution, or email content access.

Stealth data theft

  • Add-in hooks into OnMessageSend / ItemSend → reads subject, body, recipients, timestamp.
  • JavaScript payload silently forwards contents to an attacker server via fetch().
  • Requires only standard:
    • ReadItem
    • ReadWriteItem
      permissions — no user consent prompts.

Tenant‑wide compromise possible

  • A malicious admin or compromised admin account can deploy the add-in to every mailbox, unremovable by users.

2. Malware Using Outlook Add-ins for

 Persistence & C2 (GONEPOSTAL)

Another active threat uses Outlook’s COM add-ins infrastructure to establish persistent command‑and‑control channels.

Key behaviors

  • Delivered via spear-phishing with a weaponized Office document (macro‑based dropper).
  • Drops modules that interface with Outlook COM APIs to send/receive encrypted C2 mail.
  • Loads as an Outlook add-in DLL, masquerading as “OfficeUpdate”.
  • Ensures automatic loading at every Outlook startup.

Impact

  • Hidden outbound email spikes
  • Credential theft
  • Unauthorized file transfer
  • Internal lateral movement via address book enumeration

3. Fake Office Add-ins Distribution Campaigns

Attackers have also distributed fake Microsoft Office add-on toolkits containing:

  • Malware droppers
  • Cryptocurrency miners
  • Clipboard crypto-jackers

Though not specifically Outlook add-ins, the pattern reinforces that the Office add-in ecosystem is a high‑value attack vector.

4. Advanced Red‑Team Tooling Weaponized

 (Mortar Loader)

Security researchers identified Mortar Loader, a red‑team tool now being repurposed to weaponize:

  • DLL sideloading
  • Malicious Office add-ins
  • OneDrive‑based persistence

This shows attackers increasingly adopting add-in–based stealth loaders.

Why Outlook Add-ins Are So Attractive to

Attackers

1. High trust environment
Add-ins run inside Outlook, a highly trusted application.

2. Flexible permissions model
Attackers exploit minimal permissions such as ReadItem.

3. Weak telemetry in OWA
The biggest blind spot: no audit logs for add-in installation/execution in OWA.

4. Simple deployment
Installable by end users, or silently tenant‑wide by compromised admins.

5. Blends in with enterprise workflows
Threat actions appear as normal Outlook behavior.

What This Means for Security Teams

Based on all sources, the key takeaways:

A major architectural visibility gap exists in Microsoft 365

Exfiltration or add-in activation cannot be detected natively when installed via OWA.

Tenant-level compromise is trivial if an admin is compromised

One malicious deployment → entire organization affected.

Attackers are increasingly pivoting to “living-in-the-app” techniques

Outlook add-ins are becoming a favored channel for:

  • Stealth exfiltration
  • Persistence
  • Phishing
  • Covert C2


Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more