Outlook: Export mailbox to PST file in new Outlook for Windows

🚨 The Signal: New Outlook for Windows now supports exporting mailboxes to PST files. This reintroduces a data exfiltration vector, increasing risk of sensitive information leaving organisational control.

The Impact

All users can now export mailbox data, increasing the risk of uncontrolled data movement and potential data loss.

• End Users: Can export sensitive data, increasing exfiltration risk.
• Security Teams: Must monitor for unauthorised data exports.
• Compliance Teams: Data retention and eDiscovery become more complex.
• Admins: Need to implement or review data loss prevention policies.

The Action

1. Review and update Microsoft Purview Data Loss Prevention (DLP) policies to restrict PST exports from Outlook.
2. Configure Exchange Online Mailbox Export roles to limit who can export mailboxes.
3. Implement or review Conditional Access policies to restrict access to Outlook for unmanaged devices.
4. Educate users on data handling policies and the risks of exporting sensitive information.

Domain: Purview · Impact: high · Workload: Exchange Online