Outlook: Export mailbox to PST file in new Outlook for Windows
🚨 The Signal: New Outlook for Windows now allows exporting entire mailboxes or specific folders to PST files. This reintroduces a data exfiltration vector, increasing the risk of sensitive information leaving controlled environments.
The Impact
All users are affected. The change increases the risk of uncontrolled data exfiltration and complicates data governance and eDiscovery efforts.
- End Users: Can export sensitive data outside M365 controls.
- Security Teams: Increased risk of data loss and exfiltration.
- Compliance Teams: Complicates data retention and eDiscovery.
- Admins: Requires new data loss prevention (DLP) policies.
The Action
- Review and update existing Data Loss Prevention (DLP) policies in Microsoft Purview to specifically restrict or audit PST file creation and export.
- Implement or strengthen Conditional Access policies to restrict access to New Outlook for Windows based on device compliance or network location, if PST export is deemed high risk.
- Educate users on appropriate data handling procedures and the risks associated with exporting sensitive information to local files.
- Monitor audit logs for PST export activities, especially for high-risk users or sensitive data types.
- Consider disabling PST export functionality via Group Policy or Intune if not required for business operations.
Domain: Purview · Impact: high · Workload: Exchange Online
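
One way to act on the monitoring item above, as an added example that is not part of the original advisory or any Microsoft tooling: triage endpoint file-creation records for new PST files and rank them by user risk and volume. The JSON-lines schema, the watch list and the 1 GiB threshold are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample records. The JSON-lines schema (ts, user, path, bytes) is
# an assumption for this example, not a Microsoft audit-log format.
SAMPLE_EVENTS = r"""
{"ts": "2025-01-06T09:12:03Z", "user": "alice@example.com", "path": "C:\\Users\\alice\\Documents\\mailbox.pst", "bytes": 734003200}
{"ts": "2025-01-06T09:15:40Z", "user": "bob@example.com", "path": "C:\\Users\\bob\\Desktop\\notes.pst.txt", "bytes": 2048}
{"ts": "2025-01-06T10:01:11Z", "user": "carol@example.com", "path": "D:\\Export\\Finance.PST", "bytes": 52428800}
{"ts": "2025-01-06T10:02:59Z", "user": "alice@example.com", "path": "C:\\Users\\alice\\Documents\\inbox-2024.pst", "bytes": 1610612736}
not-json: truncated record
"""

HIGH_RISK_USERS = {"carol@example.com"}   # hypothetical watch list
BULK_BYTES = 1 * 1024**3                  # assumed per-user volume threshold (1 GiB)

def is_pst(path):
    """True only when the final extension is .pst, case-insensitively."""
    return PureWindowsPath(path).suffix.lower() == ".pst"

def triage(lines, high_risk=HIGH_RISK_USERS, bulk_bytes=BULK_BYTES):
    """Group PST creations by user; return (findings, skipped_line_count)."""
    per_user = defaultdict(lambda: {"files": [], "bytes": 0})
    skipped = 0
    for line in filter(None, (l.strip() for l in lines)):
        try:
            event = json.loads(line)
            user, path, size = event["user"].lower(), event["path"], int(event["bytes"])
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1          # keep a count so parsing gaps stay visible
            continue
        if is_pst(path):
            per_user[user]["files"].append(path)
            per_user[user]["bytes"] += size
    findings = []
    for user, agg in per_user.items():
        reasons = [r for r, hit in (("high-risk user", user in high_risk),
                                    ("bulk volume", agg["bytes"] >= bulk_bytes)) if hit]
        findings.append({"user": user, "severity": "high" if reasons else "review",
                         "reasons": reasons, **agg})
    # High-severity findings first, then largest exported volume first.
    findings.sort(key=lambda f: (f["severity"] != "high", -f["bytes"]))
    return findings, skipped

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS.splitlines())[0]:
        print(finding)
```

Matching on the final extension keeps files such as `notes.pst.txt` out of the results, and the skipped-line count shows when malformed records are hiding activity from the check.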