Outlook: Auto-Export mailbox to PST file in new Outlook for Windows
🚨 The Signal: New Outlook for Windows allows users to auto-export mailboxes to PST files. This increases data exfiltration risk and complicates data governance, potentially bypassing retention policies and eDiscovery holds.
The Impact
All users are affected, which increases the risk of sensitive data exfiltration and non-compliance with data retention policies.
- End Users: Can easily create unmanaged local copies of sensitive data.
- Security Team: Increased risk of data loss and exfiltration outside M365 controls.
- Compliance Team: Potential for non-compliance with data retention and eDiscovery obligations.
- Admins: New challenge in enforcing data governance and preventing data sprawl.
The Action
- Review existing Exchange Online Mailbox Export policies and consider new transport rules.
- Communicate data handling policies to users regarding local PST file creation.
- Implement or reinforce endpoint data loss prevention (DLP) policies to restrict PST file creation or movement.
- Monitor audit logs for PST export activities, if available, in new Outlook for Windows.
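
As a stopgap for the endpoint-side items above, the following added example (not part of the original notice or any Microsoft tooling) inventories recently created PST files on a Windows endpoint. It matches on the PST file signature as well as the extension, so renamed exports are reported too. The scan root `C:\Users` and the 7-day look-back window are assumptions to adjust.

```powershell
# Added example. Assumed values: scan root C:\Users, 7-day look-back.
function Test-PstSignature {
    param([Parameter(Mandatory)][string]$Path)
    # PST files start with the 4 bytes "!BDN" (21 42 44 4E); OST files share this magic.
    $buf = New-Object byte[] 4
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    } catch {
        return 'Unreadable'          # locked by another process or access denied
    }
    try {
        $read = $fs.Read($buf, 0, 4)
    } finally {
        $fs.Dispose()
    }
    if ($read -eq 4 -and [System.BitConverter]::ToString($buf) -eq '21-42-44-4E') {
        return 'Match'
    }
    return 'NoMatch'
}

function Find-PstFile {
    param(
        [string]$Root = 'C:\Users',  # assumption: user profiles live here
        [int]$Days = 7               # assumption: look-back window in days
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # .ost caches are skipped because they share the PST signature.
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff -and $_.Extension -ne '.ost' } |
        ForEach-Object {
            $sig = Test-PstSignature -Path $_.FullName
            # Report on signature OR extension so renamed and locked PSTs both surface.
            if ($sig -eq 'Match' -or $_.Extension -eq '.pst') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeMB    = [math]::Round($_.Length / 1MB, 1)
                    Created   = $_.CreationTime
                    Signature = $sig
                    Renamed   = ($_.Extension -ne '.pst')
                }
            }
        }
}

Find-PstFile | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it from an elevated session so that profiles other than the current user's can be read; without elevation, inaccessible folders are skipped silently.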
Domain: Exchange · Impact: high · Workload: Exchange Online