Outlook: Drag and drop files between accounts as attachments

🚨 The Signal: New Outlook for Windows now allows drag-and-drop of files and emails between different accounts as attachments. This increases the risk of accidental or malicious data exfiltration across security boundaries.

The Impact

All users are affected: the change raises the risk of inadvertent or intentional data loss and exfiltration.

  • End users: Increased risk of accidentally moving sensitive data into personal accounts.
  • Security teams: New challenge in monitoring and preventing cross-account data movement.
  • Compliance officers: Greater difficulty in demonstrating adherence to data protection policies.
  • Admins: Potential for increased support requests related to data handling and policy enforcement.

The Action

  1. Review and update existing Data Loss Prevention (DLP) policies in Microsoft Purview to specifically address cross-account data transfers in Outlook.
  2. Implement or refine Conditional Access policies to restrict access to corporate data from unmanaged devices or non-compliant applications.
  3. Educate users on the risks of transferring sensitive information between corporate and personal accounts.
  4. Monitor Microsoft Purview audit logs for unusual data transfer activities involving Outlook and multiple accounts.

Domain: M365-Apps · Impact: high · Workload: M365 Apps