
Netskope Global Technical Success (GTS)

Microsoft Outlook Native Application - Limitations

 

Netskope Cloud Version - 125

 

Objective

Understanding the limitations of Microsoft Outlook native application

 

Prerequisite

Netskope SWG or NG SWG license is required

 

Context

This document is intended for customers who wish to apply Netskope Real-time Protection Policies along with Data Loss Prevention (DLP) controls to the Microsoft Outlook native application. It provides an overview of the current limitations and considerations specific to using these controls with the Microsoft Outlook native application.

 

Do You Know?

  • The Microsoft Outlook native application is available for both desktop platforms:
      1. Windows
      2. macOS
  • Microsoft has two versions of Outlook:
      1. Microsoft Outlook Classic (legacy version)
      2. Microsoft New Outlook

Outlook Classic is the full-featured, native Windows app with deep offline support, COM add-ins, and PST/POP3 support.

New Outlook is a lightweight, web-based app (via WebView2) with a modern UI, focused on Microsoft 365 and cloud-first features, but with limited offline and extensibility support.

 

  • Microsoft Outlook Classic uses a variety of ports and protocols to operate efficiently. However, for core email functionality, the key protocol is MAPI (Messaging Application Programming Interface).

What is MAPI?
MAPI is a low-level, Microsoft-developed API that enables Outlook to communicate directly with Microsoft Exchange servers. It is used for email, calendar, contacts, tasks and notes.

  • MAPI operates over HTTPS (port 443), allowing secure communication between Microsoft Outlook native application and Microsoft Exchange servers.
  • In the current Netskope product design, while the Netskope engines are capable of decrypting HTTPS traffic, they do not support parsing MAPI traffic. As a result, visibility into MAPI-specific data or actions within Outlook remains limited, even after decryption.
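The gap described above can be measured on any TLS-inspecting proxy. The following added example (not Netskope code or output) classifies decrypted request records as MAPI over HTTP or ordinary web traffic, using the `/mapi/emsmdb` and `/mapi/nspi` endpoints, the `application/mapi-http` content type and the `X-RequestType` header from Microsoft's MAPI over HTTP protocol. The record layout, host names and sample values are constructed for the illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# From Microsoft's MAPI over HTTP protocol: endpoints and request content type.
MAPI_PATHS = ("/mapi/emsmdb", "/mapi/nspi")
MAPI_CONTENT_TYPE = "application/mapi-http"

def _headers(record):
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in record.get("headers", {}).items()}

def classify(record):
    """Return 'mapi-http' for a MAPI over HTTP request, otherwise 'web'."""
    hdrs = _headers(record)
    path = urlsplit(record["url"]).path.lower().rstrip("/")
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    is_mapi = path in MAPI_PATHS or ctype == MAPI_CONTENT_TYPE
    return "mapi-http" if record["method"] == "POST" and is_mapi else "web"

def coverage_gap(records):
    """Count requests and body bytes per class, plus MAPI request types."""
    stats = {"mapi-http": [0, 0], "web": [0, 0]}  # [requests, body bytes]
    request_types = Counter()
    for rec in records:
        kind = classify(rec)
        stats[kind][0] += 1
        stats[kind][1] += rec.get("body_len", 0)
        if kind == "mapi-http":
            request_types[_headers(rec).get("x-requesttype", "unknown")] += 1
    return stats, dict(request_types)

# Constructed sample records (hypothetical log layout and host names).
SAMPLE = [
    {"method": "POST", "url": "https://exchange.example.com/mapi/emsmdb/?MailboxId=mbx1",
     "headers": {"Content-Type": "application/mapi-http", "X-RequestType": "Connect"}, "body_len": 312},
    {"method": "POST", "url": "https://exchange.example.com/mapi/emsmdb/?MailboxId=mbx1",
     "headers": {"content-type": "application/mapi-http", "x-requesttype": "Execute"}, "body_len": 48211},
    {"method": "POST", "url": "https://exchange.example.com/MAPI/nspi/?MailboxId=mbx1",
     "headers": {"X-RequestType": "Bind"}, "body_len": 96},
    {"method": "GET", "url": "https://exchange.example.com/owa/",
     "headers": {"Accept": "text/html"}, "body_len": 0},
    {"method": "POST", "url": "https://files.example.com/upload",
     "headers": {"Content-Type": "multipart/form-data; boundary=x"}, "body_len": 20480},
]
```

The `mapi-http` byte count is the volume that an inspecting proxy can decrypt but whose message content it cannot read without a MAPI parser.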

 

Netskope's default behaviour for Microsoft Outlook native application

  • By default, Netskope has included Microsoft Outlook native application in the steering exceptions for both Windows and macOS platforms.
  • All Microsoft Outlook native application traffic will bypass Netskope and be sent directly to Microsoft Exchange servers.

Path: Netskope Tenant UI > Settings > Security Cloud Platform > Traffic Steering > Steering Configuration > (select steering profile) > Exceptions

Note - Microsoft Outlook native application transaction logs will be stored locally on the end-user machine and cannot be routed to the Netskope Tenant.

 

Details

  • Based on the above information, it may seem that Netskope cannot apply controls to the traffic generated by the Microsoft Outlook native application. However, this is not entirely accurate from a technical perspective. Let's explore this further.

 

  • Option A - Netskope CASB API
  1. Netskope CASB API, also known as Out-of-Band CASB, provides visibility and control over cloud application activities without sitting directly in the data path.
  2. With the Netskope CASB API, controls are applied in near real-time (next-to real-time).
  3. Workflow

An end user using the Microsoft Outlook native application sends traffic directly to Microsoft’s datacenters. With Netskope CASB API, Netskope integrates with Microsoft Outlook via an API connection. When the user performs an action—such as sending an email or uploading an attachment—a copy of the data is transmitted to Netskope, where security policies and controls are then applied.

Although this process is not fully real-time like with the Netskope Client, it operates in near real-time, providing effective visibility and enforcement.

  4. Customers are required to purchase an additional license for the Netskope CASB API.

 

Note: Web browser-based referrer traffic generated by the Microsoft Outlook native application can be controlled and managed using the Netskope SWG and NG SWG licenses.

Ref. - Prevent Personal Gmail Account Integration in Microsoft Outlook native application

 

  • Option B - Netskope SMTP Proxy
  1. The Netskope SMTP Proxy is a component designed to provide visibility and control over outbound email traffic by integrating with email services like Microsoft 365 and Google Workspace.
  2. Integration between Netskope and the email exchange servers is a one-time activity.
  3. Post successful integration, Netskope inspects outbound email messages for data loss prevention (DLP), malware, and compliance violations. This helps organizations enforce policies before messages are delivered to external recipients.
  4. No agent installation is required on user devices.
  5. Customers are required to purchase an additional license for the Netskope SMTP Proxy.

 

Author Notes

  • New Outlook is WebView2 based
  • What is WebView2?

WebView2 is a Microsoft technology that lets developers embed web content (HTML, CSS, JavaScript) inside a native Windows application — kind of like putting a mini browser inside your app.

Note - Netskope may be able to decrypt traffic from the New Outlook application, which would allow us to add real-time and DLP controls for enhanced security. We are currently testing the behavior of the New Outlook client to evaluate how traffic is handled and whether content inspection is feasible. Once testing is complete and results are validated, this document will be updated with findings and guidance.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.