Netskope Global Technical Success (GTS)
Microsoft Outlook Native Application - Prevent Personal Gmail Account Integration
Netskope Cloud Version - 125
Objective
Restrict end-users from adding personal Google Gmail accounts to the Microsoft Outlook native application
Prerequisite
Netskope SWG license is required
Context
This document provides step-by-step instructions for disabling the ability of end-users to add personal Google Gmail accounts to their Microsoft Outlook native applications.
Do You Know?
- The Microsoft Outlook native application uses certificate pinning.
- What is certificate pinning?
Certificate pinning is a security technique that protects network communications by ensuring that an application trusts only a specific SSL/TLS certificate or set of certificates.
- Because the Microsoft Outlook native application employs certificate pinning, Netskope cannot perform SSL decryption on traffic generated by Microsoft Outlook.
- Without SSL decryption, the following controls cannot be applied in real time:
  - Netskope Data Loss Prevention (DLP)
  - Netskope Threat Prevention
  - Netskope Real-time Policy Controls for Post, Upload, Download and other activities
- By default, traffic from the Microsoft Outlook native application is included in the Netskope Client steering exception.
Details
- Launch the Microsoft Outlook Native Application, then follow the steps below:
Operating system used for the lab recreation: macOS
Image 1
Image 2
Image 3
- Reference images 1, 2 and 3 above are from the Microsoft Outlook native application. After the step shown in image 3, the Microsoft Outlook native application redirects the traffic to the browser for the URL below:
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?scope=profile%20email%20https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuser.emails.read%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuser.birthday.read&redirect_uri=https%3A%2F%2Folmoauth.outlook.com%2Fapi%2Fgoogleoauthredir%2Fcom.microsoft.office.outlook%3A%2Fmac%2Fgoogle%2Foauth2redirect&client_id=445112211283-sk04feuogpcjd3dq8eshrdnr4bpm1sfk.apps.googleusercontent.com&login_hint=xxxxxxxxxxxxsingh%40gmail.com&state=264A9C75-3294-4414-A80F-54ACAD2FE471&response_type=code&access_type=offline&prompt=consent&code_challenge=a7Hz1mbdv0IKTCegZsruNH8ALyaHxcmuQ9et0BJwVNY&code_challenge_method=S256&enable_granular_consent=true&service=lso&o2v=2&ddm=0&flowName=GeneralOAuthFlow
Image 4
- The ‘accounts.google.com’ domain is responsible for Google suite user authentication.
- Traffic from the Microsoft Outlook Native Application will be bypassed by the Netskope Client, while browser-based traffic will continue to route through the Netskope Client.
Reference - Netskope Client Logs
2024/10/21 19:50:57.958787 stAgentNE p70938 t21799 info bypassAppMgr.cpp:1472 BypassAppMgr bypassing flow to exception host: mobile.events.data.microsoft.com, process: microsoft outlook, Dest IP: 20.189.173.12, Dest Port: 443
2024/10/21 09:05:06.905974 stAgentNE p41745 t10527 info tunnel.cpp:972 nsTunnel TLS 9sessId 501] Tunneling flow from addr: 1.0.0.1:49636, process: google chrome helper to host: accounts.google.com, addr: 74.125.68.84:443 to nsProxy
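The browser redirect URL shown above carries the fields that tie this sign-in to Outlook: the `redirect_uri` host and the requested Gmail scope. The following added example (not Netskope code or policy logic) decodes such a URL and flags that flow; the matching criteria are assumptions drawn from the captured URL, and the sample URL and its client_id are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed identifying values, taken from the redirect URL captured on this page.
GOOGLE_AUTH_HOST = "accounts.google.com"
OUTLOOK_REDIRECT_HOST = "olmoauth.outlook.com"
GMAIL_SCOPE = "https://mail.google.com/"


def classify_oauth_request(url):
    """Decode a Google OAuth authorization URL and report whether it is the
    Outlook native app asking for Gmail mailbox access."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != GOOGLE_AUTH_HOST:
        return {"outlook_gmail_flow": False, "reason": "not a Google auth URL"}
    if not parts.path.startswith("/o/oauth2/"):
        return {"outlook_gmail_flow": False, "reason": "not an OAuth endpoint"}

    # parse_qs percent-decodes values; OAuth scopes are space separated.
    query = parse_qs(parts.query)
    scopes = query.get("scope", [""])[0].split()
    redirect_host = urlsplit(query.get("redirect_uri", [""])[0]).hostname
    client_id = query.get("client_id", [""])[0]

    # Exact host comparison: a substring test would also match
    # look-alike hosts such as olmoauth.outlook.com.example.net.
    from_outlook = redirect_host == OUTLOOK_REDIRECT_HOST
    wants_mail = GMAIL_SCOPE in scopes
    return {
        "outlook_gmail_flow": from_outlook and wants_mail,
        "redirect_host": redirect_host,
        "client_id": client_id,
        "scopes": scopes,
    }


# Constructed sample: shortened form of the URL above; client_id is a placeholder.
SAMPLE = (
    "https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount"
    "?scope=profile%20email%20https%3A%2F%2Fmail.google.com%2F"
    "&redirect_uri=https%3A%2F%2Folmoauth.outlook.com%2Fapi%2Fgoogleoauthredir"
    "&client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&response_type=code"
)

if __name__ == "__main__":
    print(classify_oauth_request(SAMPLE))
```

Because this request is made by the browser, it is visible to the Netskope Client only after the Outlook native application hands off to the browser, as the tunneling log line above shows.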
Configuration
- Create a custom URL category
Path: Netskope Tenant UI >>> Policies >>> Profile >>> URL Lists
Path: Netskope Tenant UI >>> Policies >>> Profile >>> Custom Categories
- Real-time protection policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy
Verification
After the step shown in image 3, the Microsoft Outlook native application redirects the traffic to the browser, and the result is as shown below.
Note - User Notification format used above Link
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.