
Netskope Global Technical Success (GTS)

Prevent Personal Gmail Account Integration in Microsoft Outlook native application

 

Netskope Cloud Version - 120

 

Objective

Restrict end-users from adding personal Google Gmail accounts to the Microsoft Outlook native application

 

Prerequisite

Netskope SWG license is required

 

Context

This document provides step-by-step instructions for disabling the ability of end-users to add personal Google Gmail accounts to their Microsoft Outlook native applications.

 

Do You Know?

  • The Microsoft Outlook native application uses certificate pinning.
  • What is Certificate pinning?

Certificate pinning is a security technique used to enhance the protection of network communications by ensuring that an application only trusts a specific SSL/TLS certificate or a set of certificates. 

  • Because the Microsoft Outlook native application employs certificate pinning, Netskope cannot perform SSL decryption on traffic generated by Microsoft Outlook.
  • Without SSL decryption, the following controls cannot be applied in real time:
  1. Netskope Data Loss Prevention (DLP)
  2. Netskope Threat Prevention
  3. Netskope Real-time Policy Controls for Post, Upload, Download and other activities
  • By default, traffic from the Microsoft Outlook native application is included in the Netskope Client steering exception.


 

Details

  • Launch the Microsoft Outlook Native Application, then follow the steps below:

Operating system used for the lab recreation: macOS

Image 1


 

Image 2


 

Image 3


 

  • Images 1, 2 and 3 above are from the Microsoft Outlook native application. After the step shown in image 3, the Microsoft Outlook native application redirects the traffic to the browser for the URL below:

https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?scope=profile%20email%20https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuser.emails.read%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuser.birthday.read&redirect_uri=https%3A%2F%2Folmoauth.outlook.com%2Fapi%2Fgoogleoauthredir%2Fcom.microsoft.office.outlook%3A%2Fmac%2Fgoogle%2Foauth2redirect&client_id=445112211283-sk04feuogpcjd3dq8eshrdnr4bpm1sfk.apps.googleusercontent.com&login_hint=xxxxxxxxxxxxsingh%40gmail.com&state=264A9C75-3294-4414-A80F-54ACAD2FE471&response_type=code&access_type=offline&prompt=consent&code_challenge=a7Hz1mbdv0IKTCegZsruNH8ALyaHxcmuQ9et0BJwVNY&code_challenge_method=S256&enable_granular_consent=true&service=lso&o2v=2&ddm=0&flowName=GeneralOAuthFlow
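Decoding that authorization request shows what distinguishes it from any other Google sign-in seen in the browser. The following is an added example, not part of the original article or of Netskope tooling; the function names and the three match criteria are assumptions chosen for illustration, and the second URL is a constructed sample.

```python
from urllib.parse import parse_qs, urlsplit

# Abridged copy of the authorization URL shown above (login_hint, state,
# PKCE challenge and UI parameters omitted; remaining values unchanged).
OUTLOOK_GMAIL_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount"
    "?scope=profile%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar"
    "&redirect_uri=https%3A%2F%2Folmoauth.outlook.com%2Fapi%2Fgoogleoauthredir"
    "%2Fcom.microsoft.office.outlook%3A%2Fmac%2Fgoogle%2Foauth2redirect"
    "&client_id=445112211283-sk04feuogpcjd3dq8eshrdnr4bpm1sfk"
    ".apps.googleusercontent.com"
    "&response_type=code&access_type=offline&code_challenge_method=S256"
)

# Constructed sample: a Google authorization request from an unrelated web app.
OTHER_APP_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?scope=openid%20email&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
    "&client_id=constructed-client.apps.googleusercontent.com&response_type=code"
)


def describe_auth_request(url):
    """Decode the policy-relevant fields of a Google OAuth authorization URL."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    redirect = urlsplit(query.get("redirect_uri", ""))
    return {
        "host": parts.hostname,
        "client_id": query.get("client_id"),
        "scopes": query.get("scope", "").split(),
        "redirect_host": redirect.hostname,
        "redirect_path": redirect.path,
        "offline_access": query.get("access_type") == "offline",
    }


def is_outlook_gmail_enrollment(url):
    """True when the request asks Google for mailbox access on behalf of Outlook."""
    info = describe_auth_request(url)
    return (
        info["host"] == "accounts.google.com"
        and info["redirect_host"] == "olmoauth.outlook.com"
        and "https://mail.google.com/" in info["scopes"]
    )
```

The request is addressed to accounts.google.com, while the Outlook-specific markers (redirect host, client ID, mail scope) sit in the query string, so they are visible only where the browser traffic is decrypted.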
 

Image 4


  • The ‘accounts.google.com’ domain is responsible for Google suite user authentication.
  • Traffic from the Microsoft Outlook Native Application will be bypassed by the Netskope Client, while browser-based traffic will continue to route through the Netskope Client.

Reference - Netskope Client Logs

2024/10/21 19:50:57.958787 stAgentNE p70938 t21799 info bypassAppMgr.cpp:1472 BypassAppMgr bypassing flow to exception host: mobile.events.data.microsoft.com, process: microsoft outlook, Dest IP: 20.189.173.12, Dest Port: 443

2024/10/21 09:05:06.905974 stAgentNE p41745 t10527 info tunnel.cpp:972 nsTunnel TLS 7sessId 501] Tunneling flow from addr: 1.0.0.1:49636, process: google chrome helper to host: accounts.google.com, addr: 74.125.68.84:443 to nsProxy
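To confirm from a client log that flows to a given host reach the proxy, where a Real-time Protection policy can act on them, the two entries above can be parsed as follows. This is an added example, not Netskope tooling; the regular expressions are inferred from these two log lines only and the function names are hypothetical.

```python
import re

# Input: the two Netskope Client log lines quoted above, copied verbatim.
LOG_LINES = [
    "2024/10/21 19:50:57.958787 stAgentNE p70938 t21799 info bypassAppMgr.cpp:1472 BypassAppMgr bypassing flow to exception host: mobile.events.data.microsoft.com, process: microsoft outlook, Dest IP: 20.189.173.12, Dest Port: 443",
    "2024/10/21 09:05:06.905974 stAgentNE p41745 t10527 info tunnel.cpp:972 nsTunnel TLS 7sessId 501] Tunneling flow from addr: 1.0.0.1:49636, process: google chrome helper to host: accounts.google.com, addr: 74.125.68.84:443 to nsProxy",
]

# Assumption: message layouts as seen in the two lines above, nothing more.
BYPASS_RE = re.compile(
    r"bypassing flow to exception host: (?P<host>[^,\s]+), process: (?P<process>[^,]+)"
)
TUNNEL_RE = re.compile(
    r"Tunneling flow from addr: \S+ process: (?P<process>.+?) to host: (?P<host>[^,\s]+)"
)


def parse_flow(line):
    """Return action, process and host for a steering decision, else None."""
    for action, pattern in (("bypassed", BYPASS_RE), ("tunneled", TUNNEL_RE)):
        match = pattern.search(line)
        if match:
            return {
                "action": action,
                "process": match["process"].strip(),
                "host": match["host"].strip(),
            }
    return None


def steering_for_host(lines, host):
    """Map each process seen reaching `host` to the set of steering actions."""
    seen = {}
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["host"] == host:
            seen.setdefault(flow["process"], set()).add(flow["action"])
    return seen


def policy_can_see(lines, host):
    """True only if flows to `host` were logged and all of them were tunneled."""
    seen = steering_for_host(lines, host)
    return bool(seen) and all(actions == {"tunneled"} for actions in seen.values())
```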

 

Configuration

  • Create a custom URL category 

Path: Netskope Tenant UI >>> Policies >>> Profile - - - URL Lists


 

Path: Netskope Tenant UI >>> Policies >>> Profile - - - Custom Categories


 

  • Real-time protection policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy


Verification

After the step shown in image 3, the Microsoft Outlook native application redirects the traffic to the browser, and the result is as shown below.


 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 

 
