InfoSec Blog - Office365 Add-ons are Risky!

December 6, 2017

Office 365 is a widely adopted collaboration and content management platform that is often extended using third-party software. Many companies offer "free" tools, services, plug-ins, or widgets that provide extra features and functionality within Office 365. Use of these tools generally requires registration on the site and acceptance of companies' terms of use. Some examples of third party add-ons include Boomerang and Trello.

By nature, third-party applications pose a significant security risk. Although Microsoft takes great care to secure Office 365 environment, this effort can be negated by granting a potentially insecure third-party vendor permission to access customers' data. In order to publish an application in Office 365, vendors need to meet specific requirements, but Microsoft cannot verify the safety of every application. Therefore, it is important to review each application carefully, with particular emphasis on what data it has access to, as well as privacy and security policies of the vendor.


The risks of using third-party apps are based on the following critical issues:

  • Data privacy and protection
    There is a possibility that customers' personal information which is collected while signing up for the services opens up opportunities for its unauthorized disclosure. Some third-party tools use questionable practices in terms of private data collection. Some collect data in the background, which is aggregated into profiles and then sold.

  • Business continuity is not guaranteed
    The University does not have any influence over third-party applications, which means there is a risk that the product could be discontinued at any time without prior notice, in case of malfunction or error in the service, for example.

  • Legal uncertainty
    The terms of use of third-party tools may be changed without notice. A service that was once free may suddenly bring about legal or financial obligations for the University. The company that developed the tool could also be sold to a competitor that has different intentions for the use of the collected data. The privacy policy of the service provider may vary.

  • Questionable business practices of some add-on providers
    The business model of some add-on distributers is based on the sale of user data. Users are generally kept in the dark about which data is being sold to whom. Several data vendors even offer so-called “Developer Toolkits” as free add-ons that can be used to collect user data and turn it into profit.

  • Add-on accessing internal environment
    When users enable add-ons using their University's credentials, a pathway is opened between University's domain and the add-on. This path is open in an "always on" manner. This means that if an add-on has access to manage and delete users' files , it may do so around the clock. The pathway creates the potential for exploitation if the add-on is not trustworthy, or the add-on was compromised. If an add-on enabled in your environment is compromised by a hacker, the hacker can act on behalf of the user by leveraging the permissions granted to the add-on.


At the University of Guelph, we take security and privacy of our institution’s data very seriously, and therefore have implemented a process to disable add-ons by default. When requests are received to enable add-ons CCS will analyze the application against pre-defined criteria to ensure it is safe to implement. 


Written By: Natalia Dashevska (Analyst 3, Content and Document Management)