Mitigating Risks of Using the Autofill Feature in Outlook

Email Security

Email Security Is a Must For End Users

To save time when composing a new email, many people will type the first letter of a well known email address, then use the TAB key to select the first email address that shows up in the dropdown list.  That dropdown list, known as the auto-complete list, autofill, or sometimes nicknames, gets populated whenever a new email address is typed in and that email is sent.

A problem arises when an unsuspecting user types in an email address that lands just above the usual, expected email address.  For instance, let’s say I want to send an email to sales@sperrysoftware.com.  This is a common occurrence, as I use my Inbox as a to-do list.  Then one time I send an email to sales@sperryshoes.com.   Then the next time I compose a new email, type an “s”, and perhaps even see “sales@”, hit the TAB key, and continue on my merry way.  Unbeknownst to me, sales@sperryshoes.com has appeared in the To list, potentially exposing the information in the email to parties outside of the company.

This is not an uncommon occurrence.  In 2014 a Goldman Sachs receptionist sent a misaddressed email, and most recently in 2017 a misaddressed email from WilmerHale revealed delicate information.  And I’ll bet that it happens a lot more frequently than is given credit because it is a source of embarrassment for both parties.  Just try searching for “sent email to wrong person”.

One thing some administrators like to do is to shut off the feature altogether.  The problem with this solution is that it reduces productivity because users will now have to fully type each email address, even if they are frequently referenced and in the same company.

Sperry Software recently had a large firm come to us with this problem, and here’s what they asked:

“Hi Mike,

As you know we’ve been working hard to control unauthorized disclosures through email. Users accidently select the wrong name with autofill so we have turned off autofill for high-risk groups. This has caused some heartburn for those employees. We truly only care about external email addresses as it’s not a UD if an employee accidently sends something to another employee.
 
So let’s say I send (2) emails today, one to mike.sperry@sperrysoftware.com and one to mike.spencer@supersoftware.com The next day I want you send you another email, I start typing in the to: line and I hastily select Mike Spencer instead. If I could clear the external contacts (only) every day I could significantly decrease the risk without disabling the autofill feature for internal employees.
 
So here’s the question…can you build an app that will only flush external email addresses (anything outside our .com domain) from autofill? This would allow us to turn autofill back on and then flush external email addresses on a daily basis?
 
We reached out to Microsoft but they do not provide this functionality.

[Name Withheld]”

We created a solution for them – the Autocomplete Manager add-in for OutlookThis add-in will automatically clear the auto-complete list each time you start Outlook, except that it has the option of only removing those email addresses that do not belong to your company domain.  This results in the best of both worlds, allowing productivity to remain high while at the same time lowering the risk of a misaddressed email.