Process
olk.exe
olk.exe is the new Outlook for Windows, Microsoft's WebView2-based replacement for the classic outlook.exe mail client. It is a Microsoft Store app that runs Outlook on the web inside an embedded Chromium engine, so it behaves more like a sandboxed browser than the old desktop client.
File identity
Not observed.
Execution context
Not observed.
Analysis
olk.exe is the new Outlook for Windows, Microsoft's rebuilt mail and calendar client. Under the hood it is essentially Outlook on the web wrapped as a desktop app: it renders with WebView2, the same Edge and Chromium engine browsers use, so it runs one or more msedgewebview2.exe children. It ships as a Microsoft Store app installed under C:\Program Files\WindowsApps\Microsoft.OutlookForWindows_..., signed by Microsoft, and the versioned folder name changes with each update.
Because it is web-based, its mail is a cloud cache rather than a classic mailbox file: there is no OST or PST by default, and per-user state, including cached messages, attachments, and the signed-in account list, sits under %LocalAppData%\Microsoft\Olk as a Chromium-style profile. It also drops the old extensibility model. Where classic Outlook ran VBA macros, COM add-ins, custom forms, and an editable home page, the new client supports only sandboxed web add-ins.
Legitimately, olk.exe runs on the desktop parented by explorer.exe and talks to Microsoft 365. A copy running from outside the WindowsApps package, or olk.exe appearing upstream of a shell in a process chain, is not.
As a mail client, olk.exe is a delivery point for phishing (T1566): a spearphishing link or attachment arrives by email, and execution begins when the user opens it (T1204). Because attachments open in their associated application and links open in a browser, the program that actually runs is usually a child of that handler or of the WebView2 process rather than of olk.exe itself, so the parent chain after a message is opened is what ties the activity back to mail.
The new client removes much of classic Outlook's on-host persistence surface: no VBA macros, no COM add-ins, no custom forms, and no editable home page, with web add-ins confined to the sandboxed web context. The persistence that remains is server-side, in the mailbox: inbox rules that auto-forward or redirect mail (T1137.005) sync to the account regardless of client and do not appear as local olk.exe artifacts. The cached messages and attachments that do sit on the host are in the Chromium profile and IndexedDB under %LocalAppData%\Microsoft\Olk.
- Image path outside the C:\Program Files\WindowsApps\Microsoft.OutlookForWindows_* package
- olk.exe spawning cmd.exe, powershell.exe, wscript.exe, or mshta.exe, or an opened attachment doing so
- Outbound connections from olk.exe to endpoints outside Microsoft 365
- New mailbox inbox rules that auto-forward or redirect mail
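The four indicators above written out as detection logic and run over constructed sample events. This is an added example, not code from this page or from Microsoft. The event schema (pid, ppid, image path, destination host, inbox rule actions), the VERSION_PLACEHOLDER segment in the package path, the WINWORD.EXE and msedgewebview2.exe sample paths, and the three-suffix Microsoft 365 allowlist are assumptions; map your own sensor's fields onto them and use Microsoft's published endpoint list for the allowlist. The shell check walks the parent chain rather than looking only at direct children, because, as noted above, the program that runs after an attachment is opened is usually a child of the handler or of the WebView2 process rather than of olk.exe itself.

```python
"""Triage constructed sensor events against the olk.exe heuristics (added example)."""
from dataclasses import dataclass

PACKAGE_PREFIX = r"c:\program files\windowsapps\microsoft.outlookforwindows_"
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# Illustrative allowlist only (assumption); a deployment would use Microsoft's
# published Microsoft 365 endpoint list rather than these three suffixes.
M365_SUFFIXES = (".office.com", ".office365.com", ".microsoftonline.com")
MAX_HOPS = 4  # how far up the parent chain activity is still attributed to mail


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # full image path as logged by the sensor (assumed field)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outside_package(p: Proc) -> bool:
    """Heuristic 1: an olk.exe image that is not under the Store package folder."""
    return basename(p.image) == "olk.exe" and not p.image.lower().startswith(PACKAGE_PREFIX)


def chain_to_mail(p: Proc, by_pid: dict, max_hops: int = MAX_HOPS):
    """Walk ppid links upward; return basenames from p up to olk.exe, or None."""
    chain = [basename(p.image)]
    cur = p
    for _ in range(max_hops):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        chain.append(basename(parent.image))
        if chain[-1] == "olk.exe":
            return chain
        cur = parent
    return None


def shells_under_mail(procs):
    """Heuristic 2: shells whose ancestry leads back to olk.exe within MAX_HOPS."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if basename(p.image) in SHELLS:
            chain = chain_to_mail(p, by_pid)
            if chain:
                hits.append((p.pid, " <- ".join(chain)))
    return hits


def non_m365_connections(procs, conns):
    """Heuristic 3: olk.exe connecting to a host outside the M365 allowlist."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for pid, host in conns:
        proc = by_pid.get(pid)
        if proc is None or basename(proc.image) != "olk.exe":
            continue
        h = host.lower()
        if not any(h == s[1:] or h.endswith(s) for s in M365_SUFFIXES):
            hits.append((pid, host))
    return hits


def forwarding_rules(rules):
    """Heuristic 4: inbox rules whose actions forward or redirect mail."""
    risky = {"forwardto", "forwardasattachmentto", "redirectto"}
    return [r["name"] for r in rules if risky & {a.lower() for a in r["actions"]}]


# Constructed sample telemetry: a legitimate tree with an opened attachment that
# spawns a shell, a rogue olk.exe copy, and a benign shell started from explorer.
PKG = r"C:\Program Files\WindowsApps\Microsoft.OutlookForWindows_VERSION_PLACEHOLDER"
PROCS = [
    Proc(100, 1, r"C:\Windows\explorer.exe"),
    Proc(200, 100, PKG + r"\olk.exe"),
    Proc(201, 200, r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\VERSION_PLACEHOLDER\msedgewebview2.exe"),
    Proc(300, 201, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(400, 100, r"C:\Users\Public\olk.exe"),  # copy outside the package
    Proc(500, 100, r"C:\Windows\System32\cmd.exe"),  # user shell, not mail-related
]
CONNS = [(200, "outlook.office.com"), (200, "login.microsoftonline.com"),
         (200, "updates.example.net"), (500, "example.org")]
RULES = [{"name": "Move newsletters", "actions": ["MoveToFolder"]},
         {"name": "Backup", "actions": ["ForwardTo", "MarkAsRead"]}]


def triage(procs=PROCS, conns=CONNS, rules=RULES):
    return {
        "outside_package": [p.pid for p in procs if outside_package(p)],
        "shells_under_mail": shells_under_mail(procs),
        "non_m365": non_m365_connections(procs, conns),
        "forwarding_rules": forwarding_rules(rules),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

On the sample data the rogue copy (pid 400), the powershell.exe three hops below olk.exe, the connection to updates.example.net and the "Backup" rule are flagged, while the cmd.exe under explorer.exe and the Microsoft 365 connections are not. MAX_HOPS bounds how far the attribution reaches; raise it if your handlers add intermediate processes, and note that an OS-level parent pid can be inherited by a spoofed parent, so the chain is an attribution aid, not proof.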
Telemetry
Not observed.
References
- https://attack.mitre.org/techniques/T1566/001/
- https://attack.mitre.org/techniques/T1566/002/
- https://attack.mitre.org/techniques/T1204/001/
- https://attack.mitre.org/techniques/T1204/002/
- https://attack.mitre.org/techniques/T1137/005/
- https://learn.microsoft.com/en-us/microsoft-365-apps/outlook/overview-new-outlook-windows
- https://learn.microsoft.com/en-us/microsoft-365-apps/outlook/administration/architecture-changes-new-outlook