On a recent support case, a customer noted that an application named “Office 365 Shell WCSS-Client” was found in his Office 365 and Azure AD sign-in security logs. The customer was concerned that this might be some type of malware. After searching public documentation, we could not find any information on what this application was, so we asked the product engineering teams whether they could explain. Our Office 365 UX team provided this very helpful description of what this application is and why it should not be viewed as malware:
“Office 365 Shell WCSS-Client is the browser code that runs whenever a user navigates to (most) Office365 applications in the browser. The shell, also known as the suite header, is shared code that loads as part of almost all Office365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more.
The suite header needs authentication to do the following:
* Get information about the user’s licensing state, so that we know what apps to show in the app launcher
* Connect to services that provide information about most recently used documents, so that we can show those in the app launcher
* Connect to Exchange, so that we can provide mail and calendar notifications
* Authenticate against the Microsoft / O365 graph, so that we can get and set user preferences for things like language, user theme and other O365 settings
There are different providers for those different things, necessitating different auth exchanges. These exchanges happen without direct user intervention, when a page hosting the shell code is loaded. The shell code, workload-specific code (e.g. SharePoint) and the browser all cache different parts of this information in different ways, so that pattern might not always line up for each user in each workload, but multiple auth exchanges here are the norm. A typical user navigating through different Office365 workloads can expect to see several different requests such as shown in the logs.”
O365 Product Engineer
Hopefully this helps someone understand what this application is in the future when performing a similar audit of their security logs in Office 365 or Azure AD.
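
For an audit like this, the following added example (not part of the original post and not Microsoft tooling) groups one application's sign-in records by user and target resource, so the several auth exchanges described above show up as one summary per user. It assumes records exported with the Microsoft Graph `signIn` field names; the helper `_rec`, the users, timestamps, IP addresses and the non-zero error code are constructed sample data.

```python
from collections import defaultdict

APP_NAME = "Office 365 Shell WCSS-Client"


def _rec(when, user, app, resource, ip, error_code=0):
    # Hypothetical helper: builds a record using Microsoft Graph signIn field names.
    return {"createdDateTime": when, "userPrincipalName": user, "appDisplayName": app,
            "resourceDisplayName": resource, "ipAddress": ip,
            "status": {"errorCode": error_code}}


# Constructed sample export: one user hits two resources through the shell,
# plus one unrelated application that the summary must ignore.
SAMPLE_RECORDS = [
    _rec("2024-01-08T09:00:01Z", "alice@example.com", APP_NAME, "Microsoft Graph", "203.0.113.10"),
    _rec("2024-01-08T09:00:02Z", "alice@example.com", APP_NAME, "Office 365 Exchange Online", "203.0.113.10"),
    _rec("2024-01-08T09:14:40Z", "alice@example.com", APP_NAME, "Microsoft Graph", "203.0.113.10"),
    _rec("2024-01-08T09:15:00Z", "alice@example.com", "Office 365 SharePoint Online",
         "Office 365 SharePoint Online", "203.0.113.10"),
    _rec("2024-01-08T10:30:12Z", "bob@example.com", APP_NAME, "Microsoft Graph", "198.51.100.7", 99999),
]


def summarize_app_signins(records, app_name=APP_NAME):
    """Return {user: {resource: {"count", "failures", "ips"}}} for one application."""
    summary = defaultdict(dict)
    for rec in records:
        if (rec.get("appDisplayName") or "").casefold() != app_name.casefold():
            continue  # a different application's sign-in
        user = rec.get("userPrincipalName") or "<unknown>"
        resource = rec.get("resourceDisplayName") or "<unknown>"
        entry = summary[user].setdefault(resource, {"count": 0, "failures": 0, "ips": []})
        entry["count"] += 1
        # In signIn records, errorCode 0 means the sign-in succeeded.
        if (rec.get("status") or {}).get("errorCode", 0) != 0:
            entry["failures"] += 1
        ip = rec.get("ipAddress")
        if ip and ip not in entry["ips"]:
            entry["ips"].append(ip)
    return dict(summary)


if __name__ == "__main__":
    for user, resources in summarize_app_signins(SAMPLE_RECORDS).items():
        print(user)
        for resource, e in resources.items():
            print(f"  {resource}: {e['count']} sign-ins, {e['failures']} failed, IPs {e['ips']}")
```
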