Windows 11 Update 23H2 is stealing users' IMAP credentials

2 years ago (www-heise-de.translate.goog)

As an email host... I've been turning New Outlook off for clients for weeks trying to explain this.

Apart from the security issues, it's also very annoying to have to explain that I can't actually troubleshoot any IMAP connectivity issues when your machine isn't the one that's actually making the connection.

Now we've been internally discussing whether we should just firewall off whatever Azure ranges are connecting to our IMAP backend servers and intentionally "break" the functionality. Not my first choice, but users keep seeing the "New" toggle and turning it on, causing all sorts of other uncontrolled chaos!

Cloud-first, in all the wrong ways. It's supposed to be a local app..

  • Spot on.

    I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

    This IS a big deal and should be a scandal people are educated about, and Microsoft should be forced to stop this immediately. It's interesting that Microsoft appears to have managed to stay under the radar with these deceptive tactics...

    • We first discovered this while troubleshooting why we were receiving logins with an old password.. after updating the settings in Outlook. They had no other email clients, but the 'New Outlook' didn't actually send the updated password to the Microsoft cloud due to a bug :P

      Imagine my surprise discovering that this little banner in their Outlook settings that said "Using Microsoft sync technology" actually means "This is no longer really a local IMAP client".

    • > I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

      If Microsoft has the power to pay the EU for laws in its favour, I presume (I am actually sure, see "Die Welt") that paying some newspapers poses no big logistical problems.

    • They have been doing this for years. The mobile Outlook app has had Microsoft servers check for mail on the user's behalf since forever.

  • > Cloud-first, in all the wrong ways. It's supposed to be a local app..

    It's actually a really weird app. I have a Windows PC I sometimes use at work, loaded with all the corporate crap, among which a full up-to-date installation of Office 365. Since this machine isn't mission-critical, I sometimes like to check "what's new", so I've switched to the "new Outlook".

    Yesterday I got an email from someone with an attached Word doc. Usually, I just read those inside Outlook, since I only need to skim them at best.

    But this time, I clicked "open in Word". The thing took ages. First it uploaded the doc somewhere on OneDrive (didn't ask me anything). That took a good few seconds. Then it proceeded to open a browser window with a spinny thing doing whatever it is MS products do when they have you waiting around for no apparent reason. Then it finally opened the doc in Word Online. All the while having a perfectly good copy of Word sitting on the same NVMe drive as the freakin' attachment.

    Now, this computer isn't the latest thousand core threadripper or nothing, but it was still the longest I've ever had to wait around for a 2 page text-only word doc to open.

    • New Outlook, which forgot to notify me that I had a meeting coming up despite having notifications set for it.

      In a corporate office environment, that’s one of its two jobs.

    • I might be out of touch with security nowadays, but could there be a reasonable explanation on Microsoft’s part here in that they wanted to try and help prevent the dime-a-dozen malicious attachment attacks that we’ve all heard about? Don’t get me wrong, I’m no stranger to Microsoft’s strategies— opt-out telemetry, Cortana, Bing search in the system tray, etc. It’s not all fueled by just this one particular propriety that I brought up, I know it’s also got a lot to do with their way of pushing their products onto their users with annoying opt-out (at best) features that everyone might not want, that serve to push whatever it is they’re trying to sell to their users.

      Point is, at least this specific gripe, for what it’s worth I can see some valid justification for. And if this is new behavior that they intend to stick with, I wouldn’t be surprised if they did improve it over time (although I also wouldn’t be surprised if it stayed as much of an annoyance as you described— Bing search in Windows remains an unchecked crime against humanity to this very day!)

  • Do not firewall them off. Serve different content and break functionality in a self-explanatory way (i.e. an email that tells what's wrong).

    • I can't wait to have to answer an email CAPTCHA for every IMAP connection in the future, just because Microsoft decided to do an Apple.

  • Also, no idea why rebuilding Outlook in what can be argued is an inferior technology for a desktop app could be considered a good idea. I can imagine some advantages in consolidating the web and Windows code base, but I'd say that's already a fluke - web and desktop apps are not the same nor do I expect them to ever be (and should they?? Look at your phone and ask yourself if you'd prefer all your apps ported to the browser).

    New Outlook lacks many, many features its predecessor has, like hot keys and viewing options. It doesn't support multiple languages, a must for someone who isn't American but works in a global company. And yet they push it as if it was an improvement.

    Whoever made the decisions on this should rethink their career.

  • > firewall azure ranges

    This will happen naturally as users change their credentials on the server but not in Outlook. The Outlook proxy will try the wrong password 5 or so times and will get its IPs banned. This will affect many more users using the same server.

    This will generate tickets for you and you will direct them to use plain local IMAP clients instead.

    This whole idea at Microsoft was clearly forged by someone who has never served mail and is bound to fail as it trips standard security practices present for decades.
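As an added example (not code from this thread or from any mail-server project) of the check an email host could run before deciding how to treat proxied connections: it parses constructed Dovecot-style imap-login lines, flags accounts that are being fetched from a set of proxy CIDR blocks, and counts failed logins per proxy IP so the stale-password lockout scenario described above is visible before a shared proxy address trips the host's brute-force protection. The CIDR blocks (RFC 5737 documentation ranges standing in for whatever cloud ranges the host would look up), the log lines, the account names and the threshold are all constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-ins for the proxy CIDR blocks an email host would look up
# themselves; these are RFC 5737 documentation ranges, not any real cloud ranges.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Matches Dovecot-style imap-login lines for successful logins and auth
# failures, pulling out the account (user=<...>) and the remote IP (rip=).
LOGIN_RE = re.compile(
    r"imap-login: (?P<event>Login|Disconnected \(auth failed[^)]*\)):.*?"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log (not from the article): alice logs in from her own
# machine and from a proxy range; bob's stale password is retried from a
# proxy address until the lockout threshold is reached.
SAMPLE_LOG = "\n".join(
    [
        "Nov 24 10:01:02 mx1 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS",
        "Nov 24 10:01:05 mx1 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.44, lip=192.0.2.1, TLS",
        "Nov 24 10:03:00 mx1 dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.1, TLS",
    ]
    + [
        f"Nov 24 10:0{i}:30 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
        "user=<bob@example.com>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.1, TLS"
        for i in range(5, 10)
    ]
)


def parse_line(line):
    """Return {'user', 'rip', 'ok'} for an imap-login line, else None."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return {"user": m["user"], "rip": m["rip"], "ok": m["event"] == "Login"}


def is_proxy_ip(ip):
    """True when the remote address falls inside one of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def analyze(log_text, fail_threshold=5):
    """Summarise which accounts are fetched via the proxy ranges, which of
    those also log in directly, and which proxy IPs have reached the
    failed-login lockout threshold."""
    by_user = defaultdict(lambda: {"proxy": False, "direct": False})
    fails = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proxied = is_proxy_ip(rec["rip"])
        if rec["ok"]:
            by_user[rec["user"]]["proxy" if proxied else "direct"] = True
        elif proxied:
            fails[rec["rip"]] += 1
    return {
        "proxied_users": sorted(u for u, f in by_user.items() if f["proxy"]),
        "dual_path_users": sorted(u for u, f in by_user.items() if f["proxy"] and f["direct"]),
        "lockout_candidates": sorted(ip for ip, n in fails.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The `dual_path_users` list is the one to watch operationally: an account that logs in both from the user's own network and from a proxy range is exactly the case where a connectivity ticket cannot be reproduced from the user's machine. On a live system you would feed the real log and substitute the host's own range list; the lockout count only looks at proxy addresses because a single banned proxy IP affects every account fetched through it.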

    • Microsoft has been doing this for many years for mobile Outlook, so it seems to work well enough (unfortunately).

  • Curious why they are making the connection on your behalf. Could it have anything to do with LLM’s? Either way, if I were IT, I’d be livid.

    • It's because IMAP is not very good for disconnected or mobile operation, and if you're willing to put a server between the on-device client and the IMAP server you can do much better at the cost of sharing credentials and content with the server. Not a new idea, mobile mail systems going back to Danger, BlackBerry, Good, etc have done this and probably there was precedent before that.

  • My recent experience with New Outlook was that it forced the change every month or so and I had to disable it and restart it to get the old version back. There was no setting to stop this, I looked a lot.

  • > Cloud-first

    Well, IMAP is already "cloud-first" by itself; so this is "cloud first and second", also known as MITM.

  • You may have been too late if you've only been doing this recently. Outlook for Android has been doing the exact same thing for years (which I was quite surprised and upset to find out about at the time).

    It's a shame, because like many Microsoft apps, the Outlook app isn't half bad if it weren't for the disgusting privacy violations.

  • Curious, you are an email host for what? If it is a corporate entity, can't you control the devices your employees can access mail from or which client is whitelisted? If it is public, why do you care where the mail server is hosted.

    I agree that changing an app from offline to online, without appropriate messaging is wrong. But, it is not different from how Gmail works as a mail client.

  • You're looking at it wrong. As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone. If you discover that they have, then they have wilfully compromised the security of the service you are providing, and you should immediately invalidate their credentials and contact them out of band to explain that you have acted to protect their account.

    • The credentials only give access to the user's data so they damn well should be free to give those credentials/data* to whomever they please. Keyword give, Microsoft shouldn't build a de-facto keylogger.

      * Ideally they should be separated like through OAuth, but that isn't an option for an ancient standard like IMAP.

    • > As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone

      Why would they? The users can do whatever the hell they want with their credentials

This is the horrifying core issue: "When creating an IMAP account, c't was able to record that the target server, login name and password were being transferred to Microsoft's server. Although TLS protected, the data in the tunnel runs to Microsoft in plain text. Without informing or asking, Microsoft grants itself full access to the IMAP and SMTP access data of users of the new Outlook."

To be clear: this is for accounts not hosted on Microsoft servers. They likely copy all of your existing mails to their servers, and any future mails sent or received also run through their servers.

  • How is that not a $1 billion fine under European law?

    • This shouldn't be just a fine. They exfiltrate a users credentials for another service without explicit consent and intercept a confidential communication channel between the user and their mail provider. This is straight up criminal behavior and should lead to jail time for the responsible person.

    • Because Europe heavily depends on the US for its defense and because most of MS is by now an extension of the US establishment from a strategic pov (the dividends and the profits still go to MS’s private investors, many of them Americans, but that’s not what the US establishment is really after)

When combined with the rate limiting on the 365 email API and ultimately removing IMAP access, this seems like a strategic goal to capture our data.

The dark patterns pushing content to OneDrive from Office apps, and web access opening attachments and keeping them in OneDrive, is another example of this data grab.

It’s an example of shareholder value trumping customer value, the primary purpose of cloud is to make you pay more without having to provide more in return.

  • > When combined with the rate limiting on 365 email api and ultimately removing imap access this seems like a strategic goal to capture our data.

    While I agree with your other points, I'm not sure how this one works. If you're using Office365, you're already having your mail at least go through their servers. What difference does IMAP make to their snooping intentions?

    • This attack targets people's personal accounts. Many people have Office 365 because their work requires it, so they have to use the Outlook app for that. So if those people then choose to add their personal account to the same mail client, Microsoft can also snoop on the private correspondence of their captive corporate audience.

  • The majority seems to like OneDrive. In theory having everything in one place sounds great. Few people think long term. Customer value trumps customer value if you ask me. IT departments and clueless users love MSFT and that will never change. Embrace it.

  • > seems like a strategic goal to capture our data.

    Sure is good they're not an ad company then. /s

My magic crystal ball just showed me that they're going to use your email for training AI models.

They're just trying to catch up with Google in any and every way they possibly can, users' trust, privacy and security be damned.

  • I don’t know about this. Microsoft would already have a huge body of e-mail to train on with Microsoft 365 and outlook.com if they wanted to I guess?

    • Yes, but mostly internal corporate emails, stretching back decades, with most of the content about how to violate user privacy using various sneaky schemes. I wonder what kind of A.I. would result from training on such content.

  • Does the crystal ball say anything about what’s going to happen if Copilot or Bing start revealing non-public information to anyone who asks? It’s bound to happen if they train on non-public information. Imagine Microsoft accidentally releasing other companies’ corporate strategies and proprietary internal tech, or people’s personal finances and private social interactions. I would foresee both major litigation and government regulation coming down pretty hard. I would also expect a dramatic migration away from the product if something like that came to light. I honestly hope they’re smarter than this - training on data without explicit permission is already one of the biggest problems with AI efforts.

    • You use public data only for your external-facing products like Copilot and Bing.

      You use all data, public and private, for your in-house skunkworks LLM-AI used by vetted, NDA-bound staff and execs.

      Bing won't be able to answer questions like "What are the monthly active user counts for CoolService LLC?" or "What are the manufacturing processes used at Gadgetmaster International?" but maybe DarkBing will.

      Even if LLMs aren't good enough to deliver those answers today, they might be in five or ten years, and in the meantime you want to fill the pool of data you're going to feed it.

      Cynical speculation? Yes. Eventually possible? Maybe...

  • > They're just trying to catch up with Google in any and every way they possibly can

    Except when it comes to AI, Google is the one playing catch-up to Microsoft/OpenAI.

I'm not surprised to be honest, because the 'new' Outlook is simply the old Office 365 version of Outlook Web Access in an Electron wrapper. They don't seem to have added local storage or local IMAP support; they simply sync your mail into their cloud instead.

I wouldn't be surprised if this is a ploy to offer users a 'migration' to a paid Office 365 subscription later.

The old Windows Mail was ok even though it wasn't very full featured.

  • I can't wait for a "Mail" app that can't be properly removed, and keeps restarting itself with the computer just to nag you to upgrade from the tray, like they did with OneDrive.

    • That's how Outlook on Mac already works. It forces "New Outlook" every time there's an update, and you can't avoid the switch. Worse, even when you switch back to "Old Outlook" it used to mess with your settings.

      If this is now simply a way to refresh the snagged IMAP credentials so they can read your email, then it explains a few things.

What's left now, for Windows users? I think the only solution is Thunderbird.

  • Stop using Windows. It is foolish to assume that any data on a Windows machine can stay out of the Microsoft cloud.

    E.g. Microsoft Edge on first launch can import bookmarks+stored passwords from Firefox (AFAIK without any user interaction, unless I clicked without thinking), and it also defaults to uploading this data to the Microsoft cloud (unless you're using a local account?).

    • Yep, I finally made the cut after they by default hijack your filesystem to OneDrive. They can literally delete offline files.

      I was utterly shocked to find Linux Desktop has more uptime than Windows. Windows forced updates caused so many issues dealing with autosaves, I was spending like 5-10 minutes per day reopening all my programs for work.

      Those random Linux annoyances you need the terminal for? I had like 1 or 2 of them during month 1, solved faster than a single forced Windows reboot. Fedora has been flawless 5 months later.

      The only terminal work I do is opening ports for my kid's games. It really is the year of the Linux Desktop. It's utterly shocking to me I'm saying it, I was a hater for so long.

    • I use Windows for work because that's what corporate likes. But at home I've been running only Linux on laptops and desktops since 2006. In 2020, I switched my mom's home computer to Linux. It's been a joy.

      Why does anyone use Windows at home anymore? I guess gaming is still an issue?

    • >Stop using Windows.

      Er... no? Though I do spend an inordinate amount of time closing as many holes as possible. Unfortunately, Windows is ok. The telemetry, ads and other bullshit is embarrassing, but the software I run is on Windows. Tried Linux, various ones, but I spent more time messing about with that (software didn't cut it, drivers were an arse for audio, graphic setup was strange) that it was a relief to go back. Linux reminds me of Windows 3.1 and all that memory allocation bollocks just to run a game. I choose my lazy acceptance, combined with 'as much as I can do to protect myself', over beating my head over a whole operating system that doesn't cut it for what I require. I won't entertain Macs as I trust Apple even less (for being closed).

    • Some people can't stop using Windows yet. Switching to Thunderbird is a good step toward being able to stop using Windows.

  • > I think the only solution is Thunderbird

    Some while ago, there was a bit of backlash over their re-design, but after actually using the more recent versions, I have to say that they did a good job - you can toggle the display density of the UI elements and it's still a good mail client with reasonable performance and usability.

    I can even sign e-mails with OpenPGP, and did you know that it also has a built-in RSS feed reader (a bit clunky, but having news sites/blogs be a folder that's right next to my e-mail accounts works brilliantly well)? In addition, I have it both on my Windows and Linux machines, surprisingly consistent across the board.

    Honestly, I couldn't be happier. Maybe also Roundcube hosted on VPSes for my own development mail servers when I don't feel like adding bunches of accounts to Thunderbird, but it's really nice that there's software like this out there in the first place!

    • My favorite RSS reader is Feedbro in Firefox, maybe on the minimal side but exactly what I need.

  • Claws Mail: powerful and lightning fast and 100% multi platform native code. (MacOS too but has to be built or downloaded elsewhere)

    https://www.claws-mail.org/downloads.php

    There's a small command line tool around (can't recall the name, sorry) to convert message bases and contacts from Outlook format so that they can be imported into Claws Mail. I once did that at a workplace where they were having all sort of problems with Outlook and a fairly big mail archive and saw people dropping their jaws when looking at the difference in search speed. Give it a try.

  • If, like many of us, you work in an org that refuses to authorize Thunderbird or anything else for IMAP+OAuth2 to Exchange Online then there are no other solutions. Outlook is e-mail, e-mail is Outlook.

    • The online school I’m attending is like this with its email. My options are to run the Outlook for Mac desktop app (which oddly seems to be a different beast than “new” Outlook on Windows) or keep Outlook webmail open in a tab. Not even Apple Mail via its Exchange support is permitted.

      I ultimately landed on keeping the desktop app open to reduce browser clutter and for the icon notification badge so I don’t miss any important emails.

    • This is what is so annoying with companies these days. Microsoft has them by the #%!!$ and they’ll continue taking all the productivity loss and other risks just so someone can check a box and say “We trust in Microsoft to manage this, and we’re off the hook.”

      There are solutions like the Owl extension for Thunderbird, but that’s for the adventurous ones who want to take risks.

  • I use eM Client and I recommend it. It works super well, no issues with Gmail calendar, Exchange server or any other weird quirks like Thunderbird (used to) have.

    The disadvantages are that it's paid (one time payment) and Windows only (no Linux version).

  • PuTTY + Mutt? :)

    • I’ve done that myself over the years. :)

      Windows now directly offers OpenSSH and a decent modern terminal app, so while PuTTY still works it’s no longer necessary for accessing mutt over SSH from Windows. With WSL you can also run mutt locally on Windows within a userland Linux distro like Ubuntu or Debian.

  • I switched to Mailspring a year or two ago and am very happy about it. It's based on electron so here be dragons, but does the job quite well. It's simple and basic and no fuss while not being an eyesore. Basically, a clone of the Mail app on macOS.

  • > What's left now, for Windows users? I think the only solution is Thunderbird

    Microsoft OS is reading your keyboard. If they did it once, they will do it again.

Microsoft is allowed to do whatever it wants with impunity, including stealing your password and tunneling it back to their servers in plain text.

Wow, just wow

  • It's not plain text, it's encrypted via TLS

    • Well, two counter-points: 1. their TLS implementation isn't secured against MitM attacks. 2. They receive the full plaintext password, not a hash.

      Not sure if it's apparent from the English version of the article, but Heise performed a successful MitM attack to extract the plaintext password from the data stream.

I filed a GDPR complaint regarding this when they released it on Mac, because it is not transparent what data Microsoft stores when you stop fetching email over their Exchange proxy. This was their response, after 3 months...

• How long is mail data fetched from the non-Microsoft server retained? On 31st day of user inactivity we mark the account for removal. The account is soft deleted, and the data is purged within a week (approximately) after that.

• What happens with an account that is no longer being used? Does the service continue fetching and “enhancing” mail data or does it happen on demand when a user opens Outlook? - If the user is not signing into the 3rd party accounts using outlook mobile, Teams for life or Outlook for Mac. We stop syncing any data after 7 days and mark the account for deletion after 30 days.

• How do I know what data the service holds? - Service holds Mail, Calendar, contacts data and profile data for the user (User provides consent to collect this data during add account flow).

• How can I make sure data is no longer retained? (e.g., does logging out from Outlook delete the mail data and credentials?) - When removing the account in Mac you can choose to "Sign Out On All Devices" which deletes the mailbox from the Microsoft Cloud (Exchange-backed mailbox where the third-party account is being synced).

I also filed a complaint about not making it clear if data is required for processing (Article 13, Section 2(e) [1]) - but the supervisory authority ignored me on that one.

[1]: https://gdpr-info.eu/art-13-gdpr/

To call the "new" Outlook a horrible piece of software, would be an insult to actually horrible pieces of software. They're one tier below that, wherever that is.

The fact that this is acceptable, in their narrow minds, is insane

  • I wonder if Microsoft execs themselves use this crap, and what they think of it

"Although TLS protected, the data in the tunnel runs to Microsoft in plain text". What? Not sure if this is a mistranslation but this makes absolutely no sense. TLS is encryption. Why would they further encrypt it "in the tunnel"?

  • What they are talking about is that your passwords are uploaded via HTTPS/TLS, so an encrypted connection, but what they are sending over it is your full passwords in plain text.

    https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...

    • For IMAP to work you need the original password, not e.g. a hash.

      Once you've decided to send the actual password, whether wise or not, the best you can do is encrypt it, and TLS does that.

      What else would you expect?

  • Transit vs rest, maybe?

    I suppose they'd prefer it be not transferred at all, but if it were... to be bundled up safely [for storage] before exfiltration

  • It’s encrypted between the starting point (Microsoft) and your ISP. Microsoft is the “client” in this case and just like you can read your email in Outlook or Thunderbird, MS can read all of your email that they pull over from your ISP.

    • Yes I know but saying TLS is 'plaintext' is completely silly. It's like saying your credit card number is transmitted in plaintext when you do a TLS ecommerce transaction.

      I do understand the point that the article is making, but implying that TLS is equivalent to plaintext is just plain hyperbole. What else can Microsoft do (assuming they want to do this feature?). Encrypt it again on the client side, then put it in the TLS tunnel? It's just double encryption at that point. They need the password.

      FWIW the amount of users still using unencrypted IMAP is often pretty high in Outlook or Apple Mail. Now that is a security issue. Try using a wifi packet analyzer at a large conference. I bet you'll see multiple or even dozens of plaintext IMAP passwords going thru the air.

1. Embrace (Sure, Outlook supports SMTP and IMAP! Kinda.)

2. Extend (New Outlook supports IMAP, but only in the sense that we copy all your stuff to our Cloud) <--- We are here

3. Extinguish (We are deprecating support for legacy e-mail protocols, but it's okay because all your old stuff is in M365 anyway)

The dream of decentralized e-mail based on open standards is dead.

  • Definitely scummy behaviour but it's funny how someone always has to bring up EEE and try their hardest to contort whatever the subject is to fit within that definition.

    Back in my day we just wrote Microsoft with a dollar sign for an S

  • Funny how all the antitrust stuff melted away in recent years. It's almost as if the parties involved see that their interests are aligned.

    • The antitrust "stuff" disappeared very quickly, 23 years ago, when George W Bush was elected President and his administration wasted no time in stopping the imminent harsh ruling against Microsoft in its antitrust trial, giving them barely a slap on the wrist, compared to the much stronger penalties they were undoubtedly facing (it was not at all unrealistic at that point to be expecting them to be broken up in some way).

      Recently, Biden's administration has started changing the federal tune on antitrust, formally rejecting the intellectually and morally bankrupt Chicago School interpretation that has hobbled all antitrust efforts for decades. That's why we're starting to see some real antitrust cases again.

Isn't this exactly what BlackBerry used to do?

Privacy wise it's distasteful but it does work around a lot of IMAP's problems which still don't seem to have been fixed in the ~20 years that they've been known about...

  • There are no such IMAP problems, at least ever since IDLE was a thing (which arguably you could argue may have not been a thing up until the 2010s, even if it's technically from the 2000s).

    It's just all political bullshit -- the same reason you can have decent IMAP clients on Android, but you can't on iOS (they have to resort to tricks like this), except if you're Apple.

You wonder what needs to happen that would make people stop using Windows.

  • Shouldn't be too hard:

    1. Remove it from schools so kids don't grow up used to it

    2. Stop it being bundled with new PCs

    3. Get companies to stop using Excel

    4. Convince gaming companies to stop making first class support for games for Windows

    5. Make all existing important software and games work just as well on Linux

    6. Get NVIDIA to make Linux a first-class citizen

    • The most critical is probably 1. It feels like gross negligence that Linux doesn’t dominate schools already. What could be more appropriate? It’s so educational and empowering, and a great model for much more in society.

      In fact, it may not be an exaggeration to say: the only plausible explanation why Linux isn’t dominant is corruption.

    • >3. Get companies to stop using Excel

      LibreOffice is just... not there. Something is seriously wrong with it.

      Anyway, Linux Desktop is ready for the mainstream. I can typically get away with Google's suite for Office. All of my workflows work fine with Linux, and I have hobbies from 3D printing to electronics to writing to creative work.

  • For most users, it’d be nearly perfect, hiccup-free compatibility with Windows software and a desktop experience that is identical to that of Windows wherever practical so there is no learning curve. In other words, when users can’t tell they’re not using Windows.

    Anything less won’t move the needle, at least in the short term. People don’t like change and they don’t like thinking about their tools. You see this even with macOS, where switchers only put up with learning because there’s immediate tangible benefits like long battery life and reduced heat/fan noise acting as a carrot, and even then sometimes that’s not enough and they end up falling back to Windows.

  • > You wonder what needs to happen that would make people stop using Windows.

    Treat lobbying as what it really is: corruption.

    I'm a dreamer, I know.

Everything will run in Azure and all apps will be web apps. You can count on that. This is a clear strategy from Nadella and I doubt anything will change his mind.

If you have large mailboxes, this would steer you toward paying for cloud storage at Microsoft, which might be a surprising bill to face.

Does this mean the new Outlook is actual malware? It's literally stealing your password.

  • Yes (technically). Just like OneDrive, which is stealing your files. But if you write malware to steal passwords or steal files, you go to jail for computer crimes.

    If Microsoft (or FAANG) does it, it is business as usual because they pay legislators and law enforcement to close their eyes.

This could become a bit of an issue. There's a reason why you're using IMAP in the first place, typically.

Hopefully this doesn't apply to e.g. Outlook 365 as well.

This version of Outlook should be flagged as malware. It is a huge security flaw.

This is exactly why I wouldn't want a MS account on my local system. Without that, this wouldn't even be possible.

Turns out, if you are using an OAuth2-backed service (Gmail) or something like iCloud, then you are fine. It's only for local IMAP accounts (think: your ISP email account), where you type the password directly into the settings, that Microsoft is doing this.

Doesn't make this any better- but before you worry that MS has your Google account password, they don't.

  • No, they only have an OAuth bearer token that lets them impersonate you to the IMAP server. But it's not your password so that's cool, right?
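An added example, not code from this thread or from any IMAP server, contrasting the two delegation models raised here and in the "For IMAP to work you need the original password" reply above: with SASL PLAIN the server stores a salted hash and can only verify a cleartext password presented to it again, so whoever holds that password holds it until it is changed; with SASL XOAUTH2 the client presents a bearer token, which still lets the holder log in while it is valid but can be expired or revoked by the issuer without touching the password. The `TokenIssuer` class, the `authenticate_imap` dispatcher, the account names and the PBKDF2 parameters are constructed for the illustration; the XOAUTH2 initial-response layout (`user=` and `auth=Bearer ` fields separated by 0x01 bytes) is the real one.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time


# --- Password path (IMAP LOGIN / SASL PLAIN) ---------------------------------
# The server keeps only a salted hash, so it must be handed the cleartext
# password on every login to recompute and compare it.

def make_password_record(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 record an IMAP server would store (constructed)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    """Server-side check; only possible when the cleartext is presented again."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# --- Token path (SASL XOAUTH2) -----------------------------------------------
# The client never sends the password; it sends a bearer token that the
# issuing authority can expire or revoke independently of the password.

def build_xoauth2(user, token):
    """Encode the XOAUTH2 initial client response for (user, bearer token)."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def parse_xoauth2(blob):
    """Decode an XOAUTH2 initial response back into (user, token)."""
    fields = base64.b64decode(blob).decode().split("\x01")
    kv = dict(f.split("=", 1) for f in fields if f)
    auth = kv["auth"]
    if not auth.startswith("Bearer "):
        raise ValueError("unsupported auth scheme in XOAUTH2 response")
    return kv["user"], auth[len("Bearer "):]


class TokenIssuer:
    """Toy bearer-token authority (assumption: opaque tokens with an expiry
    and a revocation list, as an identity provider would keep)."""

    def __init__(self):
        self.tokens = {}  # token -> (user, expires_at)

    def issue(self, user, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, now + ttl)
        return token

    def revoke(self, token):
        self.tokens.pop(token, None)

    def check(self, token, now=None):
        """Return the user the token belongs to, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


def authenticate_imap(method, payload, records, issuer, now=None):
    """Constructed server-side dispatch for the two mechanisms; returns the
    authenticated user or None."""
    if method == "PLAIN":
        user, password = payload  # the cleartext password is unavoidable here
        rec = records.get(user)
        return user if rec is not None and verify_password(rec, password) else None
    if method == "XOAUTH2":
        user, token = parse_xoauth2(payload)
        return user if issuer.check(token, now) == user else None
    return None


if __name__ == "__main__":
    records = {"alice@example.com": make_password_record("correct horse")}
    issuer = TokenIssuer()
    tok = issuer.issue("alice@example.com", ttl=60, now=1000)
    blob = build_xoauth2("alice@example.com", tok)
    print("token login:", authenticate_imap("XOAUTH2", blob, records, issuer, now=1010))
    issuer.revoke(tok)
    print("after revoke:", authenticate_imap("XOAUTH2", blob, records, issuer, now=1010))
    print("password login:", authenticate_imap("PLAIN", ("alice@example.com", "correct horse"), records, issuer))
```

The point the two paths make together: a provider that has synced a PLAIN password can use it until the user changes it at the server (which is what triggers the retry-lockout scenario discussed earlier in the thread), whereas a synced bearer token can be cut off at the issuer, and it expires on its own, without the user's password ever leaving the device.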

  • While it's probably not many companies that work this way, and use Outlook, I do wonder what happens if your IMAP is on a closed network.

    It is completely possible to have SMTP and IMAP be on internal networks and not on the internet (SMTP obviously needs a way to relay to an internet-connected buddy).

Apple has also started to try to get users to switch to their Mail app, at least on iPadOS. Every time I switch gmail accounts on the web UI in Chrome, I get a popup from Mail asking me to set the account up in Mail.

I can't turn it off.

I only use Knock-OutLook for Microsoft accounts. They have my password already, so no lost security there. Synchronizing email accounts is useful, but I never thought worth the hassle before or after Outlook.

Sorry, I can't read German, but do I understand properly that you give your Gmail password to Outlook (Microsoft) and you are surprised that Outlook does whatever it likes with the password?

  • I think it's a surprise that that password is going off device. The default mail app traditionally and sensibly is a local-only client, and "sync" features have not behaved in this fashion in the past.

What do you call an economy where the central establishment keeps stubbornly giving consumers things they don't want?

It’s funny but anyone who’s ever used Gmail’s “Accounts” tab on its options page, has voluntarily given Google their passwords to keep forever.

Now Microsoft wraps their web UI in a “native” app and everybody loses their mind.

It’s hardly unusual for an internet-connected app to be at least partially run in the cloud in 2023. Much less unusual when it’s something related to MS365 and AI (one of the banner features of this new release).

  • False equivalence. In one case, credentials are deliberately given for remote use. In the other case, credentials are expected to be used for a direct connection, but are instead taken for remote use.

    One is an explicit delegation, while the other is a man-in-the-middle attack.

    • I don’t think so. Remote or direct is only something we think about. The general user could not care less nor know the difference. Hardly a false equivalence.

I installed the new Outlook just a few days ago and I almost immediately started to receive emails like "I recorded you, pay or I'll share your files with everyone" on my customized email address. I thought it was a coincidence but now I am beginning to have doubts.

A German IT magazine has uncovered that with Windows 11 Update 23H2, if you accept the "recommended" new version of Outlook, the client may be uploading your secret IMAP credentials to the Microsoft cloud.

If you are trying to add a "local" IMAP/SMTP account, there is a short notice that Outlook needs to "synchronize" your IMAP account with the Microsoft cloud.

It does NOT explain that what this actually means is that it will send all your credentials including your passwords in clear text to Microsoft.

Microsoft's support document on this also only mentions:

"Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers."

No word that it means that they are uploading your passwords.

This is evil. And at least in the EU, illegal.

I have not yet found any report on this in English-language IT media, and therefore have provided a Google Translate link to the report in German.

It is not stealing anything because you get a dialog asking you for permission to do it. If you give someone permission to take something, they are not stealing it.

https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...

  • > It is not stealing anything because you get a dialog asking you for permission to do it

    That dialog talks about sync but notably does not mention credentials at all.

    Surely this is an instance where informed consent is needed, with full disclosure of what's going to happen.

    Something along the lines of: "this means your IMAP username and password will be passed to Microsoft where we will store it indefinitely so we can regularly log into your IMAP server to sync your messages".

    Of course, users are less likely to consent if you explain exactly what's going to happen...

  • The dialog talks about needing to synchronize your email account. It then goes on to tell that contacts and events are not synchronized. No one will reasonably suspect your authentication credentials are sent to Microsoft. Such reasoning about this dialog will never fly in a German court.

  • When I saw that, I immediately cancelled the "new Outlook" tryout and wrote in the feedback form that I don't want my mails in the Microsoft cloud.

  • At least in the EU it is.

    Explained in detail, here.

    https://gdpr.eu/gdpr-consent-requirements/

    Consent must be specific, informed, freely given and unambiguous. The user must be able to revoke consent at any time, as easy as it was providing the consent before.

    Very clearly the Microsoft "consent" info does not tick any single one of those items.

    Illegal.

    • Or, in other words:

      There is much to criticize about the EU. But where the US has brought the world "By farting during installation of this software you consent to us stopping by and taking your first born child" kind of EULAs / "choices", EU's GDPR is forcing big tech to treat humans as humans again (instead of just data).


  • Is it asking for informed consent for a change when the UI encourages and defaults to not keeping the status quo?

  • > It is not stealing anything because you get a dialog asking you for permission to do it

    Also, at least according to several comments on nearly any story about movie piracy, it is not stealing because all they have done is made a copy.

  • I disagree. I think that you can’t consent to something you don’t know about and certainly not something you don’t understand. This includes every single eula that everyone agrees to without reading. In my opinion that is not an agreement, as an agreement requires informed consent.

    Unfortunately, our legal system strongly disagrees with me, but that’s my two cents.

I thought that's what every email provider does? Fastmail has the same feature where you can provide your credentials and they'll fetch the emails from other providers for you.

  • If I instruct Fastmail or another provider to fetch mail from a different email provider on my behalf so that I have it in one place, then that is a deliberate decision I make. If I connect to my mail provider via IMAP/SMTP from a local application (Outlook, Thunderbird, mutt or whatever), I do not expect my credentials to be exfiltrated to a third party so that they can also fetch my mail. In fact, I would consider that to be criminal behavior if not VERY clearly communicated, with all its implications.

  • Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.

    The Outlook app for Android does the exact same thing, copying your email to the Microsoft cloud and then serving the emails to your phone from Microsoft's servers.

    • > Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.

      Is it really? The comments on the original Heise article mention that Heise actually misunderstood it and it's basically just a link to the web interface in the task bar so it's not a local app.


I've had all my Google Translate posts taken down with the ask to post it in the original language, but this one somehow stays up. Mysterious are the ways of the mods.