Comment by Enderboi

2 years ago

As an email host... I've been turning New Outlook off for clients for weeks trying to explain this.

Apart from the security issues, it's also very annoying to have to explain that I can't actually troubleshoot any IMAP connectivity issues when your machine isn't the one that's actually making the connection.

Now we've been internally discussing whether we should just firewall off whatever Azure ranges are connecting to our IMAP backend servers and intentionally "break" the functionality. Not my first choice, but users keep seeing the "New" toggle and turning it on, causing all sorts of other uncontrolled chaos!

Cloud-first, in all the wrong ways. It's supposed to be a local app..

Spot on.

I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

This IS a big deal and should be a scandal people are educated about, and Microsoft should be forced to stop this immediately. It's interesting that Microsoft appears to have managed to stay under the radar with these deceptive tactics...

  • We first discovered this while troubleshooting why we were receiving logins with an old password.. after updating the settings in Outlook. They had no other email clients, but the 'New Outlook' didn't actually send the updated password to the Microsoft cloud due to a bug :P

    Imagine my surprise discovering that this little banner in their Outlook settings that said "Using Microsoft sync technology" actually means "This is no longer really a local IMAP client".

  • > I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

    If Microsoft has the power to pay the EU for laws in its favour, I presume (I am actually sure, see "Die Welt") that paying some newspapers poses no big logistical problems.

    • The big logistical problem is: How do you select which newspapers to pay?

      All of them? Now you've announced that you've got something to hide and are trying to pay off newspapers to hide it. One of them is going to decide that this story is too juicy not to publish.

      Only those that find out some other way and ask for comment? Well, in this case Microsoft didn't reply to c't Magazin's request for comment before publication...


    • MS (and other enterprise big tech) gets laws in their favor in the EU because the EU has no solid alternative to MS. There is no EU based big cloud provider with similar capabilities, software ecosystem, integration, nobody offering a comparable office suite, familiar operating system with legacy compatibility, collaboration platform, etc.

      Even when you have solid competitors for individual components, the whole package is hard to resist. So they're stuck with MS for the moment, and slowly get absorbed in that ecosystem making it even more entrenched. But MS doesn't need to pay to get the law, they just have to let EU companies try out alternatives until they go back to being slowly boiled with MS. The EU is looking for excuses to excuse MS because everyone decided the price we all know now is worth paying to get access to a full ecosystem that fills all other needs.

      Effectively the EU is "paying" MS to stay, not the other way around.


    • Why even pay newspapers, when most do not understand the problem anyway, so do not want to read about it?

      Microsoft is already taking so much data, I would have trouble explaining to the layperson why this incident is worse than all of the other shit they are doing.

    • The parent's remark was about US media. Hardly "some newspapers" to pay, and how does the EU come into play here?

    • Calling "Die Welt" a newspaper is the problem at hand. It should be labeled as yellow press, but yeah...

  • They have been doing this for years. The mobile Outlook app has had Microsoft servers check for mail on the user's behalf since forever.

> Cloud-first, in all the wrong ways. It's supposed to be a local app..

It's actually a really weird app. I have a Windows PC I sometimes use at work, loaded with all the corporate crap, among which a full up-to-date installation of Office 365. Since this machine isn't mission-critical, I sometimes like to check "what's new", so I've switched to the "new Outlook".

Yesterday I got an email from someone with an attached Word doc. Usually, I just read those inside Outlook, since I only need to skim them at best.

But this time, I clicked "open in Word". The thing took ages. First it uploaded the doc somewhere on OneDrive (didn't ask me anything). That took a good few seconds. Then it proceeded to open a browser window with a spinny thing doing whatever it is MS products do when they have you waiting around for no apparent reason. Then it finally opened the doc in Word Online. All the while having a perfectly good copy of Word sitting on the same NVMe drive as the freakin' attachment.

Now, this computer isn't the latest thousand core threadripper or nothing, but it was still the longest I've ever had to wait around for a 2 page text-only word doc to open.

  • New Outlook, which forgot to notify me that I had a meeting coming up despite having notifications set for it.

    In a corporate office environment, that’s one of its two jobs.

    • pro-tip - just try to use an old version of Outlook that's still functional like Outlook 2010 and just set autoarchive to run pretty often so the OST doesn't get too big and make the thing crawl...

      much better than nuOutlook

      though often hard in most corporate environments...

      that said, if I were in a more buttoned up IT environment, I'd just use the web client as it's sadly faster than the desktop client these days

      I'd use the web client now except the version my company has is pretty bad and old still...


  • I might be out of touch with security nowadays, but could there be a reasonable explanation on Microsoft’s part here in that they wanted to try and help prevent the dime-a-dozen malicious attachment attacks that we’ve all heard about? Don’t get me wrong, I’m no stranger to Microsoft’s strategies— opt-out telemetry, Cortana, bing search in the system tray, etc. It’s not all fueled by just this one particular propriety that I brought up, I know it’s also got a lot to do with their way of pushing their products onto their users with annoying opt-out (at best) features that everyone might not want, that serve to push whatever it is they’re trying to sell to their users.

    Point is, at least this specific gripe, for what it’s worth I can see some valid justification for. And if this is new behavior that they intend to stick with, I wouldn’t be surprised if they did improve it over time (although I also wouldn’t be surprised if it stayed as much of an annoyance as you described— bing search in windows remains an unchecked crime against humanity to this very day!)

Do not firewall them off. Serve different content and break functionality in a self-explanatory way (i.e. an email that tells what's wrong).

  • This is nothing user-facing. Microsoft will run that in the background, firewalling it off breaks it, so they'll have to act.

    • The emails are user facing. So if, say, the ISP were to detect Microsoft servers connecting and serve them back a mailbox with a single email in it instead of the user's real mailbox, then the user would open Outlook and see just a single message. Ideally non-threateningly titled "MICROSOFT HAS STOLEN YOUR PASSWORD" and containing clear instructions on how to switch back to direct IMAP.


  • I can't wait to have to answer an email captcha for every IMAP connection in the future, just because Microsoft decided to do an Apple.

Also, no idea why rebuilding Outlook in what can be argued is an inferior technology for a desktop app could be considered a good idea. I can imagine some advantages in consolidating the web and Windows code base, but I'd say that's already a fluke - web and desktop apps are not the same nor do I expect them to ever be (and should they?? Look at your phone and ask yourself if you'd prefer all your apps ported to the browser).

New Outlook lacks many, many features its predecessor has, like hot keys and viewing options. It doesn't support multiple languages, a must for someone who isn't American but works in a global company. And yet they push it as if it was an improvement.

Whoever made the decisions on this should rethink their career.

> firewall azure ranges

This will happen naturally as users change their credentials on the server but not in Outlook. The Outlook proxy will try the wrong password 5 or so times and will get its IPs banned. This will affect many more users using the same server.

This will generate tickets for you and you will direct them to use plain local IMAP clients instead.

This whole idea at Microsoft was clearly forged by someone who has never served mail and is bound to fail as it trips standard security practices present for decades.

  • Microsoft has been doing this for many years for mobile Outlook, so it seems to work well enough (unfortunately).
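The two concerns raised above, the earlier idea of singling out the proxy's address ranges and this post's point that a proxy replaying a stale password trips the same ban as a brute-forcer and takes every other user behind that IP down with it, can both be checked from the mail server's own login log before anyone touches a firewall. The script below is an added example, not code from the thread or from any mail server project. It assumes Dovecot-style imap-login lines (the sample lines are constructed), and PROXY_RANGES holds a placeholder TEST-NET-3 prefix; a real deployment would load the provider's published IP ranges instead.

```python
"""Spot accounts fetched through a mail proxy range, and proxy IPs whose
stale-password retries are about to trip an auth-failure ban.

Added example for this thread. Assumes Dovecot-style imap-login lines;
the log lines below are constructed, and the CIDR is a placeholder.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder (TEST-NET-3). Nothing here is a real cloud-provider prefix;
# replace with the provider's published ranges in practice.
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Matches Dovecot's "Login:" and "Disconnected (auth failed...)" lines and
# pulls out the user and the remote IP (rip=).
LOG_RE = re.compile(
    r"imap-login: (?P<result>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_line(line):
    """Return (ok, user, ip) for an imap-login line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ok = m.group("result") == "Login"
    return ok, m.group("user"), ipaddress.ip_address(m.group("rip"))


def from_proxy(ip):
    """True if the address falls inside one of the known proxy ranges."""
    return any(ip in net for net in PROXY_RANGES)


def analyse(lines, fail_threshold=5):
    """Summarise which accounts are being fetched via a proxy range and which
    proxy IPs have enough auth failures to be banned, plus who that ban would
    cut off (the collateral users the post above warns about)."""
    success_by_ip = defaultdict(set)      # ip -> users who logged in OK from it
    fails_by_ip = defaultdict(int)        # ip -> failed auth count
    failed_users_by_ip = defaultdict(set)  # ip -> users whose auth failed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ok, user, ip = rec
        if ok:
            success_by_ip[ip].add(user)
        else:
            fails_by_ip[ip] += 1
            failed_users_by_ip[ip].add(user)

    proxied_users = sorted(
        u for ip, users in success_by_ip.items() if from_proxy(ip) for u in users
    )
    ban_candidates = {}
    for ip, n in fails_by_ip.items():
        if n >= fail_threshold and from_proxy(ip):
            ban_candidates[str(ip)] = {
                "failures": n,
                "stale_password_users": sorted(failed_users_by_ip[ip]),
                # accounts that would stop receiving mail if this IP were banned
                "collateral_users": sorted(success_by_ip.get(ip, ())),
            }
    return {"proxied_users": proxied_users, "ban_candidates": ban_candidates}


def _line(ts, result, user, rip):
    """Build one constructed Dovecot-style log line."""
    return (f"Jan 10 {ts} mx dovecot: imap-login: {result}: user=<{user}>, "
            f"method=PLAIN, rip={rip}, lip=10.0.0.5, TLS, session=<x>")


FAIL = "Disconnected (auth failed, 1 attempts in 2 secs)"
# Constructed sample: alice and dave are fetched via the proxy range, bob
# connects directly, and carol's proxy keeps retrying an old password.
SAMPLE_LOG = [
    _line("09:00:01", "Login", "alice@example.org", "203.0.113.9"),
    _line("09:00:02", "Login", "bob@example.org", "198.51.100.20"),
    _line("09:00:03", "Login", "dave@example.org", "203.0.113.7"),
    _line("09:04:00", FAIL, "bob@example.org", "198.51.100.20"),
] + [_line(f"09:05:{i:02d}", FAIL, "carol@example.org", "203.0.113.9")
     for i in range(5)]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("fetched via proxy range:", report["proxied_users"])
    for ip, info in report["ban_candidates"].items():
        print(f"{ip}: {info['failures']} failures from "
              f"{info['stale_password_users']}; banning it would also cut off "
              f"{info['collateral_users']}")
```

On the sample, 203.0.113.9 reaches the five-failure mark because of carol's stale password alone, yet alice is logging in successfully from the same address, which is exactly why a per-IP ban on a shared proxy hits people who did nothing wrong. The per-user lists are what you would hand to the helpdesk so the affected accounts can be told to switch back to a direct IMAP client, rather than learning about it from a silent ban.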

Curious why they are making the connection on your behalf. Could it have anything to do with LLMs? Either way, if I were IT, I'd be livid.

  • It's because IMAP is not very good for disconnected or mobile operation, and if you're willing to put a server between the on-device client and the IMAP server you can do much better at the cost of sharing credentials and content with the server. Not a new idea, mobile mail systems going back to Danger, BlackBerry, Good, etc have done this and probably there was precedent before that.

My recent experience with New Outlook was that it forced the change every month or so and I had to disable it and restart it to get the old version back. There was no setting to stop this, I looked a lot.

> Cloud-first

Well, IMAP is already "cloud-first" by itself; so this is "cloud first and second", also known as MITM.

You may have been too late if you've only been doing this recently. Outlook for Android has been doing the exact same thing for years (which I was quite surprised and upset to find out about at the time).

It's a shame, because like many Microsoft apps, the Outlook app isn't half bad if it weren't for the disgusting privacy violations.

Curious, you are an email host for what? If it is a corporate entity, can't you control the devices your employees can access mail from or which client is whitelisted? If it is public, why do you care where the mail server is hosted?

I agree that changing an app from offline to online, without appropriate messaging is wrong. But, it is not different from how Gmail works as a mail client.

You're looking at it wrong. As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone. If you discover that they have, then they have wilfully compromised the security of the service you are providing, and you should immediately invalidate their credentials and contact them out of band to explain that you have acted to protect their account.

  • The credentials only give access to the user's data so they damn well should be free to give those credentials/data* to whomever they please. Keyword: give. Microsoft shouldn't build a de-facto keylogger.

    * Ideally they should be separated like through OAuth, but that isn't an option for an ancient standard like IMAP.

  • > As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone

    Why would they? The users can do whatever the hell they want with their credentials.