Warning From Mailbox.org: New Outlook sends passwords, mails and other data to Microsoft

bbbhltz · 10 November 2023 19:26

If you set up a new account in the software, Microsoft offers a supposed security function: It says that non-Microsoft accounts are synchronised with the Microsoft cloud and that copies of “emails, calendars and contacts are therefore synchronised between your email provider and Microsoft data centres”.

This is related to the How do your protect yourself online thread.

Do you use email clients or webmail?

For some reason I like using Claws on my desktop because I find it pretty straightforward, and I use and donate to FairEmail on my phone. On my desktop, I use the webmail for my (sigh) 6 work email addresses that are all, of course, Outlook.

gnome · 11 November 2023 00:42

Thank you for sharing this.

This is such a bizarre thing to do. The original article doesn’t explain why they’re doing this, which makes me curious.

Davmail can convert between EWS and IMAP for other email clients like Thunderbird. If you have the option to switch clients, Davmail is the way to go. Evolution if you’re on Linux. Unfortunately, that’s not always an option.

Edit: The mailbox.org article is missing significant context from the original article: Microsoft lays hands on login data: Beware of the new Outlook | heise online

This is for the new Outlook program, set to replace the old Outlook and Mail programs in 2024.
When creating an IMAP account, c’t was able to sniff the traffic between new Outlook and the Microsoft servers. It contained the target server, log-in name and password which were sent to those Servers of Microsoft. Although TLS-protected, the data is sent to Microsoft in plain text within the tunnel. Without informing or inquiring about this, Microsoft grants itself access to the IMAP and SMTP login data of users of the new Outlook.
Very importantly, the actual screen:

image477×549 88.3 KB

This is not optional. The only way to stop this is to use a different email client.

Edit 2: Though I do wonder if this applies to people who host their own Exchange servers. They use EWS, after all.

bbbhltz · 11 November 2023 07:53

The original article is far too short on technical details, but at least the first words are a link to the source.

I would hope there is some documentation somewhere about this. It would be an issue for schools and businesses, among other users.

mike · 15 November 2023 04:14

The new Outlook for Windows supports Outlook.com, Exchange Online, and Gmail. Support for Yahoo, iCloud, and IMAP will be added soon.

You might have private data in a non-Microsoft account and be concerned that it is copied to a Microsoft server.

Outlook.com and Exchange Online are both hosted by Microsoft. So any data there is already under the control of Microsoft. Microsoft complies with EU data regulations. So, data should stay within the EU for residents there.

Outlook for Windows does not support on-premises, hybrid, or sovereign Exchange accounts. So, there is technically no way to mistakenly transfer corporate data to Microsoft with the current version of Outlook for Windows.

If you are worried about Microsoft viewing your data, I assume that concern also applies to Google, Yahoo, and Apple. So, I will ignore those options.

That leaves IMAP.

It sounds like if you have an Outlook.com account and add an IMAP account to Outlook for Windows then a Microsoft server will connect to that IMAP server and authenticate as you: synchronizing your messages, contacts, and calendar items to Microsoft’s servers.

On a personal level, if you don’t want to transfer your data to Microsoft then don’t use Outlook for Windows. Windows Mail will be available until the end of 2024. Or, switch to one of the many alternative IMAP clients available.

At work, administrators have the option to prevent their Exchange Online accounts from being added to the new Outlook for Windows. Separately, administrators can also hide the option to switch to the new app.

The overarching reason for synchronizing this data to Microsoft is to apply the new Outlook features to all the accounts and not just Microsoft ones. There is probably machine learning or something else going on where they need messages on the server. So, that was their solution. Outlook for Windows is basically a progressive web app.

Note: This issue was first reported in July:

For third-party services that Outlook for Windows does support, like Gmail, the Outlook app will sync a copy of your email, calendar, and contacts with Microsoft’s servers rather than communicating directly with Google’s servers and storing files locally as a traditional mail client would.

Outlook for Windows app replaces Mail and Calendar in new Windows 11 preview | Ars Technica

gnome · 15 November 2023 04:51

Cheers for the very detailed info, Mike! It must have taken quite a bit of work.

Hold up, what now? The new Outlook doesn’t support self-managed Exchange servers, lol? Really? They’re not keeping the old client around for much longer so—what do they want businesses with their own exchange servers to use instead? Are they killing their Exchange product and migrating entirely to only offering it as a service? That was my first thought, anyway.

One of your links says:

Support for Exchange on-prem: Investigating

So…it seems like they haven’t figured that one out yet…? This is the only mention of it I could find at all officially.

Yes, it seems so. One of your links mentions it “shares codebase with Outlook on the web”. They do say they will “absolutely have offline support” so it’s not completely dumb, but…

Man, this whole thing seems lazy. I mean, look at this: New Outlook for Windows now available - Page 2 - Microsoft Community Hub

Someone has compiled a long list of missing features in the new client compared to the old one, which is so long I have to collapse it:

Features removed (in no particular order):

* Customize ribbon

```
Ribbon cannot be hidden
```

Preview 1, 2, or 3 lines of message body in message list

```
Choose columns to show in message list
```

Separation of categories from subject in message list

```
Shared categories cannot have color
```
```
Cannot "view source" of HTML emails
```
```
Status bar
```

    Item count, server connectivity status, zoom level, etc.

```
Rearranging folders in folder tree
```
```
Cannot set folder to show item count
```
```
Outlook forms
```
```
Notes view
```
```
Folders view
```

Folder pane cannot be "minimized" to show folders sideways

```
"Share to Teams"
```
```
"Send to OneNote"
```

Find/replace within message when composing email (Ctrl+F)

Outlook Today (although may be replaced with "My Day" or “Board”)

```
PST file support
```
```
Translate
```
```
Search ribbon
```
```
Advanced Search (Ctrl+Shift+F)
```
```
Search Folders
```

    "Unread Mail" in favorites is an example

Cannot right-click and “Add to favorites” for shared mailboxes

Reply with IM (opens Teams chat with sender)

```
Copy email attachments
```
```
Sort/Filter options greatly reduced
```
```
Rules are far less capable
```

    Can see, but not access/use better rules from old Outlook

    Rule to move message to another mailbox

OneDrive link does not honor policies and be hidden

“To Do” opens in browser instead of within Outlook

```
No contacts from shared mailboxes
```

No print options in Mail view. Must open each message and print one at a time

```
No print options in Contacts view
```
```
"Clean up" mailbox
```
```
Send/Receive/Sync Now
```
```
Creating email signatures via script
```
```
Recall email
```
```
Resend email
```
```
Work offline
```

Quick Access Toolbar and Previous/Next email buttons when viewing a message

Public folders must be manually added to favorites to see them

```
Accessibility is basically gone
```

Using Outlook without mouse/touch is not possible

To Do bar (although may be replaced with "My Day" or “Board”)

View Settings is extremely gutted. (old Outlook is insanely powerful here)

```
Rich text format for composing email
```

Voting options (replaced with browser-based MS forms)

Does not use Word as email message editor, so these features are gone when composing email:

    Styles, smart tables, thesaurus, find & replace, paragraph formatting, advanced character formatting, page color, effects, themes, smart art, word art, OLE objects, etc.

    Set bullet type/style in bulleted list

```
    Quick Parts
```
```
    Right-click
```

Does not use Word as description editor for calendar event entries. So, above features are gone here too

```
Email composer does not support:
```
```
    Message expiration
```

    Hanging indents or tab customization

```
    Reply-to alternate email address
```

    Digitally signing or encrypting emails

```
Auto pick time for creating meetings
```

High importance & low importance tags for calendar events

```
Dictation
```

No way to open address book within "Create calendar event"

Looking at Settings/Options reveals dozens (hundreds?) of missing options when compared to old Outlook

```
Alt-R and Alt-W hotkeys
```
```
Not having Word as email editor:
```

    Cannot put border or shading around inserted images

    Can only select from a subset of Windows fonts

Does not migrate quick steps from old Outlook even though they are stored on the server.

```
Cannot open .EML or .ICS files
```
```
COM and VTSO add-ins
```

MAPI is gone. No more "Print PDF to email", or other apps using email workflow

    Can't "share as attachment" from the other Office apps.

    Mail merge using Word and Excel may not work

```
Message Templates
```

Unable to sort by name, then type in the name to go to that grouping.

```
Custom follow-up reminders for email
```
```
"Next 7 Days" Calendar view
```
```
Tasks view
```

Can't delete attachments from emails and still keep the email

Can't save an attachment where you want, it goes to downloads

Cannot setup multiple languages for spell checking within a message.

Read Aloud (text-to-speech) is only available within Immersive Reader instead of right-clicking

```
Right-click on message -> Find Related
```
```
Auto correct shortcuts are gone
```
```
Sort messages by category
```

Does not work with on-prem Exchange Server

Lots of missing Enterprise controls, such as using Group Policy to prevent users from adding their personal accounts.

Cannot drag-n-drop emails into other Office apps

```
Quick Steps cannot create new email
```

Cannot import Holidays into Calendar (.hol files)

```
Cannot minimize to system tray
```
```
Can't view headers of attached emails
```

Gray theme missing, only white and dark available

```
Cannot change icons of quick steps
```

It’s so poorly thought-out that delaying the rollout seems inevitable.

bbbhltz · 15 November 2023 06:26

I feel like this would be challenging for some. I also think there is an opportunity here for unethical types to slap together or fork an email client, brand it as privacy friendly as opposed to Outlook which steals your emails, and then charge a small fee.

I personally dislike the Outlook desktop software so never used it.

That list is very impressive. Remember n-gate.com? This is MS at war with their own users.

mike · 15 November 2023 17:33

It is true that Outlook for Windows does not currently support on-premises Exchange. But, I think that makes sense because the new Outlook is still being developed, and Microsoft wants to focus on their latest product and biggest customers.

In terms of on-premises Exchange, Windows shops can continue to use Classic Outlook or Outlook for the Web. I assume OWA will be supported for as long as the underlying Exchange servers are supported.

One of the advantages to a progressive web app is that Microsoft can release features within days. That is one of the points made in a recent Microsoft video. For example, gnome’s list of missing features is out-of-date. There is actually a slide dedicated to a customizable ribbon:

Update on the new Outlook for Windows | YouTube

Finally, coming from the support side, I find these discussions stressful. Many times I’ve had to work ten times harder than necessary because the users below me and managers above me had either imprecise or unrealistic expectations. I think the right attitude is that software changes. And we should have a plan to remove software before we ever install it. For example, map out business processes, plan how to cost-effectively extract your data, and test these plans regularly. This will give the business the proper mindset and the best options whenever the next predicament occurs.

gnome · 16 November 2023 04:46

I have a few thoughts:

It’s good that Microsoft is focusing on moving their programs to the web. Adobe is doing similar. This will mean that the programs are accessible with the same functionality regardless of operating system.
The old outlook client has been deprecated and will stop being supported/available for download at the end of 2024, which is not much time. I have my doubts that it will support Exchange instances then if it doesn’t now. I had completely forgotten about OWA, however, which should continue to work fine into the future. Outlook for the Web seems to require handing all your mail/calendars/etc. over to Microsoft, which is one of the primary reasons why you would want your own Exchange instance—so Microsoft doesn’t have access to your confidential data.
The list was posted by someone else; I don’t actually use Outlook myself, although some people I work with do. Some of those features mentioned are certainly there now, like offline functionality. I use Davmail + Thunderbird generally.
Email is a hard thing to decouple from a business. These days, it’s also calendaring, reminders, and whatever else Exchange manages too. It’s at least better than Gmail because you have your own domain, but there are an awful lot of things to depend on. But it’s something you kind of expect…not to change? I mean, it’s email. We figured this stuff out more than 20 years ago. No need to start adding emoji reactions in now. What was that old quote?

Microsoft. Microsoft never changes.

I would never want to be responsible for managing an Exchange server

we should have a plan to remove software before we ever install it.

I agree this is a good idea.