by Enderboi 954 days ago
As an email host... I've been turning New Outlook off for clients for weeks trying to explain this.

Apart from the security issues, it's also very annoying to have to explain that I can't actually troubleshoot any IMAP connectivity issues when your machine isn't the one that's actually making the connection.

Now we've been internally discussing whether we should just firewall off whatever Azure ranges are connecting to our IMAP backend servers and intentionally "break" the functionality. Not my first choice, but users keep seeing the "New" toggle and turning it on, causing all sorts of other uncontrolled chaos!

Cloud-first, in all the wrong ways. It's supposed to be a local app..

14 comments

Spot on.

I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

This IS a big deal and should be a scandal people are educated about, and Microsoft should be forced to stop this immediately. It's interesting that Microsoft appears to have managed to stay under the radar with these deceptive tactics...

We first discovered this while troubleshooting why we were receiving logins with an old password.. after updating the settings in Outlook. They had no other email clients, but the 'New Outlook' didn't actually send the updated password to the Microsoft cloud due to a bug :P

Imagine my surprise discovering that this little banner in their Outlook settings that said "Using Microsoft sync technology" actually means "This is no longer really a local IMAP client".

> I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

If Microsoft has the power to pay the EU for laws in its favour, I presume (I am actually sure, see "Die Welt") that paying some newspapers poses no big logistical problems.

The big logistical problem is: How do you select which newspapers to pay?

All of them? Now you've announced that you've got something to hide and are trying to pay off newspapers to hide it. One of them is going to decide that this story is too juicy not to publish.

Only those that find out some other way and ask for comment? Well, in this case Microsoft didn't reply to c't Magazin's request for comment before publication...

Just one or two probably. One right and one left wing publication.

One side writes a piece, something like: "How the new Outlook saved my {insert protected class}", another one on the other side something like "New Microsoft Outlook uses your mail credentials to steal your DNA via nanosites because Bill Gates wants access to your children."

And then the rest of the media pick it up from there, spin it in their respective direction, receiving their generous donations from one of the numerous MS foundations that funnel money into these places, based on how damaging their puff pieces were.

Now nobody cares about the problem anymore because they are too busy fighting each other.

"How the new Outlook saved my LGBT" "How the new Outlook saved my Woman" (Hey, this actually parses! Though not in the intended way...) "How the new Outlook saved my African American" (ok, this is getting troubling) "How the new Outlook saved my Christianity" (The first article I'd actually read) "How the new Outlook saved my Age" (big scope!) "How the new Outlook saved my Ex Serviceman" "How the new Outlook saved my Disability"
MS (and other enterprise big tech) gets laws in their favor in the EU because the EU has no solid alternative to MS. There is no EU based big cloud provider with similar capabilities, software ecosystem, integration, nobody offering a comparable office suite, familiar operating system with legacy compatibility, collaboration platform, etc.

Even when you have solid competitors for individual components, the whole package is hard to resist. So they're stuck with MS for the moment, and slowly get absorbed in that ecosystem making it even more entrenched. But MS doesn't need to pay to get the law, they just have to let EU companies try out alternatives until they go back to being slowly boiled with MS. The EU is looking for excuses to excuse MS because everyone decided the price we all know now is worth paying to get access to a full ecosystem that fills all other needs.

Effectively the EU is "paying" MS to stay, not the other way around.

Um, Google Business and Google Workspace aren't in the EU? They're great alternatives to Microsoft cloud in the US.
As I said at the beginning, this applies to most other enterprise big tech companies from the US. MS in particular has a hook others don't: most companies right now are still solidly tied to Windows, Office, AD/Entra. This is the slope that easily leads to the whole M365 environment. It's hard even for Google to compete with this. And it's impossible for the almost non-existing EU offering in this space to compete. There are lots of individual services that could compete 1:1 with the equivalents from MS or Google but nothing that can compete with the full ecosystems and vertical integration they provide.

Even so, a law that benefits MS will also benefit Google under these circumstances. Any law that locks out MS or Google (like GDPR which constantly sees "exceptions" carved out) will have some severe economic repercussions on EU companies, not to speak of the political/diplomatic ones with the US.

It is even worse.

MS doesn't need to do anything. They don't need to pay anyone off. EU bureaucracy is extremely strongly wedded to MS products like Windows, Office, Teams, Outlook etc. As are all EU national bureaucracies and public institutions.

There are firm opinions by e.g. the BSI (German IT security office, comparable to something between NSA, mostly NIST, DHS and ANSI) and other equivalent European national offices that it is practically impossible to operate modern MS products securely. E.g. there are guidelines from BSI like "we know that in that exact version (which is years old, because the guideline took ages to write) you need to set the following registry keys to prevent data exfiltration. Btw. this won't help you, because you also HAVE to upgrade within a few weeks of each available update". There are firm opinions by multiple European data protection offices that basically say the same about GDPR compliance in MS products. Practically impossible to achieve, there might have been that one configuration, "Once upon a time of writing the report, with that specific version of Windows and Office, when firewalling off half of azure, setting those 300 registry keys, manually deleting the following files, illegal telemetry could no longer be observed. Also, you are obliged by GDPR to follow good practice and update regularly, so good luck with that...".

Basically it is illegal to process any personal data using MS products in the EU if the processing system has any kind of outgoing internet connection. All the bureaucracies ignore this systematically, citing the "impossibility" of working without said MS products. Migration plans away from those illegal processes are regularly cancelled, ignored or never completed. MS is free to do whatever it wants, they are never really investigated, fined or held to any laws.

Meanwhile, other big IT firms like Meta, Google, Twitter/X and lots of others are held to far higher standards. Where tons of your local government's data about you like tax report, criminal records, school records and similar things are subject to being exported to the US via Azure, MS telemetry and what not. With FAANG there is complaining about comparably laughable stuff like "well, that IP address that Google Fonts could observe...".

The problem, why this doesn't change, is that the local government institution is responsible for their data processing (according to GDPR and other laws), MS being only their contractor. And those government institutions are usually (in almost all EU states) free from GDPR and other penalties, and those penalties would be left-pocket-to-right-pocket anyways.

This is why MS gets a free pass on everything. Imho this must end.

So the "bug" is a convenient spy program for the US government.
Why even pay newspapers, when most do not understand the problem anyway, so do not want to read about it?

Microsoft is already taking so much data, I would have trouble explaining to the layperson why this incident is worse than all of the other shit they are doing.

The parent's remark was about US media. Hardly "some newspapers" to pay, and how does the EU come into play here?
Calling "Die Welt" a newspaper is the problem at hand. It should be labeled as yellow press, but yeah...
They have been doing this for years. The mobile outlook app has had microsoft servers check for mail on the user's behalf since forever.
> Cloud-first, in all the wrong ways. It's supposed to be a local app..

It's actually a really weird app. I have a windows PC I sometimes use at work, loaded with all the corporate crap, among which a full up-to-date installation of office 365. Since this machine isn't mission-critical, I sometimes like to check "what's new", so I've switched to the "new outlook".

Yesterday I got an email from someone with an attached Word doc. Usually, I just read those inside outlook, since I only need to skim them at best.

But this time, I clicked "open in word". The thing took ages. First it uploaded the doc somewhere on onedrive (didn't ask me anything). That took a good few seconds. Then it proceeded to open a browser window with a spinny thing doing whatever it is ms products do when they have you waiting around for no apparent reason. Then it finally opened the doc in word online. All the while having a perfectly good copy of word sitting on the same nvme drive as the freakin' attachment.

Now, this computer isn't the latest thousand core threadripper or nothing, but it was still the longest I've ever had to wait around for a 2 page text-only word doc to open.

New Outlook, which forgot to notify me that I had a meeting coming up despite having notifications set for it.

In a corporate office environment, that’s one of its two jobs.

New Outlook also fails at its second job for me, it won’t fetch email unless it’s the active window.
I wonder if this is related to the Edge feature of "freezing" tabs, since New Outlook is clearly an Electron-like contraption, but I think they're supposed to use the Edge Web Views instead of shipping their own Electron runtime.

At least it doesn't crash. At one point, it used to just die on me. They've also fixed the window decorations and random icons in the left toolbar, which used to become weird on mouse over.

There's also something else odd going on with the app. When I start it from the start menu, there's a very long lag between my pushing enter and the start menu going away. This happens every time I start outlook after a fresh boot, but doesn't happen with other shitty apps, like New Teams. For those, it disappears right away, even though the app doesn't start up instantly. It doesn't matter the order in which I start them, nor if I only start Outlook after the machine has been running for a while.

pro-tip - just try to use an old version of outlook that's still functional like outlook 2010 and just set autoarchive to run pretty often so the ost doesn't get too big and make the thing crawl...

much better than nuOutlook

though often hard in most corporate environments...

that said, if I were in a more buttoned up IT environment, I'd just use the web client as it's sadly faster than the desktop client these days

I'd use the web client now except the version my company has is pretty bad and old still...

> that said, if I were in a more buttoned up IT environment, I'd just use the web client as it's sadly faster than the desktop client these days

I'm not in a "buttoned up IT environment", but I still prefer the web client. It actually works great on Firefox on Linux and is way snappier than local outlook ever felt.

I might be out of touch with security nowadays, but could there be a reasonable explanation on Microsoft’s part here in that they wanted to try and help prevent the dime-a-dozen malicious attachment attacks that we’ve all heard about? Don’t get me wrong, I’m no stranger to Microsoft’s strategies— opt-out telemetry, Cortana, bing search in the system tray, etc. It’s not all fueled by just this one particular propriety that I brought up, I know it’s also got a lot to do with their way of pushing their products onto their users with annoying opt-out (at best) features that everyone might not want, that serve to push whatever it is they’re trying to sell to their users.

Point is, at least this specific gripe, for what it’s worth I can see some valid justification for. And if this is new behavior that they intend to stick with, I wouldn’t be surprised if they did improve it over time (although I also wouldn’t be surprised if it stayed as much of an annoyance as you described— bing search in windows remains an unchecked crime against humanity to this very day!)

Do not firewall them off. Serve different content and break functionality in a self-explanatory way (i.e. an email that tells what's wrong).
This is nothing user-facing. Microsoft will run that in the background, firewalling it off breaks it, so they'll have to act.
The emails are user facing. So if, say, the ISP were to detect Microsoft servers connecting and serve them back a mailbox with a single email in it instead of the user's real mailbox, then the user would open Outlook and see just a single message. Ideally non-threateningly titled "MICROSOFT HAS STOLEN YOUR PASSWORD" and containing clear instructions on how to switch back to direct IMAP.
That's a great idea and would be extremely easy to roll out. I hope people start doing that!
I can't wait to have to answer an email captcha for every IMAP connection in the future, just because Microsoft decided to do an Apple.
Also, no idea why rebuilding Outlook in what can be argued is an inferior technology for a desktop app could be considered a good idea. I can imagine some advantages in consolidating the web and Windows code base, but I'd say that's already a fluke - web and desktop apps are not the same, nor do I expect them to ever be (and should they?? Look at your phone and ask yourself if you'd prefer all your apps ported to the browser).

New Outlook lacks many, many features its predecessor has, like hot keys and viewing options. It doesn't support multiple languages, a must for someone who isn't American but works in a global company. And yet they push it as if it was an improvement.

Whoever made the decisions on this should rethink their career.

How else could Microsoft guarantee that they get to read your email like Google does?
> firewall azure ranges

This will happen naturally as users change their credentials on the server but not in Outlook. The Outlook proxy will try the wrong password 5 or so times and will get its IPs banned. This will affect many more users using the same server.

This will generate tickets for you and you will direct them to use plain local IMAP clients instead.

This whole idea at Microsoft was clearly forged by someone who has never served mail and is bound to fail as it trips standard security practices present for decades.
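Two operational points run through this subthread: spotting which accounts are being logged into from a relay range rather than the user's own device (so the host can tell the user instead of silently firewalling), and the collateral damage when a threshold-based auto-ban blocks a relay IP that many accounts share. The script below is an added example, not code from the thread or from any mail product; it assumes Dovecot-style imap-login log lines (constructed here with documentation addresses and made-up users) and uses placeholder prefixes in PROXY_RANGES that are not Microsoft's ranges, which an operator would replace with whatever their own connection logs show.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder networks standing in for whatever cloud ranges an
# operator sees proxying IMAP logins. These documentation prefixes are NOT
# Microsoft's; fill in the ranges observed in your own logs.
PROXY_RANGES = [ipaddress.ip_network(cidr) for cidr in ("203.0.113.0/24", "2001:db8:abcd::/48")]

# Constructed Dovecot-style imap-login lines: alice logs in directly and via a
# relay, bob and carol via the same relay IP, and dave's relay keeps replaying
# a stale password (the "old password" symptom described in the thread).
SAMPLE_LOG = """\
Nov 10 08:01:12 mx1 dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Nov 10 08:01:40 mx1 dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.44, lip=192.0.2.10, TLS
Nov 10 08:02:03 mx1 dovecot: imap-login: Login: user=<carol@example.org>, method=PLAIN, rip=203.0.113.44, lip=192.0.2.10, TLS
Nov 10 08:02:30 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.org>, method=PLAIN, rip=203.0.113.44, lip=192.0.2.10, TLS
Nov 10 08:02:31 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.org>, method=PLAIN, rip=203.0.113.44, lip=192.0.2.10, TLS
Nov 10 08:03:15 mx1 dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=2001:db8:abcd::1f, lip=192.0.2.10, TLS
"""

LOGIN_RE = re.compile(
    r"imap-login: (?P<kind>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_login_events(text):
    """Turn imap-login lines into (user, remote_ip, succeeded) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append((m["user"], m["rip"], m["kind"] == "Login"))
    return events


def is_proxy_ip(ip_text):
    """True when the remote address lies inside one of the configured relay ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in PROXY_RANGES)  # v4/v6 mismatch simply yields False


def analyze(events):
    """Which accounts' credentials arrive from a relay, how many accounts sit behind each relay IP, and where auth fails."""
    proxied_users = defaultdict(set)       # user -> relay IPs that presented that user's password
    users_per_proxy_ip = defaultdict(set)  # relay IP -> distinct accounts behind it
    failures_per_ip = defaultdict(int)     # remote IP -> failed auth count (stale passwords show up here)
    for user, rip, ok in events:
        if not ok:
            failures_per_ip[rip] += 1
        if is_proxy_ip(rip):
            proxied_users[user].add(rip)
            users_per_proxy_ip[rip].add(user)
    return {
        "proxied_users": dict(proxied_users),
        "shared_ips": {ip: len(users) for ip, users in users_per_proxy_ip.items()},
        "failed_by_ip": dict(failures_per_ip),
    }


def ban_blast_radius(report, threshold):
    """Relay IPs a fail2ban-style rule would block at this failure threshold, mapped to the accounts that would lose mail."""
    return {ip: report["shared_ips"][ip]
            for ip, n in report["failed_by_ip"].items()
            if n >= threshold and ip in report["shared_ips"]}


def notification_text(user, proxy_ips):
    """Out-of-band notice for an account whose password is being presented by a relay rather than the user's device."""
    return (f"{user}: your mailbox password was presented to us from {', '.join(sorted(proxy_ips))}, "
            "a third-party relay and not your own device. Switch your client back to a direct IMAP "
            "connection, then change your password.")


if __name__ == "__main__":
    report = analyze(parse_login_events(SAMPLE_LOG))
    for user, ips in sorted(report["proxied_users"].items()):
        print(notification_text(user, ips))
    print("accounts behind each relay IP:", report["shared_ips"])
    print("accounts cut off by a 2-failure auto-ban:", ban_blast_radius(report, threshold=2))
```

The blast-radius function is the practical check before tightening any auto-ban: on the constructed sample a 2-failure threshold would block 203.0.113.44 and take three accounts offline because of one stale password, which is the "many more users" effect described in the comment above.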

Microsoft has been doing this for many years for mobile Outlook, so it seems to work well enough (unfortunately).
Curious why they are making the connection on your behalf. Could it have anything to do with LLM’s? Either way, if I were IT, I’d be livid.
It's because IMAP is not very good for disconnected or mobile operation, and if you're willing to put a server between the on-device client and the IMAP server you can do much better at the cost of sharing credentials and content with the server. Not a new idea; mobile mail systems going back to Danger, BlackBerry, Good, etc. have done this and probably there was precedent before that.
Depends very much on the client. Samsung Email is atrocious, but Apple Mail works great (and I think they’re both local clients).
Client authors try but there are still IMAP protocol design choices that cause issues with sync reliability, bandwidth usage, lack of push, etc. You can read the JMAP design rationale for details, they cover it all pretty well. Security issues with middle boxes are well known too, just ask anyone who's worked in IT security how they feel about BlackBerry Enterprise Server. I think it's possible to build something similar in a better way by isolating the middle box bit and putting it in a more controlled environment like AWS Nitro where the client gets boot attestation and the service provider sees only a black box they can bill for, but this would require getting Apple etc on board to modify their clients.
My recent experience with New Outlook was that it forced the change every month or so and I had to disable it and restart it to get the old version back. There was no setting to stop this, I looked a lot
Limit Azure connections to 500 b/s. Make them wait and keep slow-moving connections active.
And you still have your users complaining to you, not to Microsoft.
but at least MS is paying the bill too
Is MS sharing the list of IPs to firewall, somewhere?
> Cloud-first

Well, IMAP is already "cloud-first" by itself; so this is "cloud first and second", also known as MITM.

Sounds like a government-requested "feature".
You may have been too late if you've only been doing this recently. Outlook for Android has been doing the exact same thing for years (which I was quite surprised and upset to find out about at the time).

It's a shame, because like many Microsoft apps, the Outlook app isn't half bad if it weren't for the disgusting privacy violations.

Curious, you are an email host for what? If it is a corporate entity, can't you control the devices your employees can access mail from or which client is whitelisted? If it is public, why do you care where the mail server is hosted?

I agree that changing an app from offline to online, without appropriate messaging is wrong. But, it is not different from how Gmail works as a mail client.

You're looking at it wrong. As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone. If you discover that they have, then they have wilfully compromised the security of the service you are providing, and you should immediately invalidate their credentials and contact them out of band to explain that you have acted to protect their account.
The credentials only give access to the user's data, so they damn well should be free to give those credentials/data* to whomever they please. Keyword give; Microsoft shouldn't build a de-facto keylogger.

* Ideally they should be separated like through OAuth, but that isn't an option for an ancient standard like IMAP.

> As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone

Why would they? The users can do whatever the hell they want with their credentials