Shock and Horror About How the New Outlook Synchronizes User Data

Storm in a Teacup as the New Outlook Appears

There’s a lot of fuss and bother about the new Outlook client (aka Monarch) caused by an article on a German website that begins with the assertion that “The new free Outlook … sends secret credentials to Microsoft.” Quelle surprise! It goes on to say “But beware: If you try the new Outlook, you risk transferring your IMAP and SMTP access data to mail accounts as well as all mails to Microsoft servers.” The author concludes that synchronization (which is what happens) of email and credentials “allows Microsoft to read the mails.”

Figure 1: The new Outlook causes some concern

I fear that the article falls firmly into the category of hysterical clickbait. However, its assertions will cause worry and concern for people who don’t fancy the idea of transferring information to the cloud where the cloud provider might possibly access their data. This hasn’t worried the hundreds of millions of people who use Gmail or the 400 million users of Office 365, but I can understand the concerns expressed by others.

Sending Plain Text Credentials

The author is very upset that Microsoft stores IMAP4 and SMTP credentials for user accounts (I’m pretty sure that this happens for POP3 too). Outlook sends these plain-text credentials over a TLS connection. I guess Microsoft could enforce some form of modern authentication with Monarch, but that requires the mail servers it connects with to support modern authentication, and that’s not going to happen for most IMAP4 and POP3 connections. So credentials must be plain text to allow Outlook to connect to the servers that host user accounts (Outlook does use OAuth2 to connect to Google accounts, and uses that access to synchronize data from those accounts).

Synchronization of User Data in Azure

The author is also upset that Microsoft synchronizes user email data to Azure. This is the same mechanism as Outlook mobile has used since Microsoft moved from the AWS-based infrastructure used by the original Acompli client (bought by Microsoft in 2014) to Azure in 2018. Data is held in special forms of mailboxes that cannot be accessed by normal email clients and it’s stored like this to make functions like search and the focused inbox work.

If Outlook did not synchronize email, contacts, and calendar items to Azure, the client would be limited to whatever features are supported by IMAP4, an obsolete email access protocol that only persists because the standards community has not developed a replacement. Moving copies of items to Azure allows background processes to make the data more like the information retrieved from a full-blown Exchange Online server. Put another way, massaging the data makes it possible for Outlook to work with the data as if it came from Exchange.

The New Outlook is a Better Client

The mail client is part of Windows and has changed dramatically as Windows evolved. Few would want to go back to Outlook Express at this point. The latest change benefits users because they get more features and a better client. Microsoft also gains through reduced engineering expenses by eliminating a client from its mix of mail clients. Comparing the old Windows mail client to Outlook is like comparing the default mail client on a smartphone to Outlook mobile. Both will do the basics of sending and receiving email, but Outlook mobile does much more besides.

It’s reasonable to be concerned about the storage of email data but people do have a choice. To get the additional functionality (see the list of features enabled by synchronization), they can use the new Outlook. On the other hand, if they fear that Microsoft might compromise their information (an infinitesimal and highly unlikely occurrence) they can use another client. This is called user choice.

Other Clients Available

The simple solution for those unhappy about the way the new Outlook works is to seek an alternative. Fortunately, many other free email clients are available, such as the well-respected Thunderbird IMAP4 client. The latest versions of the Thunderbird client support OAuth2 connections, including to Exchange Online, proving that not all IMAP4 connections depend on plain-text credentials.

The combination of server and client creates a secure connection. Perhaps people should worry more if the server hosting their mailbox still uses basic authentication and clients send plain-text credentials to the server. In this situation, accounts are more likely to be compromised by attack techniques such as password sprays. I’d be a lot more worried about compromise of accounts on servers that use basic authentication than attackers gaining access to email data stored in Azure.
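As an added example (not part of the original post), the following Python sketch classifies a mail server by the authentication mechanisms it advertises, which is the distinction drawn above between servers that still rely on plain-text credentials and those that accept OAuth2. The capability strings are constructed samples, the function names are hypothetical, and the IMAP line is assumed to be the one returned after TLS is established.

```python
import re

# SASL mechanisms that carry an OAuth2 bearer token instead of the password.
OAUTH_MECHS = {"XOAUTH2", "OAUTHBEARER"}
# Mechanisms that hand the reusable account password to the server.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample responses (illustrative, not captured from real servers).
LEGACY_IMAP = "* CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN"
MODERN_IMAP = "* CAPABILITY IMAP4rev1 SASL-IR LOGINDISABLED AUTH=XOAUTH2 AUTH=OAUTHBEARER"
MIXED_SMTP = ["250-mail.example.test", "250-STARTTLS",
              "250-AUTH PLAIN LOGIN XOAUTH2", "250 8BITMIME"]

def imap_mechanisms(capability_line):
    """Extract the usable auth mechanisms from an IMAP CAPABILITY response."""
    tokens = capability_line.upper().split()
    mechs = {t[5:] for t in tokens if t.startswith("AUTH=")}
    # Unless LOGINDISABLED is advertised, the password-based LOGIN command works.
    if "LOGINDISABLED" not in tokens:
        mechs.add("LOGIN")
    return mechs

def smtp_mechanisms(ehlo_lines):
    """Extract SASL mechanisms from the lines of an SMTP EHLO reply."""
    mechs = set()
    for line in ehlo_lines:
        # Accept both "250-AUTH A B" and the legacy "250-AUTH=A B" form.
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def classify(mechs):
    """Say whether a client must, may, or need not send a password."""
    oauth = bool(mechs & OAUTH_MECHS)
    password = bool(mechs & PASSWORD_MECHS)
    if oauth and not password:
        return "modern-only"
    if oauth and password:
        return "modern-and-basic"
    if password:
        return "basic-only"
    return "other"

if __name__ == "__main__":
    print("legacy IMAP:", classify(imap_mechanisms(LEGACY_IMAP)))
    print("modern IMAP:", classify(imap_mechanisms(MODERN_IMAP)))
    print("mixed SMTP: ", classify(smtp_mechanisms(MIXED_SMTP)))
```

A server that reports "basic-only" is one where any client, whether the new Outlook or another, has to hold and send the account password.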

To me, this is a storm in a teacup. Once people think through how and why Microsoft synchronizes email data to make the new Outlook work better, I think they’ll be OK with the mechanism used. I’ve never worried about the processing of email data for mobile Outlook and I doubt that it’ll cause me any concern for Monarch.

6 Replies to “Shock and Horror About How the New Outlook Synchronizes User Data”

  1. Hi Tony,

    thank you for this helpful article!
    But here in Germany we see this a bit differently:
    Microsoft could have at least communicated that change better – as one cannot “expect” this change in behaviour for the new Outlook-client – so that he/she has at least a chance to perform an educated decision (for maybe one of the alternatives you mentioned)…
    This doesn’t help Microsoft’s reputation and is just unnecessary.

    (Heise / c’t has a quite good reputation here, although they’re sometimes very critical of Microsoft)

    1. Microsoft communicated their intention of replacing the old Windows mail client with the new Outlook a long time ago. They did not say explicitly that the new Outlook would synchronize data to Azure, but that’s been happening since 2018 for other Outlook clients. People can choose whether to use the free client provided in Windows or another client that they find elsewhere. That’s perfectly reasonable, but creating a huge fuss that makes it out that Microsoft is copying data for some nefarious reason is hardly professional coverage of a technical issue. It’s a good example of highlighting a detail to make it out to be something that it absolutely isn’t, and that’s why I have a difficulty with the coverage.

  2. Confusing use of terms that need clarifying. First and foremost: As I understand it there are differences between this “NEW OUTLOOK” and the Office365 outlook client (for lack of a better word, OLDOUTLOOK) that will continue. Is this correct? My understanding is that this “new” client is the “free” replacement to windows mail. Need clarification here. Second, hard to believe corporations that are using OLDOUTLOOK would condone this type of “grabbing” of their proprietary data. Here I mean corporations, law firms, governments (big and small), health care, universities, etc.

    1. “New Outlook” is the term Microsoft uses for the Monarch client. It’s also known as One Outlook. The client is available in versions built for commercial (Microsoft 365) and personal use. All of the fuss is about the personal version of the client because it is the one that includes ads and replaces the old Windows Mail and Calendar clients. The personal client is free and people essentially pay for its usage through ads. Commercial usage is paid through Microsoft 365/Office 365 licenses and doesn’t include ads. Both clients synchronize information to the Microsoft Azure datacenters so that the data can be processed to make features like the Focused Inbox work. Protocols like IMAP4 and POP3 don’t support advanced functionality, so the only way for a client to implement these features is to synchronize mailbox items from the host server to Azure, process them there, and then download from Azure.

  3. The main reason for me not moving to the New Outlook yet, is that it has zero support for VBA Object Model interaction. There are tons of (Excel) VBA applications out there that automatically generate e-mails in Outlook, and with the New Outlook each of these applications stops working (without any meaningful error message too for that matter). Microsoft feedback is that they consider to include VBA support in future updates … which is giving no certainty at all …
