New Outlook from Microsoft apparently passes on login credentials

November 17, 2023, 11:48 a.m.
Reading time: 4 minutes

The Windows 11 update brings the new version of Outlook with it. The mail client has also been actively recommended to some Windows users. Now, however, it is reported that not only the data but also the login credentials of added accounts end up on Microsoft's servers.

The new Outlook version is intended to replace the Windows Mail app and the old Outlook in the near future. The application can already be downloaded: either you search for it in the Microsoft Store, or it is suggested to users via "Start". Questions about security arise, however, because reportedly not only emails but also the credentials for non-Microsoft accounts are transmitted to Microsoft.

Outlook apparently sends sensitive data to Microsoft

Not every innovation has to be positive, and that may apply to the new Outlook. According to a report by Heise Online, Outlook sends not only emails but also various credentials to Microsoft. This includes the IMAP and SMTP credentials of accounts hosted elsewhere.

IMAP stands for "Internet Message Access Protocol"; the mail client uses it to access the mailbox on the server and to keep the mail folders synchronized between server and client. SMTP stands for "Simple Mail Transfer Protocol" and is used to send email. When switching to the new Outlook, the IMAP and SMTP credentials are said to be transmitted to Microsoft. TECHBOOK tested this and added a GMX email address (IMAP account) to Outlook, i.e. an address that does not belong to Microsoft. The following notice then appeared:

After adding a non-Microsoft mail account to Outlook, a notice appears; the account is then synchronized. Photo: TECHBOOK.de

According to this notice, contacts and events from the IMAP account (here GMX) are not synchronized with Microsoft, but emails are. Microsoft itself states in a support article that Gmail, Yahoo, iCloud and IMAP accounts are connected to the Microsoft cloud when added to Outlook. Heise Online also found that when the account was set up, the target server, login name and password were transmitted to Microsoft's servers inside a TLS tunnel in plain text. TLS only protects the data on the wire against third parties; Microsoft, as the other end of the tunnel, sees the password in readable form.
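One practical consequence of the behaviour described above: if a third-party mailbox is synchronized from Microsoft's side, the mail provider's IMAP server will see successful logins with the user's credentials from addresses other than the user's own devices. The following script, an added example that is not part of the TECHBOOK or Heise Online reports, parses authentication lines in Dovecot's default imap-login log format and flags logins whose source address lies outside a per-user allowlist of known client networks. The log lines are constructed samples, the allowlist and user names are hypothetical, and the script deliberately does not hard-code any Microsoft address ranges: an unexpected source only shows that something other than the user's known devices authenticated with the password, not who it was.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in Dovecot's default "imap-login: Login:" format.
# Addresses are from documentation ranges; nothing here is real log data.
SAMPLE_LOG = """\
Nov 17 10:02:11 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.25, lip=198.51.100.10, mpid=4711, TLS, session=<abc1>
Nov 17 10:05:40 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.25, lip=198.51.100.10, mpid=4712, TLS, session=<abc2>
Nov 17 10:06:02 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.10, mpid=4713, TLS, session=<abc3>
Nov 17 10:06:30 mail dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.80, lip=198.51.100.10, mpid=4714, TLS, session=<abc4>
Nov 17 10:09:15 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.78, lip=198.51.100.10, mpid=4715, TLS, session=<abc5>
"""

# Matches only successful logins; failed attempts are logged differently and are ignored here.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>, method=(?P<method>\S+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+),"
)

# Hypothetical allowlist: the networks from which each user's own devices normally log in.
# In practice this would come from an asset inventory or the user's previous login history.
KNOWN_CLIENT_NETWORKS = {
    "alice@example.org": [ipaddress.ip_network("203.0.113.0/24")],
    "bob@example.org": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_logins(text):
    """Extract (user, auth method, remote IP) from every successful IMAP login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append((m["user"], m["method"], ipaddress.ip_address(m["rip"])))
    return events


def find_unexpected_logins(text, known=KNOWN_CLIENT_NETWORKS):
    """Return {user: sorted remote IPs} for successful logins whose source address is
    outside the user's known client networks. A user with no allowlist entry has every
    login flagged, which is the conservative choice for an audit."""
    hits = defaultdict(set)
    for user, _method, rip in parse_logins(text):
        if not any(rip in net for net in known.get(user, [])):
            hits[user].add(str(rip))
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in find_unexpected_logins(SAMPLE_LOG).items():
        print(f"{user}: successful IMAP logins from unexpected sources: {', '.join(ips)}")
```

Run against real Dovecot logs, a hit for a user who has just added the account to the new Outlook is exactly the signal the reports describe: the password is being used from somewhere other than the user's client. Rotating the password and removing the account from Outlook is the corresponding response.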

Federal authorities get involved

After the reports, even the federal data protection authority, more precisely the Federal Commissioner for Data Protection and Freedom of Information (BfDI), got involved via Mastodon and wrote the following on the BfDI's official Mastodon server "social.bund.de": "The reports about suspected data collection by MS via Outlook are alarming. We will be asking the Irish data protection supervisors who are legally responsible for a report at the meeting of the European data protection supervisory authorities on Tuesday."

Users give bad reviews

In the Microsoft Store, the new Outlook is touted as a "first-class email experience". A look at the reviews, however, quickly shows that users are not particularly satisfied: the app is rated only 2.9 out of 5 stars. Admittedly, the new application has only just over 600 reviews so far. Still, poor reviews at the launch of the new Outlook are not a good sign.

This is what Microsoft says about the allegations

TECHBOOK contacted Microsoft and asked for a statement. Asked why Microsoft collects this data in the new Outlook, the company replied: "The purpose is to provide a consistent experience for all accounts added in Outlook. The IMAP configuration details are used to synchronize emails between the IMAP server and the Microsoft supported mailbox, and the SMTP configuration details are used for sending emails from the client to the server."

TECHBOOK also wanted to know whether Microsoft will in future have full access to all emails and could then read and evaluate them. The company replied: "The token is stored in the user's mailbox and is encrypted. Only the users themselves and the Microsoft services that interact with the mailbox to retrieve the data have access to this token. This means that Microsoft does not have access to the plain text password."

The last answer is surprising, however, since the Heise Online report mentioned above showed, among other things, the password in plain text inside the request to Microsoft. The statement is also hard to reconcile with Microsoft's own explanation: if Microsoft's services synchronize the mailbox with the third-party IMAP server, those services must be able to present the user's password to that server in usable form, regardless of how it is stored at rest. Technical reasons are cited for Microsoft's approach, but for users it remains difficult to understand.
