Storm in a Teacup as the New Outlook Appears
There’s a lot of fuss and bother about the new Outlook client (aka Monarch) caused by an article on a German website that begins with the assertion that “The new free Outlook … sends secret credentials to Microsoft.” Quelle surprise! It goes on to say “But beware: If you try the new Outlook, you risk transferring your IMAP and SMTP access data to mail accounts as well as all mails to Microsoft servers.” The author concludes that synchronization (which is what happens) of email and credentials “allows Microsoft to read the mails.”
I fear that the article falls firmly into the category of hysterical clickbait. However, its assertions will cause worry and concern for people who don’t fancy the idea of transferring information to the cloud where the cloud provider might possibly access their data. This hasn’t worried the hundreds of millions of people who use Gmail or the 400 million users of Office 365, but I can understand the concerns expressed by others.
Sending Plain Text Credentials
The author is very upset that Microsoft stores IMAP4 and SMTP credentials for user accounts (I’m pretty sure that this happens for POP3 too). Outlook sends these plain-text credentials over a TLS connection. I guess Microsoft could enforce some form of modern authentication with Monarch, but that requires the mail servers it connects with to support modern authentication, and that’s not going to happen for most IMAP4 and POP3 connections. So credentials must be plain text to allow Outlook to connect to the servers that host user accounts (Outlook does use OAuth2 to connect to Google accounts, and uses that access to synchronize data from those accounts).
Synchronization of User Data in Azure
The author is also upset that Microsoft synchronizes user email data to Azure. This is the same mechanism as Outlook mobile has used since Microsoft moved from the AWS-based infrastructure used by the original Acompli client (bought by Microsoft in 2014) to Azure in 2018. Data is held in special forms of mailboxes that cannot be accessed by normal email clients and it’s stored like this to make functions like search and the focused inbox work.
If Outlook did not synchronize email, contacts, and calendar items to Azure, the client would be limited to whatever features are supported by IMAP4, an obsolete email access protocol that only persists because the standards community has not developed a replacement. Moving copies of items to Azure allows background processes to make the data more like the information retrieved from a full-blown Exchange Online server. In effect, massaging the data makes it possible for Outlook to work with the data as if it came from Exchange.
The New Outlook is a Better Client
The mail client is part of Windows and has changed dramatically as Windows evolved. Few would want to go back to Outlook Express at this point. The latest change benefits users because they get more features and a better client. Microsoft also gains through reduced engineering expenses by eliminating a client from its mix of mail clients. Comparing the old Windows mail client to Outlook is like comparing the default mail client on a smartphone to Outlook mobile. Both will do the basics of sending and receiving email, but Outlook mobile does much more besides.
It’s reasonable to be concerned about the storage of email data but people do have a choice. To get the additional functionality (see the list of features enabled by synchronization), they can use the new Outlook. On the other hand, if they fear that Microsoft might compromise their information (an infinitesimal and highly unlikely occurrence) they can use another client. This is called user choice.
Other Clients Available
The simple solution for those unhappy about the way the new Outlook works is to seek an alternative. Fortunately, many other free email clients are available, such as the well-respected Thunderbird IMAP4 client. The latest versions of the Thunderbird client support OAuth2 connections, including to Exchange Online, proving that not all IMAP4 connections depend on plain-text credentials.
The combination of server and client creates a secure connection. Perhaps people should worry more if the server hosting their mailbox still uses basic authentication and clients send plain-text credentials to the server. In this situation, accounts are more likely to be compromised by attack techniques such as password sprays. I’d be a lot more worried about compromise of accounts on servers that use basic authentication than attackers gaining access to email data stored in Azure.
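The two passages above (plain-text IMAP4 credentials versus OAuth2, and servers that still rely on basic authentication) come down to what a mail server advertises in its IMAP4 CAPABILITY response and what the client is willing to send back. The example below is added here and is not code from the article, from Microsoft, or from the Thunderbird project: it parses constructed CAPABILITY lines, picks the safest mechanism a client could use (OAUTHBEARER/XOAUTH2 first, a password only once TLS is up, never over a cleartext session), and labels the residual risk for a mailbox administrator. The sample server responses and the preference order are assumptions made for illustration.

```python
# Added example, not from the article: classify what an IMAP4 server offers
# by parsing its CAPABILITY response, the way a client decides between
# modern auth (AUTH=XOAUTH2 / AUTH=OAUTHBEARER) and a plain-text password.
import re

# Client preference order (an assumption for this example): bearer tokens
# first, then password mechanisms, which are only acceptable under TLS.
PREFERENCE = ("AUTH=OAUTHBEARER", "AUTH=XOAUTH2", "AUTH=PLAIN", "AUTH=LOGIN", "LOGIN")
TOKEN_MECHS = {"AUTH=OAUTHBEARER", "AUTH=XOAUTH2"}
PASSWORD_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN", "LOGIN"}

# Constructed sample responses; no real server was queried.
SAMPLES = {
    "legacy_cleartext": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE",
    "legacy_starttls": "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
    "modern": "* CAPABILITY IMAP4rev1 AUTH=XOAUTH2 AUTH=OAUTHBEARER LOGINDISABLED IDLE",
}


def parse_capabilities(line: str) -> set[str]:
    """Turn an untagged '* CAPABILITY ...' line into a set of upper-case tokens."""
    m = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    return {tok.upper() for tok in m.group(1).split()}


def choose_mechanism(caps: set[str], tls_established: bool):
    """Return the first acceptable mechanism, or None if only unsafe options remain."""
    for mech in PREFERENCE:
        if mech.startswith("AUTH=") and mech not in caps:
            continue                      # server does not offer it
        if mech == "LOGIN" and "LOGINDISABLED" in caps:
            continue                      # bare LOGIN command is refused pre-TLS
        if mech in PASSWORD_MECHS and not tls_established:
            continue                      # never send a password in the clear
        return mech
    return None


def assess(line: str, tls_established: bool) -> dict:
    """Summarise the authentication posture implied by one CAPABILITY line."""
    caps = parse_capabilities(line)
    mech = choose_mechanism(caps, tls_established)
    if mech in TOKEN_MECHS:
        verdict = "modern auth: no password leaves the client"
    elif mech is not None:
        verdict = ("basic auth over TLS: password protected on the wire, "
                   "but the account is still exposed to password spraying")
    elif "STARTTLS" in caps and not tls_established:
        verdict = "plaintext refused: issue STARTTLS, then re-read CAPABILITY"
    else:
        verdict = "plaintext refused: no TLS available, do not connect"
    return {
        "mechanism": mech,
        "modern_auth": bool(caps & TOKEN_MECHS),
        "password_auth_offered": bool(caps & PASSWORD_MECHS) or "LOGINDISABLED" not in caps,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        for tls in (False, True):
            result = assess(line, tls)
            print(f"{name:17} tls={tls!s:5} -> {result['mechanism']}: {result['verdict']}")
```

Running the block walks each constructed server through a cleartext and a TLS session: the legacy server yields no acceptable mechanism without TLS and only a password mechanism with it, the STARTTLS server is told to upgrade first, and only the modern server ever lets the client authenticate without a password. A Thunderbird-style client with OAuth2 support lands on AUTH=XOAUTH2 or AUTH=OAUTHBEARER exactly when the server advertises them, which is the point the article makes about Exchange Online.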
To me, this is a storm in a teacup. Once people think through how and why Microsoft synchronizes email data to make the new Outlook work better, I think they’ll be OK with the mechanism used. I’ve never worried about the processing of email data for mobile Outlook and I doubt that it’ll cause me any concern for Monarch.