Shock and Horror About How the New Outlook Synchronizes User Data

Storm in a Teacup as the New Outlook Appears

There’s a lot of fuss and bother about the new Outlook client (aka Monarch) caused by an article in a German website that begins with the assertion that “The new free Outlook … sends secret credentials to Microsoft.” Quelle surprise! It goes on to say “But beware: If you try the new Outlook, you risk transferring your IMAP and SMTP access data to mail accounts as well as all mails to Microsoft servers.” The author concludes that synchronization (which is what happens) of email and credentials “allows Microsoft to read the mails.”

The new Outlook causes some concern
Figure 1: The new Outlook causes some concern

I fear that the article falls firmly into the category of hysterical clickbait. However, its assertions will cause worry and concern for people who don’t fancy the idea of transferring information to the cloud where the cloud provider might possibly access their data. This hasn’t worried the hundreds of millions of people who use Gmail or the 400 million users of Office 365, but I can understand the concerns expressed by others.

Sending Plain Text Credentials

The author is very upset that Microsoft stores IMAP4 and SMTP credentials for user accounts (I’m pretty sure that this happens for POP3 too). Outlook sends these plain-text credentials over a TLS connection. I guess Microsoft could enforce some form of modern authentication with Monarch, but that requires the mail servers it connects with to support modern authentication, and that’s not going to happen for most IMAP4 and POP3 connections. So credentials must be plain text to allow Outlook to connect to the servers that host user accounts (Outlook does use OAuth2 to connect to Google accounts, and uses that access to synchronize data from those accounts).

Synchronization of User Data in Azure

The author is also upset that Microsoft synchronizes user email data to Azure. This is the same mechanism as Outlook mobile has used since Microsoft moved from the AWS-based infrastructure used by the original Acompli client (bought by Microsoft in 2014) to Azure in 2018. Data is held in special forms of mailboxes that cannot be accessed by normal email clients and it’s stored like this to make functions like search and the focused inbox work.

If Outlook did not synchronize email, contacts, and calendar items to Azure, the client would be limited to whatever features are supported by IMAP4, an obsolete email access protocol that only persists because the standards community has not developed a replacement. Moving copies of items to Azure allows background processes to make the data more like the information retrieved from a full-blown Exchange Online server. If you want, massaging the data makes it possible for Outlook to work with the data as if it came from Exchange.

The New Outlook is a Better Client

The mail client is part of Windows and has changed dramatically as Windows evolved. Few would want to go back to Outlook Express at this point. The latest change benefits users because they get more feature and a better client. Microsoft also gains through reduced engineering expenses by eliminating a client from its mix of mail clients. Comparing the old Windows mail client to Outlook is like comparing the default mail client on a smartphone to Outlook mobile. Both will do the basics of sending and receiving email, but Outlook mobile does much more besides.

It’s reasonable to be concerned about the storage of email data but people do have a choice. To get the additional functionality (see the list of features enabled by synchronization), they can use the new Outlook. On the other hand, if they fear that Microsoft might compromise their information (an infinitesimal and highly unlikely occurrence) they can use another client. This is called user choice.

Other Clients Available

The simple solution for those unhappy about the way the new Outlook works is to seek an alternative. Fortunately, many other free email clients are available, such as the well-respected Thunderbird IMAP4 client. The latest versions of the Thunderbird client support OAuth2 connections, including to Exchange Online, proving that not all IMAP4 connections depend on plain-text credentials.

The combination of server and client create a secure connection. Perhaps people should worry more if the server hosting their mailbox still uses basic authentication and clients send plain-text credentials to the server. In this situation, accounts are more likely to be compromised by attack techniques such as password sprays. I’d be a lot more worried about compromise of accounts on servers that use basic authentication than attackers gaining access to email data stored in Azure.

To me, this is a storm in a teacup. Once people think through how and why Microsoft synchronizes email data to make the new Outlook work better, I think they’ll be OK with the mechanism used. I’ve never worried about the processing of email data for mobile Outlook and I doubt that it’ll cause me any concern for Monarch.

2 Replies to “Shock and Horror About How the New Outlook Synchronizes User Data”

  1. Hi Tony,

    thank you for this helpful article!
    But here in Germany we see this a bit different:
    Microsoft could have at least communicated that change better – as one cannot “expect” this change in behaviour for the new Outlook-client – so that he/she has at least a chance to perform an educated decision (for maybe one of the alternatives you mentioned)…
    This doesn’t help Microsoft’s reputation and is just unnecessary.

    (Heise / c’t has a quite good reputation here, although they’re sometimes very critical of Microsoft)

    1. Microsoft communicated their intention of replacing the old Windows mail client with the new Outlook a long time ago. They did not say explicitly that the new Outlook would synchronize data to Azure, but that’s been happening since 2018 for other Outlook clients. People can choose whether to use the free client provided in Windows or another client that they find elsewhere. That’s perfectly reasonable, but creating a huge fuss that makes it out that Microsoft is copying data for some nefarious reason is hardly professional coverage of a technical issue. It’s a good example of highlighting a detail to make it out to be something that it absolutely isn’t, and that’s why I have a difficulty with the coverage.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.