Don’t use “Outlook (new)” in #Windows 11. I just did a tcpdump and looked also at my #mail servers when setting up an account in there. The mail client only spoke with Microsoft-servers, never with my mail-servers and I saw on my mail-servers only connections from Microsoft-IPs.
Microsoft lays hands on login data: Beware of the new Outlook

The free new Outlook replaces Mail in Windows, and later also the classic Outlook. It sends secret credentials to Microsoft servers.

heise online

@nielsk I noped out of there as soon as I saw the notification that they would be syncing my data to their ~cloud~

I didn't even realize it included passwords too. That's even worse than I thought.

@nielsk That's not exactly new. Outlook started uploading mailboxes to their cloud service for POP3 and IMAP4 accounts 8 or 9 years ago. About the time when I stopped using it. Thank you for reminding people about it!
@nielsk my understanding from when this first blew up was that MS stores your mail on their servers after picking it up from your mail server. What a nightmare.
@nielsk So would it make sense to block MS on submission and IMAP ports? What legitimate business could they have?
@unixtippse If your users use the new Outlook, which will replace Windows Mail, you can’t block them.
@nielsk You haven't tested whether it falls back to direct communication, though, have you?
@unixtippse No, I didn’t. I just had a support team member telling me that Outlook didn’t work and if we can make it work (it worked for him after a reboot) and that’s why I did what I did.
@nielsk @unixtippse yes you can. And should.
@js @unixtippse Well, I operate a mail-platform for external users. I can’t do that because the support-team will kill me.
@nielsk @unixtippse Well, I’d say it’s not up to you to break your spine to create workarounds for broken-by-design end user software. They have plenty of working clients to choose from.
@js @nielsk @unixtippse That's literally what a support engineer's job is lol
@nielsk @unixtippse I think from a security point of view, it's better when it doesn't work. More than that, every time your server sees a user successfully log in from a Microsoft IP, it should reset (or disable) that user's password, since you have to assume it's compromised.
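The server-side check proposed in the post above (flag any account that logs in successfully from the proxying provider's address space and treat that credential as compromised), which is also the kind of mail-server log check the opening post describes, as an added example that is not part of this thread. It is a small Python script over Dovecot-style login lines; the log lines are constructed for the example, and the TEST-NET documentation ranges stand in for the provider's real address ranges, which are an input you would have to source yourself. The reset itself is emitted as a planned action rather than executed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed address list: TEST-NET / documentation ranges stand in for the
# proxying provider's real ranges, which you must supply from your own data.
PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:ff00::/40"),
]

# Matches successful Dovecot imap-login / pop3-login "Login:" records only.
# Failed attempts ("Disconnected (auth failed ...)") are deliberately ignored,
# because the rule is about *successful* logins from the proxy ranges.
LOGIN_RE = re.compile(
    r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def is_proxy_ip(ip_text):
    """True if the remote IP falls inside one of the configured proxy ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PROXY_RANGES)


def flag_proxied_logins(lines):
    """Return {user: sorted list of proxy IPs} for every successful login
    whose remote address (rip=) is inside PROXY_RANGES."""
    hits = defaultdict(set)
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        try:
            if is_proxy_ip(m.group("rip")):
                hits[m.group("user")].add(m.group("rip"))
        except ValueError:
            # Malformed address in the log line: skip it rather than crash.
            continue
    return {user: sorted(ips) for user, ips in hits.items()}


def planned_actions(flagged):
    """Turn the flagged accounts into the action the post proposes: the
    credential is assumed compromised, so reset (or disable) the password."""
    return [
        f"reset-password {user}  # seen from {', '.join(ips)}"
        for user, ips in sorted(flagged.items())
    ]


# Constructed sample log in Dovecot's default syslog line format.
SAMPLE_LOG = [
    "Mar  3 09:12:01 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, mpid=4107, TLS",
    "Mar  3 09:12:07 mx dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, mpid=4110, TLS",
    "Mar  3 09:13:44 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.org>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.10, TLS",
    "Mar  3 09:15:02 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=2001:db8:ff12::5, lip=2001:db8::10, mpid=4122, TLS",
    "Mar  3 09:16:30 mx dovecot: pop3-login: Login: user=<carol@example.org>, method=PLAIN, rip=203.0.113.200, lip=198.51.100.10, mpid=4130, TLS",
]

if __name__ == "__main__":
    for action in planned_actions(flag_proxied_logins(SAMPLE_LOG)):
        print(action)
```

Run against a real log, bob is left alone because his login came from outside the ranges, the failed attempt for carol from a proxy address is not counted, and alice and carol are reported with the addresses that triggered the rule. Whether the resulting action is a forced reset or a temporary disable is a policy choice; the script only produces the list.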

@unixtippse @nielsk

It sounds like they proxy all the connections so all the mail passes through their servers. I wonder how long they keep it? I guess everyone’s emails become grist for AI.

I wonder what their terms of service say about that?

@railmeat @unixtippse I dunno. But it is more or less the same as what they do with the mobile Outlook clients.

@nielsk @unixtippse

I guess that is the world we live in now. Not really my preference.

Yet another reason to move my computing to self hosted and possibly Linux.

@railmeat @nielsk @unixtippse If we don't stop companies from implementing toxic business culture, it will get worse. Someday we will live in a world we don't really want to live in. We will no longer own anything, not even our data.
Too many people don't care and even defend these companies.

@mrcool @railmeat @nielsk @unixtippse

Agreed, except for the word 'someday'.

It will get worse for sure, but that's already the world we live in.

@Tom @railmeat @nielsk @unixtippse You are right. Even I can see how I'm slowly getting used to it. And that's how it will continue. Small steps, so that people don't realize that their rights and their data are gradually being taken away from them.

@mrcool

Too late! We already gave up our entire life to them.
Sadly, this is true.

@mrcool @railmeat @nielsk @unixtippse With M$, Google, Meta, AWS basically in charge of at least a large part of the Internet we can quietly already wonder how far we are on our way to a World like that.

And too many companies, and especially governments, are still quietly moving our personal data into the hands of these companies.

Certainly anyone working in an administrative position in government can work perfectly with a Linux-based computer, but all they want is Windows...

@railmeat if you have time, bandwidth and money, I would highly recommend self-hosting, I've learnt loads by doing it!

@railmeat @unixtippse @nielsk

It's documented that they store the credentials to the mail servers in cleartext on their servers and fetch the mails there. It's a shitty design.

@seism0saurus @unixtippse @nielsk

Credentials in plain text? I thought we got past that in the '90s.

Where is that documented?

@railmeat @unixtippse @nielsk

Otherwise they can't access your mail servers.
I'm not sure if the data at rest is unencrypted, but at least it is reversible since they need it for login to your mail servers.
It is definitely not a standard like bcrypt or scrypt, where the credentials are secured by a one-way function.

https://www.heise.de/en/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9608798.html

@railmeat @unixtippse @nielsk 25 years ago this would have been treated as felony wiretapping.
@AstaMcCarthy @railmeat @unixtippse @nielsk By the letter of the law, yes, but norms have gone to hell and nobody will prosecute.

@dalias @unixtippse @nielsk

It would be great if someone prosecuted them.

I would guess users agree to it in the terms of service. But who knows, no one has time to read that.

@unixtippse @nielsk why not stop using it altogether instead of going all out sadomaso just to use their crappy software?
@unixtippse @nielsk No legitimate interests at all, but I guess they use the data to feed their AI crap.
@nielsk That is one of the grave faults of Outlook. One other critical one I've found is that people are still using it⸮
@nielsk If I remember correctly I saw a setting before asking if I want to sync third-party mail to their cloud… maybe they turned that ON by default
@nielsk I've seen this behavior in Outlook 2019 as well. With some new accounts (don't know what triggers this behavior) every traffic for external IMAP accounts goes through Microsoft. It was luck to see that, as some clients couldn't establish a connection and others could. Completely random.
@nielsk Century Link requires ISP users to use their outgoing e-mail server so they can monitor your traffic and content. They allow other incoming e-mail servers. AT&T is worse. They limit what domain names users can send or receive through their e-mail servers. I can't send or receive e-mail from my own domain name and website host. I have to wait for when wifi is available.
@wsrphoto @nielsk Blocking outbound port 25 is pretty common, since a lot of spam originates from infected end-user computers. Use the submission (587) or SMTPS (465) port when sending mail, those should be open (because they only work with encryption and authentication).
@jernej__s @nielsk Thanks. Century Link monitors users' volume, domain names and content on all ports. Twice I've had my account locked because another user sent spam with my e-mail address. It took a week to get them to check and correct things, and unlock my account. Except for cable there are no options for companies since they have a monopoly as telephone service provider.
@nielsk Same for Outlook for Android.
@nielsk Yep, spy-ware, and great fun when you only have locally accessible mail servers.

@nielsk

My rule of thumb is: if it's Microsoft, don't use it.

@nielsk @[email protected] Google and Microsoft. Nothing good comes out of them.
When it comes to security, Microsoft is just a joke atm.
@nielsk Classic MITM attack (Microsoft In The Middle)
@nielsk
I would personally advise not to use Windows and other Microsoft Products at all if you can.
@nielsk Outlook Mobile has been doing this for at least half a decade now. It's why we banned it at $BigTechCompany where I used to work.
@nielsk This can be extended to don't use Outlook (any), and don't use Windows 11. I appreciate many folks have no choice.
I'm not some militant anti-MS nutter though: Word v6 through to Office XP was excellent, and I still like Windows 10 when I have to run things that aren't available in other environments.
This redirecting of your mail traffic is just nasty though, means your server creds have been exported (along with all your email, obvs).
@nielsk @pluralistic holy shit that is monstrous.
@nielsk Not being able to open .PST files is a sufficient reason to not use it.
Also it barely works as an email client and is missing most of Outlook's features (including obscure things like dragging and dropping). I'm astonished that anyone at Microsoft willingly put this thing out into the world.
@nielsk Have not used Outlook since they told me they lost my password, I won't be at the office today or the next or the ones after365
@nielsk What does this mean? Break it down for me, your friendly neighborhood layperson
@condalmo “Outlook (new)” will replace Windows Mail. When you use Outlook (new), you give Microsoft access to your mail account and they store your credentials incl. your password and mails on their servers, even if you are not using them as your e-mail provider but a totally different mail provider. It is the same for the Outlook client on iOS, Android and macOS.
@nielsk @condalmo To be nit-picky it's more likely they are storing an oauth2 token as most email providers aren't using raw passwords anymore as those aren't compatible with SSO or MFA. The "new" Outlook is basically a packaged PWA of the outlook.office.com webapp, in which it is maybe more obvious that the integration is server-side. I'm not sure they are trying to hide how it works, but they are probably looking to shove all that text into an LLM like every other asshole running a service.
@raven667 @nielsk @condalmo

To be nit-picky

> most email providers aren't using raw passwords anymore

I strongly doubt you have any valid statistics on this "most". There are many, many small providers out there. None of the e-mail providers I'm aware of (not counting the huge oligopolists) is using SSO or MFA for e-mail.

Thus this assumption does not hold:

> it's more likely they are storing an oauth2 token