Microsoft is going to deploy the “New Outlook” with the Windows February security update. Why is Microsoft going to deploy an application with an OS security update?
Because the “New Outlook” gives Microsoft full access to your email, whatever email service you are using.
“New Outlook” is not a full email client. It doesn’t “speak” SMTP, IMAP or POP. It’s just a web front-end to a remote server, a Microsoft remote server. Little more than a webmail application. Emails aren’t stored and managed locally (maybe some cache, not the full mailbox), but are stored and managed on Microsoft servers.
Therefore, even if you are not using Microsoft “cloud” e-mail (like outlook.com, Microsoft 365 mail servers), your emails are downloaded first to Microsoft servers to be read by “New Outlook”, and are routed through Microsoft servers before being sent by your email server. Microsoft servers keep a copy of all your emails. Existing mailboxes are synced the first time you use the “New Outlook”.
To achieve that when you are not using a Microsoft service (e.g. GMail, your ISP email, your company or your personal email server), “New Outlook” transfers your mail credentials to Microsoft, which of course has to receive them in plain text and then store them using reversible encryption.
You read that right. Microsoft asserts its right to take control of your email credentials, so it can access your mailboxes to read emails and send through your email server. A huge man-in-the-middle attack. How well that plays with security, antitrust rules, policies, FISA and the CLOUD Act, you can guess.
Still, it is using a security update to force that application on all Windows users. Most users are worried that “New Outlook” is much inferior to the “Classic” one. This is true, in many respects.
But that’s not its worst feature. The worst one is obviously that you lose control of your e-mail. Microsoft can read everything you receive and send, and can also impersonate you. It has your credentials. A security breach may mean hundreds of millions of credentials may be stolen, and the mailboxes too! Microsoft has already shown how insecure some of its systems are. Is this a security update? Really??
Are you using (and maybe paying for) the likes of Proton Mail in the hope of a more private and secure email server? As soon as you use “New Outlook” and don’t understand how it works, your privacy and security are gone.
Is your company using its own mail server for security and regulatory/legal reasons? As soon as users start to access it through the “New Outlook”, all emails end up in the hands of Microsoft, on servers wherever Microsoft likes.
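One way a mail administrator could notice this in their own logs, as an added example that is not part of the original post: when a mailbox is synced by a provider's servers instead of the user's machine, the successful IMAP logins come from the provider's address space. The Dovecot-style log lines below are constructed, and the 203.0.113.0/24 range is a documentation placeholder, not an actual Microsoft range.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: placeholder range (RFC 5737 documentation space). Replace with the
# address ranges your own policy treats as third-party sync relays.
RELAY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Dovecot "imap-login: Login:" line; only user and rip (remote IP) are needed.
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?\brip=([0-9a-fA-F.:]+)")

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
Feb 10 08:01:12 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=4101, TLS, session=<a1>
Feb 10 08:05:40 mx dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, mpid=4102, TLS, session=<b1>
Feb 10 08:05:41 mx dovecot: imap-login: Login: user=<Bob@example.org>, method=PLAIN, rip=203.0.113.78, lip=192.0.2.10, mpid=4103, TLS, session=<b2>
Feb 10 08:09:02 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<carol@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
Feb 10 08:11:30 mx dovecot: imap-login: Login: user=<dave@example.org>, method=PLAIN, rip=999.1.1.1, lip=192.0.2.10, mpid=4104, TLS
"""


def relayed_logins(log_text, relay_networks=RELAY_NETWORKS):
    """Return {user: sorted relay IPs} for successful IMAP logins whose
    source address falls inside one of relay_networks."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines
        user, rip = m.groups()
        try:
            addr = ipaddress.ip_address(rip)
        except ValueError:
            continue  # malformed address in the log; skip rather than crash
        if any(addr in net for net in relay_networks):
            hits[user.lower()].add(str(addr))  # mailbox names compared case-insensitively
    return {u: sorted(ips) for u, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in relayed_logins(SAMPLE_LOG).items():
        print(f"{user}: mailbox opened from relay addresses {', '.join(ips)}")
```
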
I didn’t see privacy authorities around the world expressing public concern and putting Microsoft under scrutiny for this blatant attack on users’ privacy and security. Moreover, the way Microsoft asks for users’ consent is far below what regulations like GDPR require for “informed consent”.
How was this approved? This shows Nadella has no shame, and his full Brahmin contempt for those he believes are inferiors. They have no rights, and his right to make easy money allows him and Microsoft to do whatever he likes, to please shareholders only. Probably this is just a plan to find a cheap, useful source to train AI, but evidently it has very broad privacy and security impacts. Cory Doctorow’s “enshittification” at its best.
Probably Nadella is also trying hard to cut development costs (it’s clear in Windows and Office) and transfer it where less skilled developers cost less (his native India, probably), without understanding that once he has killed Windows/Office, Azure just becomes one cloud like the other ones. A clear demonstration of avidity and stupidity, even if it brings money now. My main reason to have an Office license is Outlook, the only application I use daily. Word/Excel/PowerPoint are not my daily tools. Once Outlook is replaced fully, I can replace Office as well. And then the only application that requires Windows for me is Lightroom… my servers already run on Linux, and the remote ones in a non-Microsoft “cloud”.
My advice: stay away from the “New Outlook”, unless you’re already using Microsoft servers.