As discovered last week, "New Outlook" (which is currently getting rolled out via Windows Update), when you add an IMAP mail account, sends your account credentials including the password in cleartext to Microsoft, without asking for informed user consent.
German c't magazine, which first discovered and reported this, has now got a reply from Microsoft, in which they awkwardly deflect on the question of stealing IMAP credentials. They claim that synchronisation is done for a "consistent user experience", but do not acknowledge sending the user's IMAP credentials to the cloud. But c't magazine has proven and can reproduce that once they set up an IMAP account locally, Microsoft servers in the UK suddenly log into their IMAP server with those credentials.
Obviously under GDPR EU law all of this is illegal already. But on top of this it is now proven they are storing users' IMAP credentials on servers outside of the EU (UK).
Deepl translation (which is much better than the Google one):
NEW OUTLOOK: MICROSOFT TAKES A STAND ON THE TRANSFER OF ACCESS DATA
WHEN ASKED, MICROSOFT HAS NOW EXPLAINED WHY THE NEW OUTLOOK TRANSFERS ACCESS DATA TO MICROSOFT SERVERS AND COPIES EMAILS THERE.
From Dirk Knop
The new Outlook app, which is to replace Windows Mail, Windows Calendar and later Outlook from Office, sends access data to IMAP and SMTP servers to Microsoft cloud servers, which then mirror users' emails. The company has now responded to a query from c't and heise online.
Essentially, Microsoft points out that the new Outlook uses a notification to indicate that data synchronization is taking place and that details can be found in the Microsoft article that links to the notification. The manufacturer also explains the reasons why this data transfer is necessary.
MICROSOFT: DATA SYNCHRONIZATION FOR A CONSISTENT USER EXPERIENCE
Microsoft explains: "Synchronizing users' IMAP accounts helps deliver a consistent user experience for all accounts added to Outlook. This includes allowing mail search to mark emails as read or unread for added accounts". The functions are described in the aforementioned Microsoft article linked in the Outlook notification. However, it does not mention anything about the transfer and storage of access data.
Microsoft also replied cryptically: "We store access data for IMAP providers whose servers Microsoft contacts using the BasicAuth method as user tokens in encrypted form in the user's mailbox". Behind BasicAuth is the insecure login with user name and password in HTTP, an unusual description for IMAP logins. Ultimately, this means that the access data for IMAP providers is stored in encrypted form at Microsoft.
"For email providers that support OAuth (Gmail and Yahoo Mail), we never get access to user credentials because the service receives an OAuth token from the client. This means that Microsoft does not have access to the plain text password," the company added to heise online, "only the users and the Microsoft service that interacts with the target servers have access to these tokens."
Image: "Log excerpt from the IMAP server that Microsoft's cloud servers contact"
Microsoft's cloud servers contact our IMAP server. The Microsoft service uses the user name and password - transmitted in the protected "TLS tunnel", of course.
It should be noted that Microsoft's service belongs to Microsoft and decrypts the token with the IMAP access data in order to use it for full access. We were also able to verify this on our IMAP server, which the Microsoft cloud server, probably based in London, had contacted and logged in with a user name and password. The IPs 52.98.204.101 and 52.98.207.109 belong to the Outlook365 IP range. Microsoft has the log-in data, can use it and does so. However, there is still no indication of this anywhere, only the vague message that data is being synchronized.
NO AUTOMATIC DATA IMPORT
"Users of the new Outlook app for Windows can choose whether to import accounts from classic Outlook when they select 'Test the new Outlook'," explains the company. For each imported Gmail, Yahoo Mail, iCloud or IMAP account, users will be prompted and must choose to synchronize the data with the Microsoft Cloud to continue. "Users who do not want to use their accounts with the Microsoft Cloud can cancel and switch back to classic Outlook. The 'switch to cloud synchronization' is therefore not automatic, users must choose whether they want to add these accounts," Microsoft explains further.
In response to the question of whether this means that all data will run through Microsoft's cloud and the manufacturer will collect all access data, Microsoft replied: "This information will be stored as long as users actively use the email client. If there is inactivity, the access data will be removed in accordance with the Account Lifecycle Process. Users also have the option to request removal of the data (including credentials) upon request by deleting the account and selecting the "Remove from all devices" option".
OUR ASSESSMENT
There may be technical reasons why Microsoft relies on copying and saving access data and emails from other providers. However, in its current form, this is hardly comprehensible for users. This is also shown by the reactions, which prove that many people are not even aware that the new Outlook transfers access data to Microsoft and actually copies emails to its cloud servers. This is likely to come as a particular surprise to users who set up Outlook without a Microsoft account, because even then Microsoft copies the emails to its cloud.
https://www-heise-de.translate.goog/news/Neues-Outlook-Micro...
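The c't verification above boils down to one check mail-server operators can run themselves: did a credential that was only ever typed into a local client start being used from a network you do not own? The following is an added example (not from the article or from heise/c't), a small Python script that parses Dovecot-style `imap-login` lines and reports successful logins from outside an allowlist of networks you expect your own clients to come from. The log lines are constructed for illustration (the article's real excerpt is only shown as an image); the two source IPs are the ones the article names, and the allowlist of "expected" networks is an assumption standing in for your own office, home or VPN ranges.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed Dovecot-style imap-login lines (sample data, not the article's log).
# The two 52.98.x.x source addresses are the ones c't reported as Microsoft cloud
# servers logging in with the user's own IMAP credentials.
SAMPLE_LOG = """\
Nov 14 09:02:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.23, lip=10.0.0.5, TLS, session=<aaa>
Nov 14 09:05:42 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=52.98.204.101, lip=10.0.0.5, TLS, session=<bbb>
Nov 14 09:06:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=52.98.207.109, lip=10.0.0.5, TLS, session=<ccc>
Nov 14 09:07:30 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.7, lip=10.0.0.5
Nov 14 09:10:15 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.44, lip=10.0.0.5, TLS, session=<ddd>
"""

# Assumed allowlist: networks your own users' clients legitimately connect from.
EXPECTED_CLIENT_NETWORKS = ["192.168.0.0/16", "198.51.100.0/24"]

# Only successful logins matter here; failed or disconnected attempts are skipped.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+)"
)


@dataclass(frozen=True)
class Login:
    user: str
    method: str
    rip: str  # remote (client) IP as logged by Dovecot


def parse_logins(log_text):
    """Extract successful IMAP logins (user, auth method, source IP) from log text."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append(Login(m.group("user"), m.group("method"), m.group("rip")))
    return logins


def unexpected_logins(logins, expected_networks):
    """Return logins whose source IP lies outside every allowlisted network."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    hits = []
    for login in logins:
        addr = ipaddress.ip_address(login.rip)
        if not any(addr in net for net in nets):
            hits.append(login)
    return hits


def report(log_text, expected_networks):
    """Map each user to the sorted list of unexpected source IPs that used their password."""
    grouped = defaultdict(set)
    for login in unexpected_logins(parse_logins(log_text), expected_networks):
        grouped[login.user].add(login.rip)
    return {user: sorted(ips) for user, ips in sorted(grouped.items())}


if __name__ == "__main__":
    # Constructed run: alice's credentials are seen from two third-party addresses.
    for user, ips in report(SAMPLE_LOG, EXPECTED_CLIENT_NETWORKS).items():
        print(f"{user}: password-based login from unexpected source(s): {', '.join(ips)}")
```

Running it on real logs is a matter of piping `journalctl -u dovecot` or the mail log into `parse_logins`; the useful signal is a user whose password-authenticated logins suddenly appear from a cloud provider's address space alongside their usual client, which is exactly the pattern c't observed after adding the account to the new Outlook. Note that the article states the logins arrived over TLS, so transport encryption does not distinguish them; only the source address and the fact that a third party holds the password do.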