<html><head></head><body><div>Hi Graham</div><div><br></div><div>I am highly cynical about this, I realise, but I find it saves time. With that in mind ...</div><div><br></div><div>This was discussed fairly extensively a few years ago when Outlook Mobile became the "Microsoft-offered/preferred" mobile client. I suspect that for most organisations who knew about it and actively considered it, the risk analysis included "Well, we already bent over ... er ... I mean, 'offloaded authentication to Azure' for Office 365, my corporate credentials and email are already stored by a company beholden to the PATRIOT Act etc, so what's one more case of credentials stored blindly in the cloud - MS swear it's the only/best way to do it and they must know what they're talking about".</div><div><br></div><div>I decided back then I would let my employer decide that was OK for their stuff, but for my own use I have a different Android client (which supports all the Office 365 functionality anyway including MFA, so Microsoft's justifications are hollow). Most of these "decisions" on clients seem to be made by people on the basis of "ooh shiny", at least within SMEs. I'm sure the ADF wouldn't be using Mobile Outlook on this basis, right?</div><div><br></div><div>Anyway, for organisations, there's also some value in being able to use Azure functionality to lock down mail to their own choice of client and managed device, so when it's lost or the employee leaves, company IP can be wiped (and they "know" it works). Those who know about the credential caching/storage have their concerns dismissed, and their successors have a harder time arguing for an alternative, too, since Outlook is already in place. And since MS hasn't enabled on-premises platforms for modern needs like MFA and modern authentication, and is actively trying to make rentals the only available option, I doubt the situation will improve.</div><div><br></div><div>Dave.</div><div><span><pre><span style="color: rgb(31, 73, 125); font-size: medium;">--</span></pre><div><div><span style="font-size: medium; color: rgb(31, 73, 125);">David Rawling - Principal Consultant<br></span><span style="font-size: medium; color: rgb(31, 73, 125);"><br></span><span style="font-size: medium; color: rgb(31, 73, 125);">t: +61 41 213 5513 | e: <a href="mailto:djr@pdconsec.net" title="Click to mail djr@pdconsec.net" style="color: purple;"><span style="color: rgb(31, 73, 125);">djr@pdconsec.net</span></a></span><span style="font-size: medium; color: rgb(31, 73, 125);"><br></span><font size="2"><span style="color: rgb(31, 73, 125);"><br></span><span style="color: rgb(31, 73, 125);">Please note that whilst we take all care, neither PD Consulting and Security nor the sender accepts any responsibility for viruses and it is your responsibility to scan for viruses. The contents are intended only for use by the addressee and may contain confidential and/or privileged material. If you received this in error, we request that you please inform the sender and/or addressee immediately and delete the material.</span></font></div></div></span></div><div><br></div><div>On Fri, 2021-12-17 at 15:42 +1000, Graham Maltby wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Thanks everyone for the confirmation.<br></div><div><br></div><div>The process does not appear to have changed at all from what has been <br></div><div>described; still storing credentials and all the mail they can slurp. I <br></div><div>have never liked or used Outlook in any of it's various incarnations so <br></div><div>I've had little exposure to this.<br></div><div><br></div><div>I am somewhat surprised that this is not more well reported in <br></div><div>mainstream media. If any other app so blatantly stole your data and <br></div><div>shipped it off overseas, it would be all over the press as this should <br></div><div>be. But Microsoft, like a number of others, are big enough to get away <br></div><div>with this.<br></div><div><br></div><div>Cheers,<br></div><div>Graham<br></div><div><br></div><div><br></div><div><br></div><div>On 17/12/21 14:01, Philip Loenneker wrote:<br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hi Graham,<br></div><div><br></div><div>I don't know if this is still the case, but the original "Outlook" app for mobiles saved your credentials on a server and downloaded to there, then synced it down to your device. I think they did that so they could do things like push notifications when you get an email, which doesn't work if it runs locally and the app isn't allowed to run in the background. That was before Microsoft bought the app, but I haven't looked at it at all since then.<br></div><div><br></div><div>Where I was working at the time, we were justifiably concerned by this "feature", advised everybody to not use it, and blocked it from working on the corporate Internet service.<br></div><div><br></div><div>It is possible that it operates differently now, but from what you described, it sounds like they still do the same thing.<br></div><div><br></div><div>This rather old blog post discusses some of the security concerns, but it's from 2015 and may be completely irrelevant now.<br></div><div><a href="https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/">https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/</a><br></div><div><br></div><div>Regards,<br></div><div>Philip Loenneker| Senior Network Engineer<br></div><div>TasmaNet | Vastnet | Netmode<br></div><div><br></div><div>-----Original Message-----<br></div><div>From: AusNOG <<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>> On Behalf Of Graham Maltby<br></div><div>Sent: Friday, 17 December 2021 2:35 PM<br></div><div>To: <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br></div><div>Subject: [AusNOG] Outlook Mobile (OT)<br></div><div>Importance: Low<br></div><div><br></div><div>Afternoon all,<br></div><div><br></div><div>While attempting to sort out some autodiscover / activesync processes last night, I installed Outlook on my mobile (current Android version from the Play Store). Setup and an account and logged in.<br></div><div><br></div><div>To my dismay, I find my phone is not connecting over the LAN to the server 4m away but instead a server in Seoul, South Korea is connecting and downloading my mail instead. Aside from the woeful performance, it raises a lot of concerns with privacy, security and data sovereignty.<br></div><div>The most annoying part (if that was not sufficient), is that 14 hours after deleting the account from "all devices" and uninstalling the app, the server is still logging in and collecting mail now (or was until I changed the password).<br></div><div><br></div><div>Is this common knowledge I have just missed all these years?<br></div><div><br></div><div>Is there a reason the media are not making noise about this?<br></div><div><br></div><div>Does nobody care because it's pretty?<br></div><div><br></div><div><br></div><div>I have very low expectations when it comes to Microsoft but this poor by any measure.<br></div><div><br></div><div>Graham<br></div><div><br></div><div>_______________________________________________<br></div><div>AusNOG mailing list<br></div><div><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br></div><div><a href="https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Cc78698f33b944aa750c408d9c10e5b4c%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753089685219848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4mr8ny9ODSiKpYpshRZ0eVceTabA95bJbmfw7qhk0KI%3D&reserved=0">https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Cc78698f33b944aa750c408d9c10e5b4c%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753089685219848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4mr8ny9ODSiKpYpshRZ0eVceTabA95bJbmfw7qhk0KI%3D&reserved=0</a><br></div></blockquote><div><br></div><div>_______________________________________________<br></div><div>AusNOG mailing list<br></div><div><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br></div><div><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br></div></blockquote></body></html>