[AusNOG] Outlook Mobile (OT)

David Rawling djr at pdconsec.net
Fri Dec 17 19:22:09 AEDT 2021

Hi Graham

I am highly cynical about this, I realise, but I find it saves time.
With that in mind ...

This was discussed fairly extensively a few years ago when Outlook
Mobile became the "Microsoft-offered/preferred" mobile client. I
suspect that for most organisations who knew about it and actively
considered it, the risk analysis included "Well, we already bent over
... er ... I mean, 'offloaded authentication to Azure' for Office 365,
my corporate credentials and email are already stored by a company
beholden to the PATRIOT Act etc, so what's one more case of credentials
stored blindly in the cloud - MS swear it's the only/best way to do it
and they must know what they're talking about".

I decided back then I would let my employer decide that was OK for
their stuff, but for my own use I have a different Android client
(which supports all the Office 365 functionality anyway including MFA,
so Microsoft's justifications are hollow). Most of these "decisions" on
clients seem to be made by people on the basis of "ooh shiny", at least
within SMEs. I'm sure the ADF wouldn't be using Mobile Outlook on this
basis, right?

Anyway, for organisations, there's also some value in being able to use
Azure functionality to lock down mail to their own choice of client and
managed device, so when it's lost or the employee leaves, company IP
can be wiped (and they "know" it works). Those who know about the
credential caching/storage have their concerns dismissed, and their
successors have a harder time arguing for an alternative, too, since
Outlook is already in place. And since MS hasn't enabled on-premises
platforms for modern needs like MFA and modern authentication, and is
actively trying to make rentals the only available option, I doubt the
situation will improve.

David Rawling - Principal Consultant

t: +61 41 213 5513  |  e: djr at pdconsec.net

Please note that whilst we take all care, neither PD Consulting and
Security nor the sender accepts any responsibility for viruses and it
is your responsibility to scan for viruses. The contents are intended
only for use by the addressee and may contain confidential and/or
privileged material. If you received this in error, we request that you
please inform the sender and/or addressee immediately and delete the

On Fri, 2021-12-17 at 15:42 +1000, Graham Maltby wrote:
> Thanks everyone for the confirmation.
> The process does not appear to have changed at all from what has been
> described; still storing credentials and all the mail they can slurp.
> I 
> have never liked or used Outlook in any of it's various incarnations
> so 
> I've had little exposure to this.
> I am somewhat surprised that this is not more well reported in 
> mainstream media. If any other app so blatantly stole your data and 
> shipped it off overseas, it would be all over the press as this
> should 
> be. But Microsoft, like a number of others, are big enough to get
> away 
> with this.
> Cheers,
> Graham
> On 17/12/21 14:01, Philip Loenneker wrote:
> > Hi Graham,
> > 
> > I don't know if this is still the case, but the original "Outlook"
> > app for mobiles saved your credentials on a server and downloaded
> > to there, then synced it down to your device. I think they did that
> > so they could do things like push notifications when you get an
> > email, which doesn't work if it runs locally and the app isn't
> > allowed to run in the background. That was before Microsoft bought
> > the app, but I haven't looked at it at all since then.
> > 
> > Where I was working at the time, we were justifiably concerned by
> > this "feature", advised everybody to not use it, and blocked it
> > from working on the corporate Internet service.
> > 
> > It is possible that it operates differently now, but from what you
> > described, it sounds like they still do the same thing.
> > 
> > This rather old blog post discusses some of the security concerns,
> > but it's from 2015 and may be completely irrelevant now.
> > https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/
> > 
> > Regards,
> > Philip Loenneker| Senior Network Engineer
> > TasmaNet | Vastnet | Netmode
> > 
> > -----Original Message-----
> > From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Graham
> > Maltby
> > Sent: Friday, 17 December 2021 2:35 PM
> > To: ausnog at lists.ausnog.net
> > Subject: [AusNOG] Outlook Mobile (OT)
> > Importance: Low
> > 
> > Afternoon all,
> > 
> > While attempting to sort out some autodiscover / activesync
> > processes last night, I installed Outlook on my mobile (current
> > Android version from the Play Store). Setup and an account and
> > logged in.
> > 
> > To my dismay, I find my phone is not connecting over the LAN to the
> > server 4m away but instead a server in Seoul, South Korea is
> > connecting and downloading my mail instead. Aside from the woeful
> > performance, it raises a lot of concerns with privacy, security and
> > data sovereignty.
> > The most annoying part (if that was not sufficient), is that 14
> > hours after deleting the account from "all devices" and
> > uninstalling the app, the server is still logging in and collecting
> > mail now (or was until I changed the password).
> > 
> > Is this common knowledge I have just missed all these years?
> > 
> > Is there a reason the media are not making noise about this?
> > 
> > Does nobody care because it's pretty?
> > 
> > 
> > I have very low expectations when it comes to Microsoft but this
> > poor by any measure.
> > 
> > Graham
> > 
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Cc78698f33b944aa750c408d9c10e5b4c%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753089685219848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4mr8ny9ODSiKpYpshRZ0eVceTabA95bJbmfw7qhk0KI%3D&reserved=0
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20211217/ccee057f/attachment.htm>

More information about the AusNOG mailing list