[AusNOG] Outlook Mobile (OT)
DaZZa
dazzagibbs at gmail.com
Fri Dec 17 20:39:16 AEDT 2021
Hi Dave

Be good fella and elucidate us as to the name of this non-Microsoft android
client that supports MFA, please?

The only reason I started using the streaming pile of putrid dog crap that
is Outlook is because corporate decided to enforce MFA - and the
Samsung/Android client didn't support that

I'd love to know a client that I can use that supports MFA and isn't
Outlook.

Thanks

DaZZa

On Fri, 17 Dec 2021, 7:42 pm David Rawling, <djr at pdconsec.net> wrote:
> Hi Graham
>
> I am highly cynical about this, I realise, but I find it saves time. With
> that in mind ...
>
> This was discussed fairly extensively a few years ago when Outlook Mobile
> became the "Microsoft-offered/preferred" mobile client. I suspect that for
> most organisations who knew about it and actively considered it, the risk
> analysis included "Well, we already bent over ... er ... I mean, 'offloaded
> authentication to Azure' for Office 365, my corporate credentials and email
> are already stored by a company beholden to the PATRIOT Act etc, so what's
> one more case of credentials stored blindly in the cloud - MS swear it's
> the only/best way to do it and they must know what they're talking about".
>
> I decided back then I would let my employer decide that was OK for their
> stuff, but for my own use I have a different Android client (which supports
> all the Office 365 functionality anyway including MFA, so Microsoft's
> justifications are hollow). Most of these "decisions" on clients seem to be
> made by people on the basis of "ooh shiny", at least within SMEs. I'm sure
> the ADF wouldn't be using Mobile Outlook on this basis, right?
>
> Anyway, for organisations, there's also some value in being able to use
> Azure functionality to lock down mail to their own choice of client and
> managed device, so when it's lost or the employee leaves, company IP can be
> wiped (and they "know" it works). Those who know about the credential
> caching/storage have their concerns dismissed, and their successors have a
> harder time arguing for an alternative, too, since Outlook is already in
> place. And since MS hasn't enabled on-premises platforms for modern needs
> like MFA and modern authentication, and is actively trying to make rentals
> the only available option, I doubt the situation will improve.
>
> Dave.
>
> --
>
> David Rawling - Principal Consultant
>
> t: +61 41 213 5513 | e: djr at pdconsec.net
>
> Please note that whilst we take all care, neither PD Consulting and
> Security nor the sender accepts any responsibility for viruses and it is
> your responsibility to scan for viruses. The contents are intended only for
> use by the addressee and may contain confidential and/or privileged
> material. If you received this in error, we request that you please inform
> the sender and/or addressee immediately and delete the material.
>
> On Fri, 2021-12-17 at 15:42 +1000, Graham Maltby wrote:
>
> Thanks everyone for the confirmation.
>
> The process does not appear to have changed at all from what has been
> described; still storing credentials and all the mail they can slurp. I
> have never liked or used Outlook in any of its various incarnations so
> I've had little exposure to this.
>
> I am somewhat surprised that this is not more well reported in
> mainstream media. If any other app so blatantly stole your data and
> shipped it off overseas, it would be all over the press as this should
> be. But Microsoft, like a number of others, are big enough to get away
> with this.
>
> Cheers,
> Graham
>
>
>
> On 17/12/21 14:01, Philip Loenneker wrote:
>
> Hi Graham,
>
> I don't know if this is still the case, but the original "Outlook" app for
> mobiles saved your credentials on a server and downloaded to there, then
> synced it down to your device. I think they did that so they could do
> things like push notifications when you get an email, which doesn't work if
> it runs locally and the app isn't allowed to run in the background. That
> was before Microsoft bought the app, but I haven't looked at it at all
> since then.
>
> Where I was working at the time, we were justifiably concerned by this
> "feature", advised everybody to not use it, and blocked it from working on
> the corporate Internet service.
>
> It is possible that it operates differently now, but from what you
> described, it sounds like they still do the same thing.
>
> This rather old blog post discusses some of the security concerns, but
> it's from 2015 and may be completely irrelevant now.
>
> https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/
>
> Regards,
> Philip Loenneker| Senior Network Engineer
> TasmaNet | Vastnet | Netmode
>
> -----Original Message-----
> From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Graham Maltby
> Sent: Friday, 17 December 2021 2:35 PM
> To: ausnog at lists.ausnog.net
> Subject: [AusNOG] Outlook Mobile (OT)
> Importance: Low
>
> Afternoon all,
>
> While attempting to sort out some autodiscover / activesync processes last
> night, I installed Outlook on my mobile (current Android version from the
> Play Store). Set up an account and logged in.
>
> To my dismay, I find my phone is not connecting over the LAN to the server
> 4m away but instead a server in Seoul, South Korea is connecting and
> downloading my mail instead. Aside from the woeful performance, it raises a
> lot of concerns with privacy, security and data sovereignty.
> The most annoying part (if that was not sufficient), is that 14 hours
> after deleting the account from "all devices" and uninstalling the app, the
> server is still logging in and collecting mail now (or was until I changed
> the password).
>
> Is this common knowledge I have just missed all these years?
>
> Is there a reason the media are not making noise about this?
>
> Does nobody care because it's pretty?
>
>
> I have very low expectations when it comes to Microsoft but this is poor by
> any measure.
>
> Graham
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog