The new Outlook may give Microsoft access to third-party emails and logins
The new Outlook for Windows application will replace Mail and Calendar, and also classic Outlook. Problem is, it may transfer third-party email logins to Microsoft and gives Microsoft full access to all emails, contacts and events.
The new Outlook is available already. Users of the latest Windows 11 version may have the app installed on their devices. It is also available as a standalone download from the Microsoft Store.
Even classic Outlook contains an option to test the new Outlook for Windows. Microsoft plans to replace Mail and Calendar on Windows 11 with the new Outlook for Windows in 2024. Microsoft employee Caitlin Hart revealed in a Tech Community post that the new app will also replace classic Outlook eventually.
The article lists features that Microsoft is working on currently and features that it has added to the new Outlook for Windows already.
Your emails and login information may be transferred to Microsoft
A reminder is shown to users when they add a new third-party email account to the new Outlook. It links to the Sync your account in Outlook to the Microsoft Cloud support website. There, users are informed that emails, contacts and events of that account are synced with the Microsoft cloud to enhance the Microsoft 365 experience.
This works with a limited number of third-party email providers and also depends on the platform. The Windows version supports the feature for Gmail and Yahoo accounts, while the iOS, Outlook for Android and Mac versions support Gmail, Yahoo, iCloud and IMAP accounts.
Microsoft gets full read access to the emails and other information that it syncs. The only options that users have is to select continue or cancel. Continue proceeds with the setup, cancel stops it at that point.
Apart from gaining access to emails, contacts and events for supported email providers, users may also wonder how the syncing is established.
German computer magazine CT discovered that Outlook may transfer the target server, username and password to Microsoft servers. This was, for instance, the case for test IMAP accounts.
TLS is used to encrypt the data in transit, but Microsoft gains cleartext access to the data. I confirmed the findings using a test account.
Users are not informed about this by Microsoft during setup. Microsoft gets full access to the email account, including the username and password, and does not inform users about it.
To be fair, this is not the case for all third-party email accounts. Gmail, for instance, uses OAuth2 for authentication. Microsoft still gets read access to emails and other data, but it does not get the user's login information.
Gmail users may retract these permissions in their Google account at any time.
The new Outlook and third-party accounts
Windows users need to be very careful when it comes to the new Outlook. We recommend not to use it with third-party accounts at the time of writing until Microsoft publishes an official statement about this.
The new Outlook has a 3.5 out of 5 rating on the Microsoft Store. Reviews are mixed, and so are reviews on third-party websites.
Now You: which email app(s) do you use?Advertisement