When opening the new Outlook client for the first time, the user is asked to log in much like any other email client. If you enter an email address with a common provider, like Gmail or iCloud, the client will use an Oauth2 workflow to authenticate with your browser. If you enter a third-party domain, you’ll be prompted for an IMAP password (if supported). This is all very normal for an email client.
However, once you’re authenticated, you’re presented with an innocuous window informing you that to use the new version of Outlook, Microsoft will need to sync your emails, events, and contacts to Microsoft Cloud. A cancel option is available, but there’s no option to refuse and continue using your client. A support link is provided with some more information, which explains that the access enables features such as mail search, a focused inbox, or recurring meetings, but makes no clear statement of the limits of this data collection.
From this warning, a user might reasonably assume that the email client they’re logging into will continue acting as an email client and that the client might send some limited data for processing in the cloud. However, that’s not the case. Instead of your email client authenticating, your credentials are passed to the Microsoft cloud, which authenticates on your behalf. From this point, all processing (including the fetching of your emails) is handled in the cloud. We could not observe any traffic traveling directly from the client to our email provider.
This is true of both OAuth and IMAP workflows but is most visible when authenticating with a third-party IMAP server. In this case, the Outlook client takes the IMAP credentials provided by your email provider to access the application and transfers them directly to Microsoft’s cloud over TLS. We could reproduce this by setting up a transparent man-in-the-middle proxy between the internet and the Outlook Client to intercept encrypted traffic. In the screenshot below, our app password generated from a third-party email provider is shared and stored directly with Microsoft’s servers. The response to this request is an access and refresh token that’s used to maintain a persistent authenticated session with Microsoft’s servers.
This sounds like Microsoft is effectively turning Outlook into a thin client app connected to a Gmail-like service that sucks up and stores all your email from any connected service. Including Gmail.
I’m frankly stunned that nobody at MS thought that maybe, just maybe, this is a really bad idea, both from a legal and regulatory standpoint.
(Via Baldur Bjarnason)