
The New Microsoft Outlook: Slick Look, Sticky Strings (Techy Version)

(*refer below for definitions)

Functionality, Sentiment, and Security Implications 

Microsoft has begun rolling out a new version of Outlook, commonly referred to as “One Outlook” or Project Monarch. Designed to unify the email experience across Windows, macOS, and the web, the new Outlook represents a major shift in both architecture and functionality. While Microsoft touts it as a more streamlined, modern experience, reactions among users and IT professionals are mixed—especially concerning how it handles data, credentials, and security.

A Shift in Architecture and Experience

The new Outlook is effectively a Progressive Web App (PWA) built on top of Outlook.com. Unlike the classic Outlook desktop client that stored emails locally using PST* or OST* files and communicated via MAPI* protocols, this new version behaves more like a wrapper for the web interface. Many features depend on a persistent internet connection and server-side processing.

Key Changes:

  • No local PST/OST files: Emails are streamed from the server as needed, with minimal local caching.
  • Unified Interface: Identical experience across desktop and browser.
  • Cross-platform Add-ins: Add-ins built for Outlook on the web now work across all platforms.

How Email Is Stored and Retrieved

The new Outlook relies almost entirely on cloud storage. All emails, attachments, and calendar items are stored in the user’s mailbox hosted by Microsoft 365, Outlook.com, or an external mail provider. When a user opens an email, Outlook fetches it from the server in real time using web APIs*.

Local Storage:

While Outlook may cache recent emails or attachments for performance reasons, the bulk of the data remains server-side. This reduces disk usage but makes the client highly dependent on network reliability.


Credential Handling and Security Implications

Authentication Process

When signing in, Outlook uses OAuth 2.0 for Microsoft accounts (e.g., Microsoft 365, Outlook.com), obtaining access and refresh tokens which are stored securely in the Windows Credential Manager or macOS Keychain. These tokens allow Outlook to access mailbox data without storing the user's actual password.

However, when connecting to third-party services like Gmail, Yahoo, or private *IMAP/SMTP servers, the situation is different:

  • If the provider supports OAuth (e.g., Gmail), Outlook will attempt to use delegated login.
  • If OAuth is not supported, Outlook requires the actual username and password for that mail server.

Where and How Credentials Are Stored

In cases where OAuth is unavailable, Microsoft stores the actual mail server credentials in the cloud as part of your Microsoft account or connected services configuration. This enables Microsoft to periodically poll the external mail server, even when Outlook isn’t actively running on your device.

Security Implications

  1. Cloud Storage of External Credentials
    • These credentials are stored by Microsoft to support continuous synchronization from third-party mailboxes.
    • This means Microsoft can access your Gmail or custom IMAP server at any time, which may conflict with internal IT policies or compliance standards.
  2. Opaque Behaviour
    • Users are rarely notified that their credentials are being stored in the cloud, not just on their device.
    • Removing an account from the Outlook client does not necessarily delete it from Microsoft’s backend services.
  3. Single Point of Failure
    • If an attacker compromises your Microsoft account, they could gain full access to all third-party email accounts linked to it.
    • Similarly, if Microsoft's credential vault were breached, this could expose credentials for services they do not own or control.
  4. Data Residency and Compliance Risks
    • Organisations operating under strict data sovereignty laws (e.g., *GDPR, *HIPAA, or NZ’s Privacy Act) may unintentionally be storing external email data on Microsoft’s servers—sometimes across international borders.
  5. Trust Creep
    • By allowing Microsoft to act as a persistent email proxy, organisations are granting it ongoing access to mailboxes that may contain sensitive personal or business information, without fine-grained visibility or control.

IT and User Sentiment: Mixed Reactions

IT Departments

Pros:

  • Easier deployment and updates
  • Unified experience reduces support burden
  • Consistent add-in behaviour across platforms

Cons:

  • Less control over where data is stored and how it flows
  • Difficult to audit and revoke access to third-party mailboxes
  • Reliance on Microsoft's cloud architecture even for non-Microsoft accounts

End Users

Pros:

  • Seamless experience across desktop and web
  • Familiar, modern interface
  • Easy account setup

Cons:

  • Confusion about what data is stored where
  • Unexpected behaviour when accessing or clicking links
  • Loss of full offline access capabilities

Handling Downloaded Email and Link Behaviour

When emails are fetched from the source mail server (Microsoft 365 or otherwise), they are rendered using web-based HTML within the Outlook PWA. This creates a number of issues:

  • Embedded Links: Behave as they would in a web browser. Some users report that clicking links can redirect the entire Outlook interface or open unexpected tabs.
  • Security Scanning: Microsoft Defender for Office 365 may scan or rewrite links in Microsoft-hosted accounts, but third-party accounts may not receive the same protection.
  • Tracking Elements: Pixel tracking and remote content are often rendered unless blocked by policy, exposing metadata about user behaviour.

Since emails are no longer rendered in a fully sandboxed desktop environment, script execution risks, phishing detection limits, and navigation control all become more critical concerns.
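
One way to audit a message body for the remote content and link behaviour described above, before it is rendered. This is an added example, not part of the original article or of Outlook; the class name, the sample HTML and its hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteContentAudit(HTMLParser):
    """Collects remotely loaded images and links whose visible URL names another host."""
    def __init__(self):
        super().__init__()
        self.remote, self.mismatched = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if urlsplit(src).scheme in ("http", "https"):  # cid: and data: load nothing remote
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                self.remote.append((src, "pixel" if tiny else "image"))
        elif tag == "a":
            self._href, self._text = a.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            real = urlsplit(self._href).hostname
            # Only compare when the visible text itself looks like a URL.
            claimed = urlsplit(shown).hostname if "://" in shown else None
            if claimed and real and claimed != real:
                self.mismatched.append((shown, self._href))
            self._href = None

def audit(html):
    parser = RemoteContentAudit()
    parser.feed(html)
    parser.close()
    return parser.remote, parser.mismatched

SAMPLE = """<p>Your invoice is ready:
<a href="https://login.example.net/pay">https://billing.example.com/invoice</a></p>
<img src="https://cdn.example.com/logo.png" width="120" height="40">
<img src="https://t.example.org/o.gif?u=1234" width="1" height="1">
<img src="cid:inline-logo">
<a href="https://example.com/help">Help centre</a>"""  # constructed message body

if __name__ == "__main__":
    print(audit(SAMPLE))
```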


The Mail Services Expert Provide

Where we provide mail hosting services to clients, we restrict authentication to the country where the users are located. This provides a significantly more secure environment, as it prevents rogue actors located outside the user’s country from attempting to hack into the email accounts we host. That’s why, when travelling abroad, users need to notify us in advance so we can allow email account access from the countries they will be travelling to; we then lock those accounts down again upon the user’s return.

Because the new Outlook requires access to the user’s email account via Microsoft’s cloud-based datacentres, we must remove the country-specific authentication restriction, which in turn allows anyone in the world to attempt to access the user’s email, resulting in a less secure system.
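
The country restriction and travel exceptions described above can be sketched as a small policy check. This is an added example, not our production configuration; the GeoIP table, account, dates and the country assigned to the cloud service are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database (documentation ranges, made-up countries).
GEO = {
    ip_network("192.0.2.0/24"): "NZ",     # user's home country
    ip_network("198.51.100.0/24"): "AU",  # travel destination
    ip_network("203.0.113.0/24"): "US",   # assumed location of a cloud sync service
}

def country_of(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), None)

@dataclass
class Account:
    home: str
    travel: list = field(default_factory=list)  # (country, first_day, last_day)

    def allowed(self, on):
        # Home country plus any travel exception active on that day.
        return {self.home} | {cc for cc, start, end in self.travel if start <= on <= end}

def decide(accounts, user, ip, on):
    acct, cc = accounts.get(user), country_of(ip)
    if acct is None or cc is None:  # unknown account or unlocatable IP: fail closed
        return "deny"
    return "allow" if cc in acct.allowed(on) else "deny"

ACCOUNTS = {"alice@example.com": Account("NZ", [("AU", date(2025, 3, 1), date(2025, 3, 10))])}

EVENTS = [  # constructed login attempts: (user, source IP, date)
    ("alice@example.com", "192.0.2.10", date(2025, 2, 20)),    # at home
    ("alice@example.com", "198.51.100.7", date(2025, 3, 5)),   # abroad, notified in advance
    ("alice@example.com", "198.51.100.7", date(2025, 3, 11)),  # after return, locked again
    ("alice@example.com", "203.0.113.50", date(2025, 2, 20)),  # cloud service polling mailbox
]

def run():
    return [decide(ACCOUNTS, user, ip, on) for user, ip, on in EVENTS]

if __name__ == "__main__":
    for (user, ip, on), verdict in zip(EVENTS, run()):
        print(on, ip, country_of(ip), verdict)
```

The last event is the case at issue: a connection made on the user's behalf from a datacentre in another country is refused for as long as the restriction stays in place.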

There is an alternative solution, though. Instead of being forced into Microsoft’s cloud-based solution, you can use an alternative email client such as Thunderbird, a free email client provided by Mozilla, the same people that provide the Firefox web browser.

 

Conclusion

The new Outlook offers a visually polished and technically modern experience. But its cloud-first model—while efficient and scalable—introduces notable changes in how emails are stored, how credentials are handled, and how security is enforced. The quiet upload and storage of third-party email credentials to Microsoft’s servers presents risks many users and IT admins aren’t yet aware of.

As adoption increases, organisations must re-evaluate their policies around data handling, external account access, and email hygiene. In the pursuit of convenience, transparency and control should not be sacrificed.

 

Definitions

* PST and OST are both Outlook data file formats. PST files are used for storing Outlook data locally on your computer, often for archiving and backup purposes. OST files, on the other hand, are cached copies of your mailbox data stored locally when you have an Exchange email account and are working in Cached Exchange Mode, allowing for offline access. 

* MAPI (The Messaging Application Programming Interface) is a programming interface specification that enables an application to send and receive mail over a Microsoft Mail messaging system. It was designed to separate the mail engine from the mail client.

* An Application Programming Interface (API) is a set of rules and protocols that allows different software applications to communicate and interact with each other, enabling them to exchange data, features, and functionalities. Essentially, it's a "middleman" that enables software to connect and share information in a standardized way.

* IMAP and SMTP are email protocols used for receiving and sending emails, respectively. IMAP (Internet Message Access Protocol) is used to retrieve emails from a server, while SMTP (Simple Mail Transfer Protocol) is used to send emails to a server.

* GDPR stands for General Data Protection Regulation, and it's a European Union law that governs how organizations collect, use, and store personal data of individuals within the EU. It was implemented on May 25, 2018, and aims to harmonize data protection laws across the European Union, strengthening individuals' rights and imposing obligations on organizations to ensure compliance.

* HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It's a federal law designed to protect individuals' medical records and other personal health information. This means HIPAA sets national standards for how health information is handled and protected, ensuring privacy and security.