New Outlook copies user emails from other accounts to Microsoft cloud


The new Microsoft Outlook, which replaces the Calendar and Mail apps in Windows 11, syncs user data, including credentials and emails, to the Microsoft Cloud by default. This applies even to Gmail and other third-party mail accounts unless the user specifies otherwise.

Updated with comment from Microsoft.

With the Windows 11 2023 update, Microsoft brought the new Outlook app as an alternative to Mail and Calendar apps “at no extra cost.” However, there may be a cost after all – users are pushed into syncing their mail accounts with Microsoft Cloud, sharing sensitive data.

New Outlook users risk having their IMAP and SMTP credentials and entire mailboxes transferred to Microsoft servers without proper consent, a report by heise.de found.

When users add an email account from a different provider, for example Gmail, to Outlook, a pop-up informs them: “For better experience, your messages, events, and contacts will be synced to the Microsoft Cloud.”

Effectively, that means that Microsoft will create duplicate copies on its servers.

Adding account to Outlook

“Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers,” the Microsoft support page reads.

It’s now recommended to use the new Outlook app instead of the Mail app. Also, the new Outlook version is offered with “the new Outlook” switch for Microsoft 365 subscribers. It is expected to replace the basic mail and calendar programs.

“The new Outlook for Windows is the future for both the Mail and Calendar apps in Windows and the classic Outlook for Windows,” a Microsoft blog post reads.

However, heise.de is suspicious of what Microsoft transfers and where to. The German publication was able to observe Microsoft creating copies of credentials such as the login name, password, and destination server. Moreover, the credentials traveled in plain text inside the connection, which was protected only by the Transport Layer Security (TLS) protocol.

“Without informing or asking, Microsoft grants itself full access to the IMAP and SMTP access data of users of the new Outlook,” Heise’s reporting warns.

Microsoft support pages explain that this is done “to enhance your Microsoft 365 experience in New Outlook for Windows.”

“You can now sync your non-Microsoft accounts (including their emails, contacts, and events) to the Microsoft Cloud. This is available for Gmail, Yahoo, iCloud, and IMAP accounts in Outlook for iOS, Outlook for Android, and new Outlook for Mac,” the page states.

Microsoft mentions here that the Microsoft Services Agreement and Privacy Statement apply to account data.

“At first sight, it's a pretty terrible practice regarding user privacy and might even be deemed illegal in some countries, where the right to private communication is a constitutional right, as sharing SMTP and IMAP credentials is the same as sharing keys to the doors, just the doors are your email inbox. However, an in-depth investigation into privacy policy and chain of events is needed to confirm or deny the allegations in the article,” the Cybernews Research team said.

Outlook users who do not want to sync their data with Microsoft should choose the option “Sync directly with [Provider]” while setting up new accounts.

Cybernews reached out to Microsoft for comment.

“Syncing a user’s IMAP account helps the user have a consistent experience for all accounts added in Outlook, such as being able to use mail search and being able to mark emails as read/unread for the added accounts. See the article in the “Learn more” link for details on the features supported. For IMAP providers where Microsoft connects using BasicAuth, we store the access data as a user token in encrypted form in the user’s own mailbox. For email providers supporting OAuth (Gmail and Yahoo Mail), we never have access to the user’s access data, since the service gets an OAuth token from the client. This means that Microsoft does not have access to the plain text password,” a Microsoft spokesperson said in an email.

Meanwhile, cybersecurity communities are raging on online forums.

“My magic crystal ball just showed me that they're going to use your email for training AI models. They're just trying to catch up with Google in any and every way they possibly can, users trust, privacy and security be damned,” one user posted on Hacker News.