Security Concerns Surrounding Data Transfer in the New Outlook Application

The new version of the Outlook application reportedly sends several kinds of data to Microsoft servers, including, but not limited to, user email content and potentially sensitive access credentials. Switching to the new Outlook carries an implied consent that allows Microsoft to access users' email information.

Heise Online has disclosed that, beyond email content, the application is also sending IMAP and SMTP credentials linked to user accounts. During the process of adding new email accounts, Outlook makes it clear that it will synchronize data with Microsoft’s cloud services, as stated: "Everything you create in Outlook is stored in the Microsoft Cloud." Users seeking further information are directed to a support article from Microsoft.

According to Microsoft's explanation, the purpose of this synchronization is to provide a seamless user experience. The new Outlook is designed to sync non-Microsoft accounts, including their emails, contacts, and calendar events, with the Microsoft cloud. This works with Gmail, Yahoo, iCloud, and other IMAP accounts, across the different Outlook applications. The aim is to make certain features that were once exclusive to Microsoft 365 or Microsoft Exchange Online accounts available to a broader range of users. The synchronization keeps emails, calendar entries, and contacts consistent between the user's email service and Microsoft's data centers.

However, the scope of Microsoft's data collection extends beyond this. According to Heise Online, the new Outlook is configured to send login details, including usernames and passwords, to Microsoft servers. Although this transfer is secured with TLS, the credentials are transmitted in plain text within the protected channel. This means Microsoft has the potential to access IMAP and SMTP credentials without explicitly notifying users or obtaining direct consent.

Using a Google account with Outlook seems to work slightly differently from a privacy standpoint. When the account is authenticated through OAuth2, only an access token is transferred to Microsoft, and users have the option to revoke it. In such instances, sensitive login details like usernames and passwords are not handed over to Microsoft.
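The difference between a password inside TLS and an OAuth2 token can be seen in the two standard SASL mechanisms mail clients use for IMAP and SMTP. The following is an added example, not code from Heise or Microsoft, and it models the generic mechanisms rather than Outlook's actual traffic; the account name, password and token are constructed sample values.

```python
import base64

def sasl_plain(user: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL password, base64-encoded."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def sasl_xoauth2(user: str, access_token: str) -> str:
    """SASL XOAUTH2: carries an OAuth2 bearer token instead of the password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def visible_to_recipient(mechanism: str, response: str) -> dict:
    """Decode what the party terminating TLS reads from a SASL response.

    Base64 is an encoding, not encryption: TLS hides the value from the
    network, but the endpoint that receives it sees everything below.
    """
    raw = base64.b64decode(response).decode()
    if mechanism == "PLAIN":
        _authzid, user, password = raw.split("\0", 2)
        return {"user": user, "secret_kind": "password", "secret": password,
                "revoke_by": "changing the account password"}
    if mechanism == "XOAUTH2":
        fields = dict(f.split("=", 1) for f in raw.split("\x01") if f)
        token = fields["auth"].split(" ", 1)[1]  # strip the "Bearer " prefix
        return {"user": fields["user"], "secret_kind": "access_token",
                "secret": token,
                "revoke_by": "revoking the app's access at the provider"}
    raise ValueError(f"unsupported mechanism: {mechanism}")

# Constructed sample values, not real credentials.
USER = "alice@example.org"
PASSWORD = "constructed-password"
TOKEN = "constructed-access-token"

if __name__ == "__main__":
    for mech, resp in (("PLAIN", sasl_plain(USER, PASSWORD)),
                       ("XOAUTH2", sasl_xoauth2(USER, TOKEN))):
        seen = visible_to_recipient(mech, resp)
        print(f"{mech:8} recipient holds {seen['secret_kind']}; "
              f"revoke by {seen['revoke_by']}")
```

For accounts that only support password authentication, an app-specific password (where the provider offers one) limits what has to be rotated if the stored credential is no longer trusted.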

Source: Heise.de
