Man, this oh-so great update has a big flaw.
See, we manage our users' email passwords so they cannot fall victim to phishing attacks. Usually, this doesn't cause any issues, and the Outlook app keeps them signed in. They used to be able to view message recall status right within the email sent back to them. Now, they're required to sign in. This is where the problem starts. They cannot sign in because they don't know their credentials, as we intended. So, now, we'd have to reduce our security and open our users up to possibly falling victim to phishing emails to allow them to view message recall status. That, or we can waste a whole day or two going around and signing everyone in on their browsers. Still, a pain.
Secondly, I've heard if users don't have OWA enabled, they simply get an error screen when trying to click the link to view message recall status. This is where the second security concern comes in. We don't want to enable OWA for all users, as this is just one more vector of attack that malicious parties can use. Have you ever heard of browser session hijacking? At that point, they don't even need to know your password, as they can hijack your browser session and the server lets them right in, because it thinks it's you! Yes, this is a bit of an edge case, and usually other security measures like anti-virus software would catch anything like that before it gets far enough to do anything, but you never know. It's always good to be extra safe.
At least, that's how we feel here. Obviously, Microsoft doesn't share the same concerns. My complaint is that you guys change things, and don't allow users the option to just stick with the old way, when it's possible, like it would be here. Cloud-based message recall may be more effective, but it has problems that spawn from it, like I mentioned above. I'd rather take the chance of a message not being recalled than take the chance that someone spills their credentials to a phishing attacker, or gets their browser session hijacked.
So, I suppose I have no choice but to drop what I'm doing and spend my whole day logging users into their Microsoft accounts on their browsers now. Also, enabling OWA for everyone, opening up their accounts to yet another attack vector. Please, Microsoft, allow users to choose whether they want features like this. I know you may not immediately see why, but many users have reasons not to want the "latest and greatest".