We are not hybrid either and this is the first time I have heard that MS is proxying the authentications from Outlook Mobile client. I have NOT seen that URL from Microsoft Learn referenced in any of the Google Play documentation for Outlook Mobile. I do thank you for at least disclosing it here. I will definitely circulate it as well as this info to everyone I know.
Now I understand why Microsoft does not publish the code for Outlook Mobile because the very first patch that would be released for it is one that cuts that proxying right out of the application.
Who the heck do you think you are that you have the right to collect email addresses and passwords to them in your proxy cache server WITHOUT notifying any of the people downloading the Outlook Mobile app?
Oh, right, you are the folks making the app available FOR FREE. Now I know WHY it's free. From your view it's a quid-pro-quo, the "customer" (more like the mark or the sucker) gets the free app, and in exchange you get marketing data, their email address and password on top of it.
Don't you people understand some countries in the EU have actual laws requiring disclosure for this kind of thing? Unlike the US which allows this sordid kind of information gathering. Oh wait, I see on that URL page:
"On-premises accounts leveraging hybrid Modern Authentication with Outlook mobile are not supported with Office 365 US Government Community and Defense tenants, Office 365 Germany tenants, and Office 365 China operated by 21Vianet tenants."
So in other words none of those organizations can run Outlook Mobile, legally. Yet the US Government was compromised last year in the last major O365 attack so clearly, many of the US Government offices aren't aware of this. Why? BECAUSE YOU DON'T MAKE WHAT YOU ARE DOING OBVIOUS by disclosing it on Google Play.
Frankly I think you are violating Google Play rules by not disclosing what you are doing but that's not my problem. You probably also are violating the Apple store rules as well.
How can we trust you that this fancy "hybrid authentication" AKA Microsoft stealing email addresses and passwords is limited to JUST Exchange servers? What about the various Linux mailserver projects that create a mailserver that has all the same authentication APIs that Exchange uses like ActiveSync? Are you man-in-the-middle collecting passwords and email addresses and user IDs from them, too? What about the IMAP clients, do you use your proxy to collect authentication information from those, also? How can we tell? You don't publish the code for the mobile app!
I'm quite sure your sales and marketing department is regularly given reports of the top 100 domains that are passing through your authentication servers so that your sales guys can go hump those organizations' legs for O365.
And don't think I'm letting Google off the hook on this one either as I have absolutely no doubt that they do the same **bleep** thing with their email app - not to mention that they already get the email address from the Gmail address in the phone anyway, but they can collect all the additional email addresses from additional email accounts added to the Mail app in the phone, just as you are no doubt doing. Except, oh wait - THEY PUBLISH THEIR MOBILE EMAIL CLIENT CODE so if they attempted this we would all know it.
God how it disgusts me how dirty this industry has become over the last decades.
Folks, I was sending email via UUCP before Internet email even existed. We never ever intended for it to get this filthy and we did the best we could to try to make it impossible for this kind of thing to happen when designing protocols. I'm sorry we failed but it just proves once more that money is the root of all evil and when you get enough of it, it will corrupt ANYTHING.