Microsoft To Do Flagged Email List has Created a New Attack Surface for Junk Email



Outlook and Microsoft To Do are being exploited by spammers to turn our Flagged email list into a cesspool of junk email. Outlook allows any outgoing email to be flagged and To Do will display any flagged email—including those in Outlook's Junk folder. Clearly To Do should filter out anything from the Junk folder.


I've reported this on Twitter and other feedback channels with zero response. Microsoft developers may never encounter this issue because they're behind enterprise-grade firewalls and SPAM filters. 


[Screenshot attachment: Microsoft To Do flagged junk email vulnerability 2020-11-05 144423-2.jpg]

6 Replies


Dead silence. What kind of community is this?


Is anyone from Microsoft still around? Even if no one else is seeing this issue, perhaps someone could share that feedback?

@Mike Glenn I just noticed the same issue today. I went on the desktop app to manually delete the tasks. I also noticed some of the tasks were there despite the email being deleted from the junk file. If I have to go do this on a regular basis it will make the to do app experience very bad. I hope someone from Microsoft can provide input. Thanks for posting this. 

@DRFLNY Thank you for taking the time to validate that I'm not the only person in the world seeing this issue. I discovered the Important task smartlist is also impacted by this Junk folder flaw.


I've reported this to Microsoft via multiple channels including here in Tech Community, Feedback Hub and social media such as Twitter and Facebook. So far, it's been completely ignored by Microsoft except for one resource on FB who suggested that I report it to the Outlook team! Despite the fact that it makes zero sense to try and blame this To Do flaw on Outlook, I went ahead and reported it to them as well. The result? No response. I'm starting to wonder if it will take an article in one or more of the large tech publications to get their attention.


Anyway, there are much bigger issues in the world that need attention. Let's hope for a brighter and healthier 2021 for all of us!

best response confirmed by Mike Glenn (Contributor)
Update: On January 29, I finally got a response directly from a support engineer on the To Do team! He acknowledged that the issue was being addressed and asked me to keep in touch with any updates. Since then, I'm happy to report that the To Do Flagged and Important smartlists have been spam-free. The only exception was a temporary regression on Feb 19 that was repatched within 24 hours.

Now we can enjoy spam-free To Do smartlists. Note: Any junk mail that made its way into To Do before this issue was fixed will have to be removed manually.

Hi Mike, it looks like this issue was cleared up temporarily. I have 400+ flagged junk mails in my Microsoft To Do app, which is really a shame; I was hoping to use it but this makes it useless for me. I will have to see if I can report it as you did. If you are still active on this, can you point me in the right direction? Thank you for speaking up about this.

@Mike Glenn 

@LisaK10 Hello, Lisa. This problem was completely resolved for me back in February 2021. I haven't seen any junk email in my To Do smart lists since then. The fix was on Microsoft's side, so it should have resolved the issue for everyone. Nothing was done specifically to my devices other than updating to the latest version of To Do. 


That being said, I did have to manually remove all the flagged and important junk email tasks that made it into To Do before the fix. Check the dates on all those. They should all be from earlier this year (assuming your To Do version has been updated).