March 12, 2015

Written by Chris E.

Following the acquisition of the popular mobile email application Acompli, Microsoft has released the latest version of its Outlook App for iOS and Android devices. Within one week of the debut, reports of major security concerns relating to Microsoft’s methods of data storage began surfacing across various internet-based forums.

Many organizations, including ActioNet, allow users to access corporate email systems on mobile devices through Microsoft’s ActiveSync protocol. Mail, tasks, calendars, contacts, and other information stored on corporate Exchange Servers can be automatically pushed to mobile clients, whether company-owned or user-owned (BYOD), by leveraging the ActiveSync protocol that runs natively on iOS and Android devices. This exchange takes place directly between the corporate Exchange Server and the user’s device, keeping user credentials and other potentially sensitive data out of the hands of third parties.

Microsoft’s latest Outlook App not only stores user credentials on third-party servers, but also completely bypasses Exchange ActiveSync security policies. As a result, any security controls implemented on your Microsoft Exchange Servers are sidestepped, and the risk is introduced that user credentials can be stolen or spoofed to penetrate organizations’ on-premises Exchange email systems.

In response to the discovery of these vulnerabilities and backed by overwhelming condemnation by Information Security professionals across the globe, the ActioNet Information Security team has implemented a temporary block of ActiveSync access to the Outlook App for iOS and Android. Microsoft is aware of the issue and has said in a statement that fixes will be released in the coming weeks.
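The post does not say how the temporary block was implemented. The following is an added example, not ActioNet’s own procedure, showing the standard way to block one mobile client on an on-premises Exchange 2013 server: an Exchange ActiveSync device access rule, created from the Exchange Management Shell. It assumes the Outlook App identifies itself to Exchange with the DeviceType value "Outlook"; that value is an assumption to be confirmed with the inventory step before the rule is relied upon.

```powershell
# Added example (not from the ActioNet post): blocking a mobile client with an
# Exchange ActiveSync device access rule in the Exchange Management Shell.
# ASSUMPTION: the Outlook App reports DeviceType "Outlook". Confirm that with
# step 1 before creating the rule.

# 1. Inventory: which device types are currently syncing, and how many of each?
Get-MobileDevice -ResultSize Unlimited |
    Group-Object -Property DeviceType |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# 2. Check the organization-wide default for devices no rule matches
#    (Allow, Block or Quarantine) and who is notified about new devices.
Get-ActiveSyncOrganizationSettings |
    Select-Object -Property DefaultAccessLevel, AdminMailRecipients

# 3. Block the client by DeviceType. Rules can match on DeviceType, DeviceModel,
#    DeviceOS or UserAgent; DeviceType is the least likely to change between app
#    versions, so it is the most reliable key for a block like this.
New-ActiveSyncDeviceAccessRule -QueryString "Outlook" -Characteristic DeviceType -AccessLevel Block

# 4. Verify the rule exists and see which existing device partnerships it affects.
Get-ActiveSyncDeviceAccessRule |
    Format-Table -Property Name, QueryString, Characteristic, AccessLevel

Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq "Outlook" } |
    Get-MobileDeviceStatistics |
    Select-Object -Property DeviceFriendlyName, DeviceAccessState, DeviceAccessStateReason, LastSuccessSync

# 5. Once Microsoft's fix ships, remove the temporary rule. Exchange names a rule
#    "<QueryString> (<Characteristic>)", so the identity is "Outlook (DeviceType)".
# Remove-ActiveSyncDeviceAccessRule -Identity "Outlook (DeviceType)"
```

The list produced in step 4 is also the list of users whose credentials have already been handed to the app and, per the post, stored on third-party servers; a block rule stops future syncing but does not undo that, so those accounts are the ones to follow up with separately.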