
New Outlook Mac OS and Windows some thoughts.

ravenstar68
Very Insightful Person

Before I start I'm going to state that any and all opinions in here are my own and do not represent the opinions of either Virgin Media, OR any other company that I work for.

I have an Office 365 subscription and Outlook on my MacBook is now the New Outlook.

I run my own email server and the New Outlook does not like setting up my account as an MS Exchange account so I reverted to the IMAP/SMTP combination to add my mail.

I noticed that my account was allowing the inbox set up to separate Focused and Other mail views - which I thought was Welcome - but strange, as this is a function on Microsoft Exchange accounts on the old Outlook but NOT IMAP accounts.

However the fun started when I wanted to look at the message source of a spam email.  Whilst not intuitive, this turned out to be quite simple: right click on the message in the message list and select view source.  This opened the message source in TextEdit.  But something looked odd so I tried again with the message source from a big provider.  Here are the main headers:

 

Received: from mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1])
	by mail.timothydutton.co.uk (Postfix) with ESMTP id 4Vr8Bd6HM7z4w1s
	for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:41 +0000 (UTC)
Received: from mail.timothydutton.co.uk ([127.0.0.1])
	by mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 7dYu5B6xmDmJ for <myaddress@timothydutton.co.uk>;
	Fri, 31 May 2024 03:44:40 +0000 (UTC)
Received: from mta11.e.ea.com (mta11.e.ea.com [136.147.183.216])
	by mail.timothydutton.co.uk (Postfix) with ESMTPS id 4Vr8Bc2lRgz4vym
	for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:40 +0000 (UTC)
Received: by mta11.e.ea.com id hb53qg2fmd44 for <myddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:31 +0000 (envelope-from <bounce-18_HTML-897634912-604457-7229410-3460103@bounce.e.ea.com>)
From: EA <EA@e.ea.com>
To: "myaddress@timothydutton.co.uk" <myaddress@timothydutton.co.uk>
Subject: Order Confirmation

 

The first thing I noticed was that there were no Authentication results.  Now as this is my server I know what checks it does and how they show up in the headers.  So I decided to look at the same source in the Mac Mail Client.

 

Return-Path: <bounce-18_HTML-897634912-604457-7229410-3460103@bounce.e.ea.com>
Delivered-To: myaddress@timothydutton.co.uk
Received: from mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1])
	by mail.timothydutton.co.uk (Postfix) with ESMTP id 4Vr8Bd6HM7z4w1s
	for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:41 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mail.timothydutton.co.uk
Authentication-Results: mail.timothydutton.co.uk (amavisd-new);
	dkim=pass (1024-bit key) header.d=e.ea.com
Received: from mail.timothydutton.co.uk ([127.0.0.1])
	by mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 7dYu5B6xmDmJ for <myaddress@timothydutton.co.uk>;
	Fri, 31 May 2024 03:44:40 +0000 (UTC)
Received: from mta11.e.ea.com (mta11.e.ea.com [136.147.183.216])
	by mail.timothydutton.co.uk (Postfix) with ESMTPS id 4Vr8Bc2lRgz4vym
	for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=200608; d=e.ea.com;
 h=From:To:Subject:Date:List-Help:MIME-Version:Reply-To:List-ID:Message-ID:
 Content-Type; i=EA@e.ea.com;
 bh=Bt4O8+rAcBCqhUuRfb6wIy85XnrcqrAkSNwQhDba61A=;
 b=ktW2ZmorBa47DTVdiHaLxNuurEZEFrAYvdigN3/Pu3gcqQvOTZ//LxtEP3S1jYIzQt83wUUOlUST
   urqn0eeItQOd5VNJzxBt+/vsqOuTDdkirvxKP0/Y3X7kKqXdSMf518xuL/6MlH1WfcO9Uku0SZXt
   Nf2/lSHpA77mLgdum9k=
Received: by mta11.e.ea.com id hb53qg2fmd44 for <myaddress@timothydutton.co.uk>; Fri, 31 May 2024 03:44:31 +0000 (envelope-from <bounce-18_HTML-897634912-604457-7229410-3460103@bounce.e.ea.com>)
From: "EA" <EA@e.ea.com>
To: <myaddress@timothydutton.co.uk>
Subject: Order Confirmation

 

So straight away we see a discrepancy.  The DKIM header is there, as is the result of the Authentication checks.

Let's have a look at the plain text header portion.

New Outlook

 

--_000_e2b2c4a7815e4e64bfe49242eac919f2atl1s07mta2749xtlocal_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

 

Apple Mail

 

--WZDBQC32T1nn=_?:
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: 8bit

 

There are more changes as well.  So essentially I CANNOT trust the headers of the mail when viewed in the New Outlook client.

How does Microsoft achieve this? Well, just as in the Outlook client on mobile devices, the client does not directly connect to your server.  Instead it interacts with servers on Microsoft's network and they perform the IMAP and SMTP connections with the mail servers you set up in the settings.  I've confirmed this by sending an email and checking the headers of the sent message to see the point where it hits my mail server.

 

Received: from CWXP265MB1542.GBRP265.PROD.OUTLOOK.COM (unknown [IPv6:2603:1026:401:4d::5])
	by mail.timothydutton.co.uk (Postfix) with ESMTPSA id 4Vrqsd4Bqhz4vym

 

I could possibly live with this, but I am not a fan of Microsoft essentially re-writing my mail - whilst the mail itself looks identical to the end viewer on both clients - being unable to provide the ORIGINAL source from the New Outlook app means that security professionals are hampered from doing their jobs properly when investigating email scams.

Whoever thought this was a good idea needs their head examining.

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks
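Added example, not part of the original post: a Python check that compares two exports of the same message and reports which trace and authentication headers one copy has lost. Both samples are constructed and abbreviated from the headers quoted above (the Return-Path is shortened); the function and variable names are assumptions.

```python
from email import message_from_string

# Headers an investigator needs to reconstruct delivery and authentication.
FORENSIC_HEADERS = ("Return-Path", "Delivered-To", "Received",
                    "Authentication-Results", "DKIM-Signature")

def missing_forensic_headers(reference_src, suspect_src):
    """Return {header: (count_in_reference, count_in_suspect)} for each
    forensic header that occurs fewer times in the suspect copy."""
    ref = message_from_string(reference_src)
    sus = message_from_string(suspect_src)
    report = {}
    for name in FORENSIC_HEADERS:
        n_ref = len(ref.get_all(name, []))
        n_sus = len(sus.get_all(name, []))
        if n_sus < n_ref:
            report[name] = (n_ref, n_sus)
    return report

# Constructed sample: source as exported by a client talking IMAP directly.
APPLE_MAIL_COPY = """\
Return-Path: <bounce@bounce.e.ea.com>
Delivered-To: myaddress@timothydutton.co.uk
Received: from mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1])
\tby mail.timothydutton.co.uk (Postfix) with ESMTP id 4Vr8Bd6HM7z4w1s
Authentication-Results: mail.timothydutton.co.uk (amavisd-new);
\tdkim=pass (1024-bit key) header.d=e.ea.com
Received: from mta11.e.ea.com (mta11.e.ea.com [136.147.183.216])
\tby mail.timothydutton.co.uk (Postfix) with ESMTPS id 4Vr8Bc2lRgz4vym
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=200608; d=e.ea.com
From: "EA" <EA@e.ea.com>
Subject: Order Confirmation

body
"""

# Constructed sample: the same message as shown by the cloud-synced client.
NEW_OUTLOOK_COPY = """\
Received: from mail.timothydutton.co.uk (mail.timothydutton.co.uk [127.0.0.1])
\tby mail.timothydutton.co.uk (Postfix) with ESMTP id 4Vr8Bd6HM7z4w1s
Received: from mta11.e.ea.com (mta11.e.ea.com [136.147.183.216])
\tby mail.timothydutton.co.uk (Postfix) with ESMTPS id 4Vr8Bc2lRgz4vym
From: EA <EA@e.ea.com>
Subject: Order Confirmation

body
"""

if __name__ == "__main__":
    print(missing_forensic_headers(APPLE_MAIL_COPY, NEW_OUTLOOK_COPY))
```
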

5 REPLIES

用心棒
Very Insightful Person

I do not use Outlook but was curious enough to see what the issue could possibly be here. AFAICS it seems there is a “sanitised” view of headers that shows just the information Microsoft believe is of use. To access the “de-sanitised” view it seems you need to view the message's Properties > Internet headers field.

ravenstar68
Very Insightful Person

Nope it's not.  The Properties->Internet Headers is in the Classic Version of Outlook.  The New version aims to move the interface in a similar direction to that of Outlook on the Web.

I've just added the same account to New Outlook on Windows, and have had the same experience as on the MacBook Air.

In addition when the client is set up you get a notification that the account is being synced with the Microsoft Cloud - I don't recall the message being so Overt in the MacOS version.

However it doesn't just sync the message to the cloud, it converts it.  Text in the email body that was encoded as 8 bit is instead encoded using Base64.

This is with external accounts, but Microsoft has form for changing email bodies.  If I send an email to an Exchange account and a Gmail account and then run dkimverify on the source, Microsoft fails DKIM but Gmail passes.

Remember DKIM not only signs the mail, but also provides a hash that is used to prove that specified parts of the mail have not been altered.

The thing is, if they can effectively amend the contents of the mail to change the encoding format, what's to stop them actually amending the actual viewable content of the message?

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks
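Added example, not part of the original post: the DKIM "relaxed" body canonicalization of RFC 6376 section 3.4.4 and the resulting bh= value, applied to a constructed text/plain part before and after an 8bit to Base64 re-encoding. The boundary, the text and all names are assumptions; only the body hash is covered, not the header signature.

```python
import base64
import hashlib
import re

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, then drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonical body, as carried in bh= (a=rsa-sha256)."""
    digest = hashlib.sha256(canon_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")

# Constructed sample: one text/plain part; boundary and text are made up.
TEXT = "Thanks for your order.\r\nTotal: £9.99\r\n".encode("utf-8")
B64_PAYLOAD = base64.encodebytes(TEXT).replace(b"\n", b"\r\n")

def mime_body(cte: bytes, payload: bytes) -> bytes:
    """Build the message body (MIME part headers included) that DKIM hashes."""
    return (b'--BOUNDARY\r\nContent-Type: text/plain; charset="utf-8"\r\n'
            b"Content-Transfer-Encoding: " + cte + b"\r\n\r\n"
            + payload + b"\r\n--BOUNDARY--\r\n")

AS_SIGNED = mime_body(b"8bit", TEXT)             # what the sender hashed
RE_ENCODED = mime_body(b"base64", B64_PAYLOAD)   # same text after re-encoding
# Whitespace-only damage that relaxed canonicalization is designed to absorb.
WHITESPACE_ONLY = AS_SIGNED.replace(b"Total: ", b"Total: \t ") + b"\r\n\r\n"

def body_survives(signed: bytes, received: bytes) -> bool:
    """True if a verifier would compute the same bh= for both bodies."""
    return body_hash(signed) == body_hash(received)

if __name__ == "__main__":
    print("bh as signed  :", body_hash(AS_SIGNED))
    print("whitespace    :", body_survives(AS_SIGNED, WHITESPACE_ONLY))
    print("base64 rewrite:", body_survives(AS_SIGNED, RE_ENCODED))
```

The decoded text is byte-for-byte identical in both parts, yet the hash differs because DKIM hashes the transfer-encoded body as it appears on the wire.
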

Adduxi
Very Insightful Person

I’ve so far managed not to use the “new” outlook with MS365.  I’m just waiting for MS to force all users onto it.  


用心棒
Very Insightful Person

@ravenstar68 wrote:

Nope it's not.  The Properties->Internet Headers is in the Classic Version of Outlook.  The New version aims to move the interface in a similar direction to that of Outlook on the Web.

Sorry to read that.

Seems the instructions here, View internet message headers in Outlook - Microsoft Support, are incorrect then: [2024-06-01.jpeg]

Tudor
Very Insightful Person

When I see MS doing things like this I’m very glad I gave up on MS a few years ago. I had even been a beta tester for early versions of Windows and Windows Network Server!


Tudor
There are 10 types of people: those who understand binary and those who don't and F people out of 10 who do not understand hexadecimal c1a2a285948293859940d9a49385a2