Microsoft is developing a solution to an encryption flaw in the Outlook Android and iOS apps that cause some devices to ignore IT department passwords and policies, including encryption.
The company said additional features will be rolled out in the next few months to heighten security for corporate IT departments, including the addition of PIN lock and new Exchange ActiveSync policies.
Dirk Sigurdson, director of engineering at Rapid 7's Mobilisafe uncovered the flaw, and demonstrated how encryption policies are being ignored on some mobile devices.
Sigurdson explained in a blog: "[With Outlook for Android and iOS] any ActiveSync policy defined on the server is completely ignored. Your company can define a sophisticated passcode or encryption policy that will have absolutely no impact on devices if this new email client is used by your employees. There are other potential security issues with Outlook as well, but this one I think is the most egregious.
"If your organisation is dependent on ActiveSync policies in anyway you should immediately block ActiveSync access to Outlook for iOS and Android," he advised.
Another security blogger, Rene Winkelmeyer, warned of a number of other corporate security flaws in the Outlook apps when they were first released in January. He explained that Microsoft allows users to share corporate mail attachments with personal accounts, share ActiveSync IDs across a single user's devices and shares these credentials with Microsoft.
"The only advice I can give you at this stage is: block the app from accessing your companies [sic] mail servers. And inform your users that they shouldn't use the app," he explained.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
-
A new framework for third-party risk in the European Unionwhitepaper Report: DORA and cyber risk
-
Anonymous Sudan: Who are the hackers behind Microsoft’s cloud outages?News The highly aggressive ‘hacktivist’ group is thought to have links to the pro-Russian Killnet hacker collective
-
Kali Linux releases first-ever defensive distro with score of new toolsNews Kali Purple marks the next step for the red-teaming platform on the project's tenth anniversary
-
Microsoft releases scripts to restore shortcuts deleted in faulty Windows Defender updateNews However, some users have resorted to creating their own fixes as they’ve encountered Microsoft’s to be problematic
-
Windows Defender update deletes Start Menu, Taskbar, Desktop shortcutsNews For now, it appears that administrators will have to manually recreate their shortcuts once the issue has been fixed
-
IBM LinuxONE for dummiesWhitepaper Secure your data, build an open hybrid cloud environment, and realise the cost benefits of consolidation
-
Windows 10 users encounter ‘blue screen of death’ after latest Patch Tuesday updateNews Microsoft said it is working on a fix for the issue and has offered users a temporary workaround
