Microsoft working to fix Outlook encryption flaw
The company said it will be finding a solution to the iOS and Android bugs causing corporate data policies to be ignored


Microsoft is developing a solution to an encryption flaw in the Outlook Android and iOS apps that cause some devices to ignore IT department passwords and policies, including encryption.
The company said additional features will be rolled out in the next few months to heighten security for corporate IT departments, including the addition of PIN lock and new Exchange ActiveSync policies.
Dirk Sigurdson, director of engineering at Rapid 7's Mobilisafe uncovered the flaw, and demonstrated how encryption policies are being ignored on some mobile devices.
Sigurdson explained in a blog: "[With Outlook for Android and iOS] any ActiveSync policy defined on the server is completely ignored. Your company can define a sophisticated passcode or encryption policy that will have absolutely no impact on devices if this new email client is used by your employees. There are other potential security issues with Outlook as well, but this one I think is the most egregious.
"If your organisation is dependent on ActiveSync policies in anyway you should immediately block ActiveSync access to Outlook for iOS and Android," he advised.
Another security blogger, Rene Winkelmeyer, warned of a number of other corporate security flaws in the Outlook apps when they were first released in January. He explained that Microsoft allows users to share corporate mail attachments with personal accounts, share ActiveSync IDs across a single user's devices and shares these credentials with Microsoft.
"The only advice I can give you at this stage is: block the app from accessing your companies [sic] mail servers. And inform your users that they shouldn't use the app," he explained.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
A journey to cyber resilience
whitepaper DORA: Ushering in a new era of cyber security
By ITPro
-
A new framework for third-party risk in the European Union
whitepaper Report: DORA and cyber risk
By ITPro
-
Anonymous Sudan: Who are the hackers behind Microsoft’s cloud outages?
News The highly aggressive ‘hacktivist’ group is thought to have links to the pro-Russian Killnet hacker collective
By Ross Kelly
-
Kali Linux releases first-ever defensive distro with score of new tools
News Kali Purple marks the next step for the red-teaming platform on the project's tenth anniversary
By Rory Bathgate
-
Microsoft releases scripts to restore shortcuts deleted in faulty Windows Defender update
News However, some users have resorted to creating their own fixes as they’ve encountered Microsoft’s to be problematic
By Zach Marzouk
-
Windows Defender update deletes Start Menu, Taskbar, Desktop shortcuts
News For now, it appears that administrators will have to manually recreate their shortcuts once the issue has been fixed
By Zach Marzouk
-
IBM LinuxONE for dummies
Whitepaper Secure your data, build an open hybrid cloud environment, and realise the cost benefits of consolidation
By ITPro
-
Windows 10 users encounter ‘blue screen of death’ after latest Patch Tuesday update
News Microsoft said it is working on a fix for the issue and has offered users a temporary workaround
By Ross Kelly