Alert essentials:

In early 2025, Microsoft plans to migrate business customers from classic Outlook to the new Outlook app. The update will be automatic unless administrators use a registry key to prevent installation.

 

Email Team


Detailed threat description:

The new Outlook has been generally available since August 2024 and will become Microsoft’s standard mail application. Windows builds after 23H2 have the new Outlook app preinstalled. Interested Microsoft users can switch to the new Outlook from the Mail and Calendar apps included with Windows.

Support for Windows Mail and Calendar ends on December 31, 2024. However, if administrators prevent the upcoming migration, corporate customers can continue to work with supported classic Outlook until 2029.

The new Outlook is more like a web-based app in terms of operation and interface. Still, some have reported struggles with the new application. The user interface of the new Outlook is based on WebView2, meaning the Outlook website runs in a native Windows window.

Some users have reported a cluttered and inefficient user experience. The app is reportedly slower than the classic version and has annoying advertisements, some disguised as emails.

Yet the new application offers a consistent user experience across desktop, web, and mobile platforms. The intended experience is for users to switch between devices more efficiently without relearning navigation.

The app enhances productivity with deep integrations of Microsoft 365 services like Teams, Word, Excel, and OneDrive. It offers a clean, modern interface that improves usability by providing users access to files, meeting schedules, and collaborations.

Microsoft’s Copilot AI assists with composing emails and scheduling tasks if certain subscriptions have been purchased. Advanced phishing protection and end-to-end encryption have been added to help keep sensitive information safe. Users can personalize their inbox layout, swipe gestures, and notification settings for a tailored experience.

The switch to the new Outlook is meant to streamline user engagement and share in the advancements of the improved application. Organizations using classic Outlook on the Current Channel with a Business Standard or Premium license will be transitioned from classic Outlook for Windows to the new Outlook for Windows beginning January 6, 2025.

While a return is possible, it has already been announced that another “forced switch” could occur at any time.

If you’re already receiving automatic Office updates, nothing needs to be done. The new Outlook for Windows app will automatically download and install on your device.

You can switch back to classic Outlook using the toggle in the new Outlook. If you prefer not to use the new Outlook on the organization’s devices, it can be removed after it’s installed as part of the update. You can also uninstall the Mail and Calendar apps from devices before Microsoft rolls out the new Outlook next month.

An alternative to Outlook is Mozilla Thunderbird, a free, open-source email client for Windows, macOS, and Linux. It manages multiple email accounts and organizes emails with tags and labels. End-to-end encryption with S/MIME or PGP through extensions is supported. The email client features advanced phishing protection and avoids intrusive data collection, making it worth considering.


Impacts on healthcare organizations:

Switching email clients in a hospital setting can significantly affect operations, including efficiency, security, and compliance. If the new client is less reliable or prone to outages, it could disrupt critical communications.

Therefore, it is vital to test new technologies before integrating the software into user environments.

If executed well, switching email clients can streamline operations, but accidental application replacement can lead to significant disruptions and risks in a healthcare environment.

 

Affected Products / Versions:

Reference MessageID MC926895 in the Microsoft 365 admin center for information on changes in the migration from classic Outlook to the Outlook app.


Recommendations

Engineering recommendations:

  • Disable the user setting for automatic migration to prevent users from being switched to the new Outlook
  • More granular control is available through OWA mailbox policies with the ConditionalAccessPolicy parameter
    • Example: when users are on noncompliant devices, OWA mailbox policies limit their capabilities, for instance by restricting attachments
  • Prevent mailbox access from the new Outlook, regardless of how users acquired it
    • Use an Exchange mailbox policy to block organization (work or school) mailboxes from being added to the app
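
The three engineering controls above as one audit-then-apply script. This is an added example, not code from this advisory or from Microsoft. The registry value `NewOutlookMigrationUserSetting` and the `OneWinNativeOutlookEnabled` parameter are the names Microsoft's admin documentation uses and do not appear on this page, so confirm them against MC926895 before deployment; the policy name `OwaMailboxPolicy-Default` is an assumption.

```powershell
# Added example, not Microsoft's or the advisory's own script.
param([switch]$Apply)   # without -Apply the script only reports current state

# 1. Policy value that disables the user setting for automatic migration.
#    HKCU: run in the user's context, or push the same value by GPO/Intune.
$key  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Preferences'
$name = 'NewOutlookMigrationUserSetting'      # DWORD 0 = disabled

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = '<not set>' }
"Registry: $name = $current"

if ($Apply) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# 2. Exchange Online: report every OWA mailbox policy, then harden.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$policies = Get-OwaMailboxPolicy
$policies | Format-Table Name, OneWinNativeOutlookEnabled, ConditionalAccessPolicy

if ($Apply) {
    foreach ($p in $policies) {
        # Blocks work or school mailboxes from being added to the new Outlook,
        # regardless of how the user acquired the app.
        Set-OwaMailboxPolicy -Identity $p.Identity -OneWinNativeOutlookEnabled $false
    }
    # Accepted values: Off | ReadOnly | ReadOnlyPlusAttachmentsBlocked.
    # Applies to sessions that a Microsoft Entra Conditional Access policy
    # flags with app-enforced restrictions (e.g. noncompliant devices).
    Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' `
        -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked
}

# 3. Coverage check: how many mailboxes sit under each policy.
#    Mailboxes with no policy listed use the organization default.
Get-CASMailbox -ResultSize Unlimited |
    Group-Object OwaMailboxPolicy |
    Sort-Object Count -Descending |
    Format-Table Count, Name
```

Run it once without `-Apply` in a test tenant to capture the baseline, then with `-Apply` under your change-management process.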

Leadership/Program recommendations:

  • To use the Outlook for Windows desktop app (either the classic or new version) with a Microsoft 365 organizational email address, you need to purchase a plan that includes the desktop versions of the Microsoft 365 apps
  • If you have a Business Standard account (or any account that includes a license for desktop apps) added to Outlook, that license will apply
  • You can add any secondary email accounts regardless of licensing status (e.g., Business Basic)

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

 

References: