Bottom line: Outlook transmitted authentication credentials unencrypted to e-mail servers for years while the user interface displayed SSL/TLS as active.
A Fedora update led to the discovery of a security vulnerability in Outlook: the client could send account passwords in plain text to the e-mail server even though SSL/TLS was enabled in the account settings. According to the report, users were affected over a period of several years.
In various Outlook configurations, authentication credentials were transmitted to the e-mail server unencrypted although the client showed SSL/TLS as active. The flaw went undiscovered for years because Outlook presented the connection as protected at the user-interface level while the underlying implementation did not actually protect the credential exchange.
The Fedora update exposed the problem because the Linux distribution apparently enforced stricter encryption requirements on the server side, or otherwise made the defect in Microsoft's implementation visible. This is a classic example of a gap between what the user is led to expect and what the authentication path actually delivers: a security indicator is only as good as the implementation behind it, and the report gives no indication that Outlook warned when the protection it advertised was missing.
For CISOs, this is relevant to auditing historical Outlook deployments in their own environment, particularly where legacy configurations with manually entered server settings were in use. Two follow-ups are warranted: an audit of internal mail authentication traffic (ideally from packet captures or mail-server logs, checking whether any credential exchange reached the server outside TLS), and a reassessment of the affected accounts, since any password that crossed the network in clear text has to be treated as potentially compromised and rotated.
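The report does not describe the technical mechanism of the flaw, so the following is an added example, not code from the golem.de article, Lumi, or Microsoft. It shows what the recommended traffic audit looks like in general: given decoded SMTP-submission or IMAP sessions from a packet capture (assumed here to be rendered as "C: ..." / "S: ..." lines, with encrypted bytes after a completed STARTTLS marked "<TLS records>"; both conventions are hypothetical), it flags any SASL PLAIN, SASL LOGIN or IMAP LOGIN exchange that is still readable on the wire, decodes the base64 to recover the user name, and reports only the password length. It covers the general failure class (credentials sent before TLS is established) rather than any specific Outlook code path. All sessions, host names and credentials are constructed for the example.

```python
"""Audit decoded mail-client sessions for credentials sent outside TLS.

Added example, not code from golem.de, Lumi or Microsoft.  The
"C: ..." / "S: ..." line format and the "<TLS records>" marker are
assumptions about how the auditor has rendered a packet capture.
"""
import base64
import re

# Constructed sample sessions (not real captures); credentials are fake.
SMTP_PLAIN_CLEARTEXT = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlAGh1bnRlcjI=
S: 235 2.7.0 Authentication successful
"""

SMTP_LOGIN_CLEARTEXT = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Ym9i
S: 334 UGFzc3dvcmQ6
C: czNjcmV0
S: 235 2.7.0 Authentication successful
"""

SMTP_STARTTLS_OK = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
<TLS records>
"""

IMAP_LOGIN_CLEARTEXT = """\
S: * OK IMAP4rev1 ready
C: a1 LOGIN "carol" "Pa55word!"
S: a1 OK LOGIN completed
"""

AUTH_RE = re.compile(r"^AUTH\s+(PLAIN|LOGIN)(?:\s+(\S+))?$", re.IGNORECASE)
IMAP_LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$', re.IGNORECASE)


def _b64_text(token):
    """Decode a base64 token to text; malformed input yields ''."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def audit_session(capture):
    """Return {'tls_established': bool, 'leaks': [...]} for one session.

    A leak is a SASL PLAIN / LOGIN exchange or an IMAP LOGIN command seen
    while the stream is still plaintext.  Passwords are never returned,
    only their length, so the audit output itself is not a credential dump.
    """
    leaks, starttls_sent, tls_active = [], False, False
    state, pending_user = None, None  # state: None|plain|login_user|login_pass

    def leak(mech, user, pw):
        leaks.append({"mechanism": mech, "username": user, "password_length": len(pw)})

    for raw in capture.splitlines():
        if raw.strip() == "<TLS records>":
            break  # nothing readable after the handshake
        side, sep, line = raw.partition(": ")
        if not sep:
            continue
        line = line.strip()
        if side == "S":
            if starttls_sent and line.startswith("220"):
                tls_active = True  # server accepted STARTTLS
            starttls_sent = False
            continue
        if side != "C" or tls_active:
            continue
        if state == "plain":  # SASL PLAIN sent as a separate response
            parts = _b64_text(line).split("\0")  # [authzid, authcid, passwd]
            if len(parts) == 3:
                leak("PLAIN", parts[1], parts[2])
            state = None
        elif state == "login_user":
            pending_user, state = _b64_text(line), "login_pass"
        elif state == "login_pass":
            leak("LOGIN", pending_user, _b64_text(line))
            state = None
        elif line.upper() == "STARTTLS":
            starttls_sent = True
        elif AUTH_RE.match(line):
            mech, initial = AUTH_RE.match(line).groups()
            if mech.upper() == "PLAIN" and initial:  # initial-response form
                parts = _b64_text(initial).split("\0")
                if len(parts) == 3:
                    leak("PLAIN", parts[1], parts[2])
            else:
                state = "plain" if mech.upper() == "PLAIN" else "login_user"
        elif IMAP_LOGIN_RE.match(line):
            user, pw = IMAP_LOGIN_RE.match(line).groups()
            leak("IMAP LOGIN", user, pw)
    return {"tls_established": tls_active, "leaks": leaks}


def compromised_users(captures):
    """Set of account names that crossed the wire in clear text (to rotate)."""
    return {l["username"] for c in captures for l in audit_session(c)["leaks"]}


if __name__ == "__main__":
    for name, cap in [("plain", SMTP_PLAIN_CLEARTEXT), ("login", SMTP_LOGIN_CLEARTEXT),
                      ("starttls", SMTP_STARTTLS_OK), ("imap", IMAP_LOGIN_CLEARTEXT)]:
        print(name, audit_session(cap))
```

Run against real captures, the useful output is the set returned by `compromised_users`: every account in it needs a password reset regardless of what the client's settings dialog claimed, because the audit looks at what reached the wire, not at what the UI displayed.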
Source: www.golem.de · Published June 5, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.