>Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "[email protected]:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d...":
Hold up, does this mean Outlook sends your full credentials to Microsoft when you try to set up an Outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.
Basically everything Microsoft makes that touches HTTP will send your username and your password to any server that asks for Basic Authentication.
It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default, and the Group Policy unintuitively only applies to unencrypted HTTP connections.
Not just that: the new Outlook app makes Microsoft a complete man-in-the-middle for your email account.
https://www.xda-developers.com/privacy-implications-new-micr...
It's more common than you might think. I know of at least one popular email client that stores your credentials on their servers to enable features like multi-account sync and scheduled sending.
Most likely, and nobody cares.
Many years ago I remember installing a firewall on my phone and noticing with surprise that Outlook was not connecting at all to my private mail server, but was instead only sending my credentials to their cloud and downloading messages from there.
The only Android mail client not making random calls to cloud servers was (back then) K-9 Mail.
I think the curl -u switch just requires the password field to be filled; there obviously isn't a legit user account [email protected] with a password of password either at Microsoft or at the Japanese IMAP server.
I think Outlook is pretty much a SaaS product these days.
Yeah since the Windows 11 2023h2 update.
Always has been.
> Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account?
Not just an “outlook account” - any account in outlook, with default settings at least.
I run a mail server, mainly for me, but a couple of friends have accounts on there too. A while ago one friend reported apparently being locked out, and it turned out that it was due to them switching Outlook versions: it was connecting via a completely different address to those that my whitelists expected, sometimes at times when they weren't even actively using Outlook. Not only were the active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could log in to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?).
> but this feels like it breaks all sorts of security/privacy expectations.
It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants.
The above-mentioned friend migrated his mail to some other service in a huff as I refused to open my whitelist to "any old host run by MS" and he didn't want to dig into how to return behaviour back to the previous "local connections only, not sending credentials off elsewhere where they might be stored".
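The lockout described in the comment above is what a mail-server operator would see when a client's stored IMAP credentials are replayed from a third party's infrastructure: the same user logging in from source addresses outside the networks they normally use, sometimes when the user is not at their keyboard. The following is an added example (not code from the thread or from any mail-server project) that flags such logins in Dovecot-style `imap-login` lines. The log lines are constructed, the Dovecot format is assumed, and the per-user `EXPECTED_SOURCES` allowlist and the IP ranges in it are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Dovecot imap-login format; not real logs.
# alice's first login is from her expected network, the next two are not.
SAMPLE_LOG = """\
Mar  3 08:01:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.2, mpid=4101, TLS, session=<aaa>
Mar  3 08:03:45 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.2, mpid=4110, TLS, session=<bbb>
Mar  3 02:14:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.78, lip=198.51.100.2, mpid=4120, TLS, session=<ccc>
Mar  3 09:15:30 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.44, lip=198.51.100.2, mpid=4130, TLS, session=<ddd>
Mar  3 09:16:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=198.18.0.9, lip=198.51.100.2, TLS, session=<eee>
"""

# Matches successful logins only; failed/disconnected lines are ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]+)>, method=(?P<method>\w+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Hypothetical allowlist: the networks each user is expected to connect from.
# This stands in for the operator's "whitelist" in the thread; values are made up.
EXPECTED_SOURCES = {
    "alice": ["203.0.113.0/24"],
    "bob": ["203.0.113.0/24"],
}


def parse_logins(text):
    """Yield (timestamp, user, auth method, source address) for each successful IMAP login."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m["ts"], m["user"], m["method"], ipaddress.ip_address(m["rip"])


def unexpected_logins(text, expected=EXPECTED_SOURCES):
    """Return {user: [(timestamp, ip), ...]} for logins from outside the user's allowed networks.

    A client that hands its credentials to a cloud service shows up here as the
    user's own account authenticating from that service's address space.
    """
    nets = {u: [ipaddress.ip_network(n) for n in ns] for u, ns in expected.items()}
    hits = defaultdict(list)
    for ts, user, _method, ip in parse_logins(text):
        if not any(ip in n for n in nets.get(user, [])):
            hits[user].append((ts, str(ip)))
    return dict(hits)


def distinct_sources(text):
    """Return {user: sorted list of distinct source IPs}; a proxied client yields more than one."""
    seen = defaultdict(set)
    for _ts, user, _method, ip in parse_logins(text):
        seen[user].add(str(ip))
    return {u: sorted(s) for u, s in seen.items()}


if __name__ == "__main__":
    for user, events in unexpected_logins(SAMPLE_LOG).items():
        for ts, ip in events:
            print(f"{ts} {user}: login from {ip} outside expected networks")
    print(distinct_sources(SAMPLE_LOG))
```

Pointing `unexpected_logins` at a real `mail.log` (and replacing the allowlist with the user's actual networks) turns the comment's surprise lockout into a routine alert: the 02:14 login in the sample is the kind of off-hours, off-network session the operator describes, and the `distinct_sources` summary makes it obvious when one account is arriving from several address ranges at once.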