New Outlook's security issues: Businesses should avoid switching!

The new Outlook for Windows is a security nightmare and does not respect data protection rules that businesses need to comply with.

The new Outlook has built-in security issues: It shares users' passwords and mailbox contents to the Microsoft cloud servers. Businesses must not switch!

Microsoft's "new Outlook" (introduced in 2022) has been promoted as an upgrade, but its implementation introduces severe data protection concerns - so severe that it's fair to say it's a downgrade rather than an upgrade. Regardless, Microsoft increasingly pushes personal and business Outlook users to switch to the new Outlook. But IT admins should be warned: If employees press the toggle to switch to the new Outlook, they risk unintentional breaches of data protection laws, as all emails and login credentials are automatically stored on Microsoft’s cloud servers. This poses significant compliance issues, especially for businesses handling sensitive data.


Stop the switch: why companies should avoid the new Outlook

Data protection risks of the new Outlook

Many businesses - small and large - use Outlook for professional emails. And, yes, while it’s important to get a professional email address as a business, Outlook should no longer be the top choice, and the new Outlook is the best proof of that.

The new Outlook fundamentally changes how email communications are handled: When using the standard Outlook, users could connect their mail provider via IMAP directly to the Outlook client - their mail server (be it Gmail, Yahoo, or any other email provider) directly communicated with the locally stored Outlook client. This has changed now. The new Outlook routes all messages through Microsoft’s cloud servers, even when people or businesses use non-Microsoft email accounts. This shift forces all email traffic through Microsoft’s infrastructure.

What makes things worse is that, beginning this year, users of a Microsoft 365 Business subscription have been gradually forced to switch to the new Outlook (they were not asked to make the switch actively), and from April 2026, subscribers to an Enterprise plan could also be affected, as The Spiegel reports.

Ready to share all your emails with Microsoft?

It’s like giving all your letters to a letter delivery agency - without an envelope - for them to post the letters. At the same time, the letter delivery agency receives all your post, opens every letter, and then hands them on to you.

In other words, Microsoft sees all your emails whether you use Gmail, Yahoo or any other email provider with the new Outlook. Additionally, employees’ login credentials are stored in Microsoft’s cloud rather than locally, which dramatically - and unnecessarily! - increases the risk of unauthorized access.

This approach may also present serious legal compliance issues, not only with internal security regulations within a company, but also with regulations such as the GDPR and HIPAA. By forcing email data and credentials onto Microsoft’s cloud, organizations may inadvertently violate these regulations, leading to potential legal and financial consequences. Traditional Outlook versions allowed users to store emails locally and their passwords were not shared, which offered greater security and control. But this option is no longer available with the new Outlook.

Beyond compliance concerns, the forced reliance on Microsoft’s cloud creates additional risks. Data stored in centralized cloud environments that is not encrypted is more easily accessible to third parties: from government requests to hacking attacks to leaks and data breaches, there are all kinds of risks. And what makes things worse: Microsoft is not particularly known for best security standards. Instead, the US government has asked Microsoft to “get its security right” as recently as October 2024.

When using the new Outlook, critical business and personal communications are placed at the mercy of Microsoft’s infrastructure and policies.

So if you are still unsure if the new Outlook is an option for you, read the following questions. If you can reply “Yes” to all, the new Outlook is made for you. If not, keep reading to learn more about the new Outlook and more secure email alternatives:

  1. Are you okay that all email communication is routed through Microsoft’s servers, giving them full access to email contents?

  2. Are you comfortable with Microsoft storing your login credentials in their cloud?

  3. Are you certain that storing all company emails in Microsoft’s cloud does not violate GDPR, HIPAA, or company-internal data protection regulations your organization must comply with?

  4. Do you trust that no third party, like government authorities or cybercriminals, will ever gain unauthorized access to your company’s data stored in Microsoft’s cloud?

If you reply “No” to any of these questions, you and your company should look for better alternatives to the new Outlook. However, if you are still using the classic Outlook, you must first make sure that no employee (accidentally) switches to the new Outlook.

How IT admins can stop employees from switching to the new Outlook

Everyone is able to switch to the new Outlook - unless the IT admin hides the toggle.

When using the standard Outlook, everyone - even employees in a company - can switch to the new Outlook by simply clicking on a little toggle displayed in their Outlook client. Once switched, all data is transferred to the Microsoft cloud - and stays there even if the employee switches back to the classic Outlook version.

And Outlook really wants you to use the switch!

“Toggling is designed to be quick, making it easy to move back and forth as needed. In this stage, we will maintain the ability for users to run both classic and new Outlook side by side, allowing them to compare their experiences while working seamlessly across both products.”

Companies are not that happy about the “easy switch toggle”

The easy option to simply ‘test the new Outlook’ is a severe issue for companies as the switch poses potential security and data protection compliance risks. IT administrators should proactively disable the option for employees to switch to the new Outlook. Here is how:

  1. Disable the migration option via Group Policy Objects (GPO) or Intune policies.

  2. Restrict installation through Windows Defender Application Control (WDAC).

  3. Notify employees to avoid switching manually and educate them on security risks.

  4. Regularly check Microsoft’s update logs to ensure no forced migrations have been implemented.
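
For step 1, the following PowerShell script is an added example (not from the original article or from Microsoft) that audits, and with -Enforce sets, the per-user registry values behind the toggle policy. It also reports whether the user has already switched. The value names and paths (HideNewOutlookToggle, NewOutlookMigrationUserSetting, UseNewOutlook) are taken from Microsoft's admin guidance as an assumption and do not appear on this page; verify them against the current documentation for your Office build.

```powershell
# Added example: audit (and optionally enforce) the per-user settings that hide
# the "Try the new Outlook" toggle in classic Outlook. Run in the user's context.
# Registry names/paths are assumptions based on Microsoft's admin guidance,
# not values from this page; verify before deploying via GPO or Intune.
param([switch]$Enforce)

$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\General'
       Name = 'HideNewOutlookToggle';           Want = 1   # 1 = toggle hidden
    },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Preferences'
       Name = 'NewOutlookMigrationUserSetting'; Want = 0   # 0 = no admin-driven migration
    }
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = @(foreach ($s in $settings) {
    $current = Get-RegValue $s.Path $s.Name
    $ok = ($null -ne $current) -and ($current -eq $s.Want)
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want `
            -PropertyType DWord -Force | Out-Null
        $current = Get-RegValue $s.Path $s.Name
        $ok = ($null -ne $current) -and ($current -eq $s.Want)
    }
    [pscustomobject]@{ Setting = $s.Name; Current = $current
                       Wanted = $s.Want; Compliant = $ok }
})

# UseNewOutlook = 1 means this user has already flipped the toggle.
$switched = Get-RegValue 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Preferences' 'UseNewOutlook'
$report += [pscustomobject]@{ Setting = 'UseNewOutlook (read-only check)'
    Current = $switched; Wanted = 0; Compliant = ($switched -ne 1) }

$report | Format-Table -AutoSize
# Non-zero exit lets a management tool flag the machine as non-compliant.
if ($report.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Writing under the \Policies key requires administrative rights, so in production push these values through GPO or Intune and run the script without -Enforce as a compliance check.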

The new Outlook: no love affair

Since the launch of the new Outlook in 2022, IT admins have asked on Reddit how to “disable/remove this so users don’t have the option to click on it”, and this Reddit user asks the same as “A lot of our employees turn this on, only to be met with a disappointment due to the lack of many features in this new Outlook/Teams version.”

All in all, the new Outlook gets more rejection than love, not just because of missing features, but also due to its security and privacy issues. Even on the Outlook forum comments are quite negative:

gregc471: “Honestly, The new Microsoft Outlook is garbage. No-one I talk to wants this. Did Microsoft do any market research at all before forcing this on customers?”

Gonzer: “Woah, Outlook new is a disaster! … I cannot revert to the old Outlook - low resources on a new Dell laptop, it says.”

Keith7465: “I believe the direction the product is taking is driven primarily by Microsoft, and the desire to increase cloud revenue. Big customers will have a say, but it’s secondary, and as long as they don’t get something unusable then they will be OK.”

Forced “upgrade” in 2029?

So what should you do if you absolutely do not want to switch to the new Outlook? For now, you can save yourself and your colleagues by disabling the switch toggle in the standard Outlook version as explained above. However, this buys you only a little bit of time.

Outlook states that they will only “honor published support timelines for existing version of classic Outlook for Windows until at least 2029.” This means support for classic Outlook will cease in 2029, so eventually you are going to be forced to switch.

In addition, if you switch by accident before 2029 - there is no going back: “In the cutover stage, the ability to switch back to classic Outlook will no longer be available to users. New deployments of Outlook from Microsoft 365 subscriptions will feature new Outlook for Windows [only].”

Switch now so you can’t be forced to switch!

So if you have to switch anyway, why not do it right?

A secure alternative to the new Outlook is Tuta Mail, which provides built-in quantum-safe end-to-end encryption to protect your business communication.

There are a few things that Tuta does much better than Outlook, but for a more detailed picture, do check out our comparison of Outlook vs Tuta Mail.

  • End-to-End encryption of all data: Ensures that only the sender and recipient can read emails. Unlike Microsoft’s cloud-based processing of emails and passwords, Tuta puts your security first.

  • Quantum-safe security: Future-proof, hybrid encryption protocol to safeguard data against emerging quantum computing threats.

  • Zero-knowledge architecture: Tuta Mail cannot access user emails, ensuring full data privacy.

  • GDPR-compliant email: Data remains private and is never stored or processed in third-party clouds without consent.

  • No Tracking, No Ads: Microsoft collects user data for targeted advertising; Tuta Mail does not track users or serve ads.

For private users: stop using the new Outlook

Private users should also be aware that their emails and login details are automatically stored in Microsoft’s cloud when using the new Outlook. If you prioritize your privacy, consider switching to a secure alternative like Tuta Mail.

The new Outlook for individuals presents the same privacy concerns as for businesses: Every email sent or received is automatically stored on Microsoft servers, making it vulnerable to potential breaches or unauthorized access. While Microsoft claims not to scan emails for targeted ads, it still collects metadata and usage patterns, which can be used for profiling. In addition, Outlook focuses more and more on business customers; for instance, custom domains in Outlook are no longer supported for private customers. Plus, the lack of end-to-end encryption for personal users means that emails remain accessible to Microsoft employees and potential third parties. Sending secure, encrypted emails in Outlook is reserved for business users, and even password-protected emails in Outlook are not end-to-end encrypted: Microsoft still has access to the content of these emails, while password-protected emails in Tuta are end-to-end encrypted and available even to users of the free version.

Tuta Mail, on the other hand, offers a privacy-focused alternative that eliminates these risks. Unlike Microsoft, Tuta Mail does not mine user data, and guarantees your information remains private. Every email can be sent end-to-end encrypted, meaning only the intended recipient can read its contents. And when an email is password-protected in Tuta, it is truly confidential: Tuta Mail’s encryption ensures that no one - not even we as the provider - can access it. Additionally, Tuta Mail does not track users or display ads, as its funding comes from subscriptions rather than data exploitation. It is available across multiple platforms, including Windows, macOS, and Linux via its free email desktop clients, as well as iOS and Android, ensuring seamless accessibility. Finally, as an open-source email service, Tuta Mail provides full transparency, guaranteeing that no hidden backdoors compromise user security.

Don’t wait for 2029! Secure your emails today!

  1. Uninstall the new Outlook and delete your Outlook account

  2. Switch to a secure email provider like Tuta Mail

  3. Import all your emails to Tuta Mail

  4. Enable two-factor authentication

Companies and private users should avoid the new Outlook due to its severe privacy risks. IT admins must take immediate steps to disable the “easy-switch toggle” implemented by Microsoft to push the new Outlook onto their customers. Secure alternatives like Tuta Mail provide a reliable, privacy-focused email solution that ensures data integrity and confidentiality.