1. hacker got your email login info & signed into his/her device.
2. you change password and sign out everywhere.
3. hacker still receives your emails, including new ones.
I just found out this Microsoft Outlook email security risk. you can't fully "sign out everywhere else". if someone has signed in to your email on his/her devices, you are basically phucked forever.
this is how you can test/reproduce:
1. install outlook app on your phone (I'm on Android) and sign in. mail is now downloaded into the phone.
2. open web browser, go to outlook website, sign in.
3. in outlook web, go to your security settings and "sign out everywhere".
4. wait for 24 hours (that's what Ms said). I've tried checking new emails in the mobile app within 6 hours and everything still works like normal (not being signed out yet).
5. after 24 hours, check outlook app again. it will tell you to sign in (this is actually false hope by Ms). of course, you can still view previously cached email. I wonder how many mails are downloaded by default.
6. on the outlook web, send a mail to yourself.
7. outlook app (despite already "signed out") will receive this new mail, and you get a notification popup. this popup shows the sender name, the email title, and a short part of the content. this is the phucked up part.
many website logins send a 2FA code to email. some have titles like "Use code 123456 for website XX". this is just plain stupid.
is there any sysadmin or email expert here who can confirm when the outlook app will fully disconnect from the server (and therefore stop receiving new email)?
inb4 use 2FA TOTP via authenticator app but that is different discussion.
inb4 old story but never fixed:
https://learn.microsoft.com/en-us/answers/q...tions-despite-s
This post has been edited by Skylinestar: Today, 08:29 AM
Today, 08:15 AM, updated 11h ago