Hotmail (and Outlook.com) became a public health hazard
It's a phishing paradise right now.
The year is 2002. On the charts? Nickelback. The computer? A Pentium 166 MMX. The email provider? Hotmail. Twenty years later the service is still going, even after being acquired by Microsoft in 1997, one year after it was created. Microsoft doesn’t publish exact numbers, but back in 2013 it migrated 300 million Hotmail accounts when moving the service to the new Outlook.com infrastructure. We can imagine a good percentage of those users still have an active account.
To add to the party, the migration let users keep their Hotmail address alongside an @outlook.com one and manage multiple accounts from the same inbox. Neat.
It gets the job done, but it’s full of Spam
The integration of Hotmail into Outlook.com brought a deserved modernity to the service. The improved user interface was the strongest point, but it was unfortunately eclipsed by a growing problem: the amount of spam in my inbox.
If you, like me, have ever configured a mail server, you know how strict Hotmail / Outlook is about letting messages from a new or unknown server reach the inbox. Yet spam kept flocking into my inbox. This was strange.
A quick search for “Hotmail / Outlook spam” turns up millions of threads and blog posts on the subject. There is even a guide on how to read Outlook mail in Gmail, so that users can benefit from Google’s filtering. It also seems to have become a lot worse since 2020, and thinking back, I agree. In 2021, users were reporting 5-10 spammy emails per minute.
It’s clear there’s a problem here, and the Microsoft team seems hopeless:
Not the typical Nigerian prince
The issue with spam in Outlook.com is its nature: almost all of it is phishing. If we were talking about small phishing schemes targeting local banks, I could understand the filter missing them. The problem is the multitude of phishing emails I get impersonating well-known services such as Apple, Amazon or PayPal. These services send from known servers and publish SPF and DMARC records, so a message that claims their domain in the From: header and fails authentication should be rejected or quarantined long before it reaches an inbox (a message sent from a look-alike domain gets no such protection and has to be caught by other signals). Letting these emails pass is plain dangerous.
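To make the point concrete, here is an added example (written for this post, not Outlook.com’s filter or any vendor’s code) of how a receiving server turns its SPF and DKIM results plus the From: domain’s DMARC record into a disposition. The DMARC records, the domains (`brand.example` stands in for a service like PayPal or Amazon) and the four messages are all constructed for the example; a real receiver gets the authentication results from its own SPF/DKIM checks and the record from a DNS TXT lookup of `_dmarc.<domain>`. It also shows the catch: a phishing mail sent from an attacker-owned look-alike domain passes DMARC cleanly, because DMARC only protects the exact domain that publishes the policy.

```python
"""Added example: DMARC evaluation as a receiving mail server does it.
Not Outlook.com's code; all records and messages below are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Stand-ins for DNS TXT lookups of _dmarc.<domain>. brand.example plays the
# role of a well-known service; the values are assumptions for this example,
# not the real records of any company.
DMARC_RECORDS: Dict[str, str] = {
    "brand.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r",
    "brand-security.example": "v=DMARC1; p=none",  # attacker-owned look-alike
}


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    A real implementation consults the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'dmarc1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass" / "fail" / "none" from the SPF check
    spf_domain: str    # RFC5321.MailFrom (envelope) domain SPF was checked for
    dkim_result: str   # "pass" / "fail" / "none" from signature verification
    dkim_domain: str   # d= tag of the verified DKIM signature, if any


def evaluate_dmarc(msg: AuthResults, records: Dict[str, str]) -> Tuple[str, str]:
    """Return (disposition, reason). Disposition is 'pass', or the policy the
    From: domain requested on failure: 'none', 'quarantine' or 'reject'."""
    from_dom = msg.from_domain.lower()
    org = org_domain(from_dom)
    # RFC 7489: look up the exact From: domain first, then its organizational domain.
    found_at = from_dom if from_dom in records else org
    record = records.get(found_at)
    if record is None:
        return ("none", "no DMARC record for %s" % from_dom)
    tags = parse_dmarc(record)
    if tags.get("v") != "dmarc1":
        return ("none", "invalid DMARC record for %s" % found_at)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, from_dom, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, from_dom, tags.get("adkim", "s" if False else "r"))
    if spf_ok or dkim_ok:
        return ("pass", "aligned %s pass" % ("DKIM" if dkim_ok else "SPF"))
    policy = tags.get("p", "none")
    if found_at != from_dom and "sp" in tags:  # org-level record, From: is a subdomain
        policy = tags["sp"]
    return (policy, "no aligned SPF or DKIM pass")


# Constructed messages, in the form a filter sees them after SPF/DKIM checks.
SPOOF = AuthResults("brand.example", "pass", "bounce.attacker.example", "none", "")
LEGIT = AuthResults("brand.example", "pass", "mail.brand.example", "pass", "brand.example")
LOOKALIKE = AuthResults("brand-security.example", "pass", "brand-security.example",
                        "pass", "brand-security.example")
SUBDOMAIN_SPOOF = AuthResults("alerts.brand.example", "fail", "attacker.example", "none", "")


def classify_all() -> Dict[str, str]:
    """Disposition for each constructed message."""
    samples = [("spoof", SPOOF), ("legit", LEGIT),
               ("lookalike", LOOKALIKE), ("subdomain_spoof", SUBDOMAIN_SPOOF)]
    return {name: evaluate_dmarc(m, DMARC_RECORDS)[0] for name, m in samples}


if __name__ == "__main__":
    for name, msg in [("spoof", SPOOF), ("legit", LEGIT),
                      ("lookalike", LOOKALIKE), ("subdomain_spoof", SUBDOMAIN_SPOOF)]:
        disposition, reason = evaluate_dmarc(msg, DMARC_RECORDS)
        print("%-16s %-10s %s" % (name, disposition, reason))
```

The direct spoof of `brand.example` ends up as `reject` and the subdomain spoof as `quarantine`, so a receiver that honours the published policy never shows either to the user. The look-alike `brand-security.example` passes, which is why a mailbox provider cannot stop at DMARC: the display name, the brand names in the body and the reputation of the sending domain still have to be scored.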
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware.
If there are many reports of information security professionals falling into phishing traps, you can imagine how hard it is for elderly or less tech-savvy people. The case gets even more flagrant when we see the type of emails passing through the filters. Want an iCloud account verification email? Here it is:
Maybe a PayPal account limitation phishing email? We’ve got you.
Amazon account verification? Also on the list:
It’s important to highlight that all these emails reached my inbox. A couple of months ago, even an email impersonating a Microsoft account verification reached my inbox. That’s right: Microsoft delivered a message spoofing Microsoft itself. It has reached the point where some users report the spam filter not working at all.
Taking responsibility and killing projects
Google has been accused of killing projects like no other company, to the point where there is even a graveyard for them. Killing projects that some people rely on is definitely frustrating, but on the other hand, Google never ends up dragging along a product it isn’t improving, maintaining or supporting. If it doesn’t add value, they kill it. If it doesn’t deliver the needed quality, they kill it.
When a service is used by millions of people, a certain responsibility comes with it. This is even more true when dealing with less tech-savvy users, and for a company like Microsoft, whose software comes preinstalled on a new PC. Allowing these same users to be dangerously exposed to scams that can drain their bank accounts and maybe ruin their lives is irresponsible, to say the least. How hard can it be to fix this?
Twenty years later, the best I can do is finally close my account and tell my mom and dad to do the same. For now Gmail will have to do. At least I can sleep better at night.