Many customers, regulated or not, use Zimbra to ensure privacy and control data sovereignty. Unfortunately, using Microsoft’s “New” Outlook creates a de facto privacy breach and data sovereignty violations whenever it is connected to any non-Microsoft email service.
To get straight to the point, we strongly recommend that users concerned about privacy and data sovereignty never use New Outlook. Here are the reasons why:
Essentially, New Outlook routes all connections through Microsoft 365 — whether you have a Microsoft 365 account or not.
We see this in our logs when a user is using New Outlook; Zimbra’s mailbox.log file will contain entries like the following IMAP example:
2025-06-13 17:38:47,637 INFO [ImapSSLServer-118] [name=user@customer_domain.com;ip=10.8.4.153;oip=52.96.75.165;via=Microsoft Office 365/15.20.8769.14,10.8.4.153(nginx/1.24.0);ua=Zimbra/10.0.14_GA_4767;cid=447;] imap - SELECT elapsed=2 (NIO)
There are four things horribly wrong with this situation:
First, the oip in the log file snippet above is not the end user’s IP address; it’s a Microsoft IP address. Since we use the oip for abusive IP address blocking, a bad actor can use New Outlook with compromised credentials and we have no way of blocking the actual bad actor’s IP address(es). We’d have no choice but to lock out the user’s account, rather than block the abusive IP and get the user to change their password straightaway. Microsoft has just given a huge gift to bad actors globally, unfortunately.
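A small detection script illustrates the point above: it is an added example written for this post, not Zimbra’s own code, and it parses the bracketed session context that Zimbra writes on each mailbox.log line. Sessions whose via= chain contains “Microsoft Office 365” (the marker in the log line quoted above) are flagged, and for those the script deliberately reports no blockable IP, because the oip is Microsoft’s address rather than the end user’s. The first sample line is the one from the post; the other two lines, including the direct-client via= value, are constructed for the example.

```python
"""Flag Zimbra mailbox.log IMAP/POP sessions that were relayed through Microsoft 365.

Added example for this post (not Zimbra's code). It reads the per-session context
block Zimbra logs on every mailbox.log line and reports sessions whose `via=` chain
names Microsoft Office 365, where `oip` is Microsoft's address, not the end user's.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Zimbra's per-session context block: [name=...;ip=...;oip=...;via=...;ua=...;cid=...;]
CONTEXT_RE = re.compile(r"\[(name=[^\]]*)\]")
# Marker Zimbra records in `via=` when the upstream hop is Microsoft's relay
# (taken from the log line quoted in the post).
M365_VIA_MARKER = "Microsoft Office 365"


@dataclass
class SessionFinding:
    user: str
    ip: str                      # address of the hop that reached the mailbox server
    oip: str                     # "originating" IP as Zimbra sees it
    via: str
    ua: str
    proxied_via_m365: bool
    blockable_ip: Optional[str]  # IP safe to put on an abuse block list, or None if unknown


def parse_context(line: str) -> Optional[dict]:
    """Return the key/value fields of the context block, or None if the line has none."""
    m = CONTEXT_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split(";"):
        key, sep, value = item.partition("=")
        if sep:  # skip the empty trailing element after the last ';'
            fields[key] = value
    return fields


def analyze_line(line: str) -> Optional[SessionFinding]:
    """Classify one mailbox.log line; None for lines without a session context."""
    ctx = parse_context(line)
    if ctx is None or "oip" not in ctx:
        return None
    via = ctx.get("via", "")
    proxied = M365_VIA_MARKER in via
    return SessionFinding(
        user=ctx.get("name", ""),
        ip=ctx.get("ip", ""),
        oip=ctx["oip"],
        via=via,
        ua=ctx.get("ua", ""),
        proxied_via_m365=proxied,
        # When Microsoft is in the path, oip belongs to Microsoft, not the user:
        # blocking it would hit every New Outlook user, so report it as unknown.
        blockable_ip=None if proxied else ctx["oip"],
    )


def users_via_m365(lines) -> set:
    """Accounts that had at least one session relayed through Microsoft 365."""
    return {f.user for f in map(analyze_line, lines) if f and f.proxied_via_m365}


# Sample input: the first line is quoted from the post; the other two are constructed.
SAMPLE_LOG = [
    "2025-06-13 17:38:47,637 INFO [ImapSSLServer-118] [name=user@customer_domain.com;ip=10.8.4.153;oip=52.96.75.165;via=Microsoft Office 365/15.20.8769.14,10.8.4.153(nginx/1.24.0);ua=Zimbra/10.0.14_GA_4767;cid=447;] imap - SELECT elapsed=2 (NIO)",
    # constructed: a client connecting directly through the nginx proxy (via= value assumed)
    "2025-06-13 17:40:02,101 INFO [ImapSSLServer-119] [name=other@customer_domain.com;ip=10.8.4.153;oip=203.0.113.7;via=10.8.4.153(nginx/1.24.0);ua=Zimbra/10.0.14_GA_4767;cid=448;] imap - SELECT elapsed=1 (NIO)",
    # constructed: a line without a session context block, which must be ignored
    "2025-06-13 17:40:05,000 INFO [main] zimbra server started",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = analyze_line(line)
        if f:
            print(f"{f.user}: oip={f.oip} via_m365={f.proxied_via_m365} blockable_ip={f.blockable_ip}")
    print("Accounts relayed via Microsoft 365:", sorted(users_via_m365(SAMPLE_LOG)))
```

Run it against a real mailbox.log (one line per list element) to get a list of accounts whose mail is being pulled through Microsoft 365; the blockable_ip field is what an abuse-blocking script should consume instead of the raw oip, so that a compromised account used via New Outlook results in an account lock and password reset rather than a block on Microsoft’s address.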
Second, if your company has signed any NDAs or is a regulated entity, chances are pretty good that email data covered by your NDA, or ePHI sent from one provider in your practice to another, has just gone through Microsoft’s servers — an automatic HIPAA violation. The same applies to attorneys and financial services professionals, who are likewise regulated as to safekeeping the privacy of client data. If New Outlook has access to your calendars and contacts, Microsoft gets that data too.
Third, if you are located outside of the United States and concerned about things like GDPR compliance, or keeping your data off of servers owned by US companies, using New Outlook just transferred your data to Microsoft 365… somewhere. Good luck explaining to your auditor, cyber insurance carrier or government regulator that you just transferred all your email data (and possibly your calendars and contacts too) to Microsoft 365.
Fourth, New Outlook, like any email client, asks for your username and password and does give you a kind of IMHO sneakily crafted disclosure that your data is being routed through Microsoft. But what Microsoft is specifically allowed to do with your private data is fairly extraordinary and not disclosed in a straightforward manner. I had to ask my new BFF Claude (a.k.a. Claude.ai) what Claude could find out for me, and the results were pretty stunning. I asked Claude this exact question:
Please locate the EULA for Microsoft’s New Outlook and find the section(s) that describe what Microsoft is allowed to do with email, contacts and calendar data New Outlook can see when it is connected to non-Microsoft accounts (like Gmail or Zimbra for example).
Claude then came back after taking a few moments to search through a bunch of interconnected Microsoft licenses, and Privacy and Acceptable Use policies, with the following (Claude.ai text in rust color for clarity):
Based on my comprehensive research, I can now provide you with the specific information about Microsoft’s New Outlook EULA and how it handles data from non-Microsoft accounts like Gmail and Zimbra.
Microsoft’s New Outlook EULA and Data Handling for Non-Microsoft Accounts
The End User License Agreement (EULA) for Microsoft’s New Outlook is governed by the Microsoft Services Agreement and Microsoft Privacy Statement, which I’ve located and analyzed. Here are the key sections that describe what Microsoft is allowed to do with email, contacts, and calendar data from non-Microsoft accounts:
Primary Governing Documents
The New Outlook is covered by the Microsoft Services Agreement (effective September 30, 2024) and the Microsoft Privacy Statement, which together form the EULA for this service.
Data Collection and Synchronization
Microsoft explicitly states that “Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers.” This applies to:
- Gmail accounts
- Yahoo accounts
- iCloud accounts
- IMAP accounts (email only)
What Microsoft Can Do With Your Data
According to the Microsoft Privacy Statement, Microsoft is authorized to:
1. Provide and Improve Services
Microsoft uses data to “provide our products, which includes updating, securing, and troubleshooting, as well as providing support” and to “improve and develop our products.”
2. Content Analysis and Processing
Microsoft can process “the content of your communications and files” when you use their services, including emails from third-party accounts that are synced to their cloud.
3. Personalization and Recommendations
Microsoft uses data to “personalize our products and make recommendations” and can “combine data we collect from different contexts.”
4. Advertising
While Microsoft states they don’t use “what you say in email, human-to-human chat, video calls, or voice mail, or your documents, photos, or other personal files to target ads to you,” they do use other data for advertising purposes.
5. Security and Safety
Microsoft may access and process data “to protect the safety of our products and our customers” including systematically scanning content “to identify suspected spam, viruses, abusive actions, or URLs that have been flagged as fraud, phishing, or malware links.”
Data Sharing with Third Parties
Microsoft shares personal data “with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; and to protect the rights and property of Microsoft and its customers.”
Credential Handling
Research has revealed that for IMAP accounts, the New Outlook transfers “the target server, username and password to Microsoft servers” and “Microsoft gets full access to the email account, including the username and password.” For OAuth2 accounts like Gmail, Microsoft receives access tokens rather than passwords.
Legal Compliance and Data Retention
Microsoft will “retain, access, transfer, disclose, and preserve personal data, including your content” when they believe it’s necessary to “comply with applicable law or respond to valid legal process” or “protect the safety of our customers, organizations, and the public.”
Important Disclaimers
Microsoft explicitly states that “The Microsoft Services Agreement and the Microsoft Privacy Statement apply to your use of these versions of Outlook and to your account data. In addition, the provider’s terms of service and privacy policy continue to apply to your account data.”
This means your data is subject to both Microsoft’s terms AND your original email provider’s terms simultaneously.
The research shows that the New Outlook has been criticized as “no longer simply an email service; it’s a data collection mechanism for Microsoft’s 801 external partners and an ad delivery system for Microsoft itself.” (Proton, “Outlook is Microsoft’s new data collection service”.)
These findings indicate that when you connect non-Microsoft accounts to New Outlook, Microsoft gains broad rights to process, analyze, store, and potentially share your email, contact, and calendar data according to their standard terms of service and privacy policies.
Based on the foregoing, as we stated at the top of this blog post, we strongly recommend that users concerned about privacy and data sovereignty never use New Outlook.
If you’d like help with this or any other Zimbra issues, just fill out the form and we’ll get back in touch straightaway!
Hope that helps,
L. Mark Stone
Mission Critical Email LLC
13 June 2025
The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.