News: 1722946690

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Users call on Microsoft to update Outlook's friendly name feature

(2024/08/06)


Users are urging Microsoft to rethink how it shows sender email addresses in Outlook because phishing criminals are taking advantage, using helpful, friendly names to serve up emails loaded with malicious intent.

The problem has been rumbling for a while, attracting more than 100 votes in Microsoft's support forums. It isn't a bug per se but a "feature" that vexes administrators and allows scammers to sneak past a line of defense – the user.

The problem is connected to how a list of emails is displayed. Outlook will helpfully show the friendly name if it can rather than the actual address of the sender. In some service iterations, hovering over the name will show the actual address, but in others, a user must open the email to see the relevant information.

[1]

The opportunities for scammers and phishing attacks are clear. An email might seem legitimate in a user's inbox, and that same user might, therefore, click a malicious link after opening it.

[2]

[3]

The original poster [4]wrote : "We have had multiple issues with both my current and previous employer where busy staff have responded to an email appearing to be from a colleague, only to realize too late that it's a blindingly obvious hoax (sender email is different).

"These are very intelligent, tech-savvy people, and they don't need unhelpful advice to 'check more carefully' - the point is they are busy and stressed, and it's easy to make mistakes.

[5]

"We want to just disable any sender aliases, full stop. We don't need them. We know the people we email. We can recognize their emails. For us, the alias / name override adds nothing of any value, it's just a security risk."

There [6]are ways of forcing older versions of Outlook to show an email sender's actual address in the list, but this is not a particularly practical approach. For context, Microsoft is not the only offender when it comes to being profoundly unhelpful in its attempts to make life easier for users. It is, however, a vendor with a productivity suite that is hugely popular in enterprises.

It is also a vendor not slow to [7]boast about its security prowess , despite what [8]some authorities might think .

[9]

Another user commented on the support forum: "It just defies belief that in 2024 Microsoft are [sic] leaving the door wide open to cyber criminals on what is such a well-known issue with such a simple fix. We are spending all this money on Defender products in Azure to mitigate phishing attacks, but the most significant risk (by far) is this one.

[10]Microsoft is a national security threat, says ex-White House cyber policy director

[11]Elon Musk is suing OpenAI again, claims CEO Sam Altman ‘betrayed’ him

[12]Sneaky SnakeKeylogger slithers into Windows inboxes to steal sensitive secrets

[13]CrowdStrike unhappy about Delta's 'litigation threat,' claims airline refused 'free on-site help'

"This must be one of the most common and most under-reported attack methods. Such an easy fix to make. If not by default, at least make it a practical option to disable. Microsoft, please fix this. It doesn't just financially impact companies, it has a devastating impact on the mental health of people all over the world."

A Register reader got in touch and said, "Effectively they do not allow enterprises to display the true email if an alias or friendly name exists, locking us into a format that phones don't use. I have contacted our Microsoft reseller and even they say that it's bad but that Microsoft won't listen to them."

El Reg contacted Microsoft to see if plans were afoot to add a setting to show the actual email address of a sender and we will update this article if and when the company responds. ®

Get our [14]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrJIouw@hKS-jz6zf6u3vwAAABQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrJIouw@hKS-jz6zf6u3vwAAABQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrJIouw@hKS-jz6zf6u3vwAAABQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://feedbackportal.microsoft.com/feedback/idea/6f783689-929d-ee11-92bd-0022484eec36

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrJIouw@hKS-jz6zf6u3vwAAABQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.espacecode.com/en/how-to/spam-prevention-in-outlook-display-the-sender-s-email-address

[7] https://www.microsoft.com/en-us/security/blog/

[8] https://www.theregister.com/2024/04/21/microsoft_national_security_risk/

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrJIouw@hKS-jz6zf6u3vwAAABQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[10] https://www.theregister.com/2024/04/21/microsoft_national_security_risk/

[11] https://www.theregister.com/2024/08/05/musk_new_lawsuit_openai/

[12] https://www.theregister.com/2024/08/05/snakekeylogger_malware_windows/

[13] https://www.theregister.com/2024/08/05/crowdstrike_is_not_at_all/

[14] https://whitepapers.theregister.com/



Headers anyone

DwarfPants

Whilst they are at it make it possible to see the headers without doing a jig and sacrificing our first born. To be fair Microsoft are better than others in this area Google mail on phones I am thinking of you.

Re: Headers anyone

captain veg

Headers, yes, but I'd rather have the full original plain text source document. Like you get in Evolution by pressing Ctrl+U. Fortunately I was able to get Evolution to interact with our tenanted O365 Exchange thing and so avoid Outlook altogether.

-A.

"more than 100 votes"

Pascal Monett

That's all ?

And they expect Redmond to act on that pitifully small amount of user pressure ?

Gosh, with the millions upon millions of people who use Outlook, not to mention the tens of millions in a business environment, you'd think that, if there were a problem all those users were all uppity about, there'd be a smidgen more than 100 votes to make a change.

No wonder nothing changes . . .

Re: "more than 100 votes"

Anonymous Coward

Depends. Actual end users won’t upvote this since they probably don’t know where to find it. Any of those votes might be of an admin that represent 100, 1000, or 100000 end users. End users might even *dislike* the change, especially the ones in marketing departments.

But Outlook isn’t the only mail client that just uses a “friendly name”, I’d prefer it if any and all mail clients just went back to showing the full sender email address in the from field. With the reply-to as an extra field. And maybe a blue or otherwise coloured check to show that the sender has passed strict spf validation (-all, not ?all). I’d prefer blocking most, that can’t even do that, but apparently that’s quite a lot of our customers and suppliers…

Re: "more than 100 votes"

sev.monster

User Voice (the old forum that Microsoft shut down and wiped without migrating all the questions over) saw interactions in the hundreds and maybe thousands, and the new MS developed platform sees a bit less. These are expected numbers, and honestly I wouldn't be surprised if Microsoft ranks request popularity by "number of users each vote's admin represents in Entra ID". Which would quickly spiral into the hundreds of thousands if not millions.

There aren't a lot of votes but the votes that are there are massively important. But even with that pressure, Microsoft's track record includes more postponing and hand-waving than it does actual fixes. Guess they don't care if joeschmoe.onmicrosoft.com closes shop and dumps 10k users onto an internal Nextcloud instance instead.

[External]

lafnlab

Where I work, all emails that originate outside our domain are flagged with [External] in front of the Subject line and we also see a header that warns that the email isn't from someone with our organization. We use Microsoft 365 and I think it's something the mail admins were able to turn on.

Re: [External]

AMBxx

That's not what they're talking about. If you were my customer, I could legitimately email you. It would be flagged as external, correctly. However, someone else could use the same alias with an outlook.com or other free email service. How would you know the difference?

Re: [External]

katrinab

And where I work, there's people from two different companies working in the same office. People who email from the other company show as "external", even though some of them work in one of the two departments I manage.

Re: [External]

sev.monster

Your email team(s) can definitely fix that. Sounds like they can't be arsed or don't know how.

From bitter experience, MS hates admins.

Anonymous Coward

I have a shopping list of MS "features" that are effectively blocks on estate admins being able to ... well admin.

The worst was working for an education provider who mandated Teams calls used backgrounds so tutors could not see peoples houses.

Now you would *think* that you could find an option in the bowels of O365 admin to mandate that for all users.

Nope. And it's not an accident. MS just don't want admins setting policies. Because I suspect the very first thing the polices would do is block ads, and MS crap.

Re: From bitter experience, MS hates admins.

stungebag

Don't think I've ever seen an ad where a backgrounf could be in Teams.

NO! User's heads will explode from complexity if they are shown an email address.

anderlan

It's only been 40 years since email became widely used and a scant 30 years since email addresses have become a concept known in even the tiniest village! THINK ABOUT THE PHBs! Won't someone think about the PHBs!?!?!?

Doctor Syntax

SeaMonkey and, presumably Thunderbird shows the "friendly" version when listing (it saves column width which is reasonable) and possibly at the head of the view pane depending on the window size, it always displays the full address when replying. Doesn't Outlook do the same or is it too much trouble to glance at that to check just who it is you're writing to?

Snake

Thunderbird definitely shows the "friendly" version, which is indeed irritating when you need to discern who exactly the sender was.

This entire problem could be solved with a pointer hover feature that pops up the full sender address, no other dramatic change to the UI will be necessary.

Why isn't it possible for users to switch off/on this feature?

t245t

Why isn't it possible for users to switch off/on this feature?

$stty -echo ..

The Olden Days

Dennis_the_performance_dork

I have a solution to kill all phishing attacks. . . we go back to Pine or Elm from the command prompt. Maybe even just cat out your /var/mail/spool directly.

Got a link? Sure, it'll just show up as text you can't do anything with until you copy/paste it elsewhere. Embedded MIME items, nope. Sneaky "Friendly" names, nope. Tracking cookies, HA!

The quest to make things easy has made things unsafe. Microsoft, Google, Apple, et al are all trying to make us sleepy mouth breathers who don't know what we're doing and don't need to because they've given us AI assistants and simple UI and happy starshine friendly magic -- unfortunately magic that doesn't work and often backfires.

Write a powershell command

yetanotheraoc

The enterprising enterprise can just update the global address book so the value of the Friendly Name (whatever the Exchange fieldname is internally) is the same as the Email Address. Presto! Now if you receive an email with a friendly-looking name, it's external and/or phishing! If you must have a friendly name, repurpose another field or use one of the custom fields.

Repurposing fields is the time-honoured way of working around brain-dead (non-)functionality in an application. For example, iOS Contacts doesn't have categories. So in Google Contacts I create a Profile field with the group name at the end of the (spoofed) url, this shows up in the url section of iOS Contacts and is searchable.

Come live with me and be my love,
And we will some new pleasures prove
Of golden sands and crystal brooks
With silken lines, and silver hooks.
There's nothing that I wouldn't do
If you would be my POSSLQ.

You live with me, and I with you,
And you will be my POSSLQ.
I'll be your friend and so much more;
That's what a POSSLQ is for.

And everything we will confess;
Yes, even to the IRS.
Some day on what we both may earn,
Perhaps we'll file a joint return.
You'll share my pad, my taxes, joint;
You'll share my life - up to a point!
And that you'll be so glad to do,
Because you'll be my POSSLQ.