pwshub.com

Users: Microsoft must update Outlook's friendly name feature

Users are urging Microsoft to rethink how Outlook shows sender addresses, because phishers are exploiting it: the friendly name shown in the inbox is set by whoever sends the message, so an email from an arbitrary address can present itself under a colleague's name.

The problem has been rumbling for a while, attracting more than 100 votes in Microsoft's support forums. It isn't a bug per se but a "feature" that vexes administrators and allows scammers to sneak past a line of defense – the user.

The problem is in how the message list is displayed. Outlook shows the sender's friendly (display) name when one is present rather than the actual address. That name is the free-text half of the From header and is chosen by the sender; SPF, DKIM and DMARC authenticate the sending domain, not that text, so a message can pass all three checks and still arrive labelled with a colleague's name over an outside address. In some versions of the service, hovering over the name reveals the address, but in others a user must open the email to see it.

The opportunity for phishing is clear. An email can look in the inbox as if it came from a known colleague, and a busy user who opens it on that assumption may click a malicious link or act on a fraudulent request.
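To make the mechanism concrete, here is an added example (not code from the article, Microsoft or the forum posters) that does what the inbox view fails to do: it splits the attacker-controlled display name from the real address in a From header and flags messages whose name matches a known colleague while the address does not. The internal domain, the directory of colleagues and the sample headers are constructed for illustration; the check folds case and diacritics but does not map Cyrillic or Greek homoglyphs onto Latin letters.

```python
"""Flag display-name impersonation in RFC 5322 From headers (added example)."""
import re
import unicodedata
from email import message_from_string
from email.policy import default

INTERNAL_DOMAIN = "example.com"  # constructed: the organisation's own domain

# Constructed directory of known colleagues: normalised display name -> address.
DIRECTORY = {
    "alice liddell": "alice.liddell@example.com",
    "bob finance": "bob@example.com",
}

# Constructed sample From headers, one per verdict.
SAMPLE_HEADERS = [
    "Alice Liddell <alice.liddell@example.com>",                 # genuine colleague
    "Alice Liddell <alice.liddell@outlook-mail.example>",        # name matches, domain does not
    "=?UTF-8?B?QWxpY2UgTGlkZGVsbA==?= <attacker@evil.example>",  # encoded-word "Alice Liddell"
    '"alice.liddell@example.com" <attacker@evil.example>',       # an address used as the name
    "Carol Vendor <carol@supplier.example>",                     # ordinary external sender
    "bob@example.com",                                           # no display name at all
]


def parse_from(from_header: str) -> tuple[str, str]:
    """Return (display_name, addr_spec) using the stdlib header parser.

    Going through email.policy.default decodes RFC 2047 encoded words in the
    display name, which a naive split on '<' would leave as gibberish.
    """
    msg = message_from_string(f"From: {from_header}\n\n", policy=default)
    addresses = msg["from"].addresses
    if not addresses:
        return "", ""
    addr = addresses[0]
    return addr.display_name, addr.addr_spec.lower()


def normalise(name: str) -> str:
    """Case-fold, strip diacritics and punctuation, collapse whitespace.

    "ALICE  Liddéll" and "alice liddell" compare equal after this; homoglyphs
    from other scripts are not handled.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    words = re.sub(r"[^\w\s]", " ", stripped.casefold())
    return " ".join(words.split())


def domain_of(address: str) -> str:
    return address.rpartition("@")[2]


def classify(from_header: str) -> dict:
    """Return what the user sees, the real address, and a verdict string."""
    display, address = parse_from(from_header)
    shown = normalise(display)
    verdict = "ok"
    if "@" in display and display.strip().lower() != address:
        # The display name is itself an email address that differs from the
        # real one: the inbox would show the fake address, not the real one.
        verdict = "address_in_display_name"
    elif shown in DIRECTORY and DIRECTORY[shown] != address:
        # A known colleague's name over some other address.
        verdict = "display_name_impersonation"
    elif domain_of(address) != INTERNAL_DOMAIN:
        verdict = "external"
    return {"shown": display or address, "address": address, "verdict": verdict}


def scan(headers: list[str]) -> list[dict]:
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for result in scan(SAMPLE_HEADERS):
        print(f"{result['verdict']:28} shown={result['shown']!r:45} real={result['address']}")
```

A transport rule or mailbox filter built on the same test (known internal name, non-internal address) is what most administrators actually want from Outlook; the verdicts here are deliberately coarse so the hit can be tagged, quarantined or annotated rather than silently dropped.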

The original poster wrote: "We have had multiple issues with both my current and previous employer where busy staff have responded to an email appearing to be from a colleague, only to realize too late that it's a blindingly obvious hoax (sender email is different).

"These are very intelligent, tech-savvy people, and they don't need unhelpful advice to 'check more carefully' - the point is they are busy and stressed, and it's easy to make mistakes.

"We want to just disable any sender aliases, full stop. We don't need them. We know the people we email. We can recognize their emails. For us, the alias / name override adds nothing of any value, it's just a security risk."

There are ways of forcing older versions of Outlook to show a sender's actual address in the message list, but they are not a practical fix at enterprise scale. For context, Microsoft is not the only vendor whose attempts to make life easier for users end up hiding the one detail they need to see. It is, however, a vendor whose productivity suite is hugely popular in enterprises.

It is also a vendor not slow to boast about its security prowess, despite what some authorities might think.

Another user commented on the support forum: "It just defies belief that in 2024 Microsoft are [sic] leaving the door wide open to cyber criminals on what is such a well-known issue with such a simple fix. We are spending all this money on Defender products in Azure to mitigate phishing attacks, but the most significant risk (by far) is this one.


"This must be one of the most common and most under-reported attack methods. Such an easy fix to make. If not by default, at least make it a practical option to disable. Microsoft, please fix this. It doesn't just financially impact companies, it has a devastating impact on the mental health of people all over the world."

A Register reader got in touch and said, "Effectively they do not allow enterprises to display the true email if an alias or friendly name exists, locking us into a format that phones don't use. I have contacted our Microsoft reseller and even they say that it's bad but that Microsoft won't listen to them."

El Reg contacted Microsoft to see if plans were afoot to add a setting to show the actual email address of a sender and we will update this article if and when the company responds. ®

Source: theregister.com
