Background: Many of my users use smartphones, mostly iPhones to access their in-house MS-Exchange mail accounts via ActiveSync. After the recent security problems with iOS older than 13.5, we had recommended everybody to disable the native iPhone mail app. As a replacement we suggested the Microsoft Outlook App.
Once iOS 13.5 came out, we also suggested to switch back to the native App and uninstall the MS App.
In parallel, we had been observing a significant and growing load on our Exchange and fast growth of transaction logs between daily backups (which clean the logs). It did not get better by itself within a few days and the danger became imminent that our disks cannot hold the log volume of two days so that we'd be doomed if ever a daily backup should fail.
Consequently, we took measures for a more detailed analysis. The culprit were tons of ActiveSync hits, sometimes several thousand per user per day. But there was a correlation: All users with enormous hit counts came in with Outlook-iOS-Android/1.0 as user agent.
This was not that surprising during our first analysis when "everybody" used that App. However, after several users had switched back, the situation remained the same.
Those using the native iPhone App (again) caused signifcantly (i.e., by an order of magnitude) less load and log volume.
Hence we mailed affected users to more urgently switch back to the native App, and already a few of them doing so gave immediate relief - enough for us to no longer worry about the system stability. It was clear that not everybody would switch immediately and also that a handful would certainly completely ignore our demands.
But we were surprised when one user reported to have switched back and yet he still occurred as Outlook-App user (as well as with a different device id with native app). We asked the user specifically whether he had another (private) device active. He denied; the only way he'd ever access mail from his private phone would be ad hoc via browser and Outlook Web Access, and that very rarely as he usually has his office phone with him. With this information, the load of Outlook-App accesses under his account count as suspicious.
I investigated further and found out that these accesses also came from suspicious IP addresses. While other ActiveSync accesses originate from regional (here: German) phone provider ip ranges, those Outlook-App accesses originate from 52.97.x.x, which according to whois belongs to MicroSoft. While this is at least not some obvious Chinese/Russian hacker ip range, this still does not look comforting to me.
Q1: Is it normal that
Outlook-iOS-Android/1.0takes a detour across Microsoft's net range? I'd be happier if mails could only be read by those allowed to do so and not (at least possibly) also by some proxy possibly under US control. I may then even have to completely disallow the use of that App under GDPR.Q2: Is it normal that
Outlook-iOS-Android/1.0causes such an enormous load? As far as I can tell, the client does not even have any configuration option that would allow the user to request a sync every 30 second, say.Q3: Is it normal that
Outlook-iOS-Android/1.0(or said proxy) still causes load after it is no longer installed on any device of the user?
Since uninstalling for some users did reduce load, Q3 is what surprises me most (whereas Q1 is what worries me most and Q2 is what confuses me most).
Q4: What should I do? I am close to blocking the MS network range for incoming requests on port 443 at the firewall ...
