Office365 authentication is broken and insecure
Authentication on Office 365 email services is currently broken, and the way it is broken leaks account information to anyone who asks.
If you log in via IMAP to outlook.office365.com with an email client using a username and password, the server's reply to the LOGIN command depends only on whether the username exists. The password is ignored at that step.
If the username exists, the server replies:
OK LOGIN completed
If the username does not exist, the server replies:
NO LOGIN failed
This happens regardless of whether the password is correct.
With the correct username and the correct password, you can execute IMAP commands after logging in.
With the correct username and an incorrect password, every subsequent IMAP command fails with the following error:
User is authenticated but not connected.
This bug breaks the feedback of every client's authentication flow. Type the right username and the wrong password and watch your client assume everything is fine, because LOGIN returned OK; you won't find out that anything is wrong until you notice that you aren't getting your email. A correctly behaving IMAP server answers NO to LOGIN for any invalid credential, so the client can tell the user immediately. And this is not the worst of it.
The security hole is that, right now, anyone on the internet who can reach outlook.office365.com over IMAP can check which email addresses are served there without knowing a single password. The server answers
OK LOGIN completed when the username exists and
NO LOGIN failed when it does not.
That is a username enumeration oracle, which is exactly what a uniform NO on every failed LOGIN is meant to prevent.
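The exchange described above, reduced to a classifier over the server's tagged IMAP replies, as an added example that is not code from the original post or from Microsoft. It distinguishes the three outcomes the post describes (NO on LOGIN; OK on LOGIN followed by "User is authenticated but not connected"; OK on both) and includes a live probe built on Python's imaplib for checking an account and tenant you are authorised to test. The tag names, the greeting text, the use of LIST as the follow-up command and the assumption that the follow-up error arrives as a NO or BAD tagged reply are all assumptions for illustration; the sample transcripts are constructed, not captured traffic.

```python
"""Classify the outcome of an IMAP LOGIN from the server's tagged replies.

Added example written for this post, not code from the original author or
from Microsoft. It encodes the three outcomes described in the post:
  - NO on LOGIN                                   -> username does not exist
  - OK on LOGIN, then "User is authenticated but
    not connected" on the next command            -> username exists, wrong password
  - OK on LOGIN and OK on the next command        -> valid credentials
The sample transcripts are constructed for illustration, not captured from
outlook.office365.com; tag names and greeting text are assumptions.
"""
import imaplib
import re

# A tagged IMAP response looks like "<tag> <OK|NO|BAD> <human-readable text>".
TAGGED_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<status>OK|NO|BAD)\b\s*(?P<text>.*)$")

# The post-login error quoted in the post; matched case-insensitively.
NOT_CONNECTED_TEXT = "user is authenticated but not connected"

UNKNOWN_USER = "unknown-user"                            # LOGIN rejected outright
KNOWN_USER_WRONG_PASSWORD = "known-user-wrong-password"  # LOGIN accepted, session unusable
VALID_CREDENTIALS = "valid-credentials"
UNDETERMINED = "undetermined"


def parse_tagged(line):
    """Split a tagged response into (tag, status, text); reject anything else."""
    m = TAGGED_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a tagged IMAP response: {line!r}")
    return m.group("tag"), m.group("status"), m.group("text")


def classify(login_reply, followup_reply):
    """login_reply: the tagged reply to LOGIN.
    followup_reply: the tagged reply to the first command sent after an OK
    LOGIN, or None if LOGIN was rejected and nothing else was sent."""
    _, status, _ = parse_tagged(login_reply)
    if status != "OK":
        return UNKNOWN_USER          # the one reply that never depends on the password
    if followup_reply is None:
        return UNDETERMINED          # an OK on LOGIN alone proves nothing here
    _, status2, text2 = parse_tagged(followup_reply)
    if NOT_CONNECTED_TEXT in text2.lower():
        return KNOWN_USER_WRONG_PASSWORD
    if status2 == "OK":
        return VALID_CREDENTIALS
    return UNDETERMINED


def classify_transcript(server_lines):
    """Classify a list of raw server lines: untagged '*' lines (greeting,
    LIST data) are skipped; the first tagged reply is taken as LOGIN's and
    the second, if present, as the follow-up command's."""
    tagged = [ln for ln in server_lines if not ln.lstrip().startswith("*")]
    if not tagged:
        raise ValueError("transcript contains no tagged response")
    return classify(tagged[0], tagged[1] if len(tagged) > 1 else None)


def probe(host, user, password, port=993):
    """Live version of the same check over imaplib (network; run it only
    against an account and tenant you are authorised to test). LIST is the
    assumed follow-up command; the post says any command shows the error."""
    conn = imaplib.IMAP4_SSL(host, port)
    try:
        try:
            conn.login(user, password)          # imaplib raises on a NO reply
        except imaplib.IMAP4.error:
            return UNKNOWN_USER
        try:
            status, data = conn.list()          # returns ('NO', ...) or raises on BAD
        except imaplib.IMAP4.error as exc:
            status, data = "BAD", [str(exc).encode()]
        text = b" ".join(d for d in data if isinstance(d, bytes)).decode("utf-8", "replace")
        return classify("A001 OK LOGIN completed.", f"A002 {status} {text}")
    finally:
        try:
            conn.logout()
        except Exception:   # a half-authenticated session may not take LOGOUT cleanly
            pass


# Constructed server-side transcripts for the three cases in the post.
SAMPLE_UNKNOWN_USER = [
    "* OK IMAP4 service ready.",
    "A001 NO LOGIN failed.",
]
SAMPLE_WRONG_PASSWORD = [
    "* OK IMAP4 service ready.",
    "A001 OK LOGIN completed.",
    "A002 NO User is authenticated but not connected.",
]
SAMPLE_VALID = [
    "* OK IMAP4 service ready.",
    "A001 OK LOGIN completed.",
    '* LIST (\\HasNoChildren) "/" "INBOX"',
    "A002 OK LIST completed.",
]

if __name__ == "__main__":
    for name, lines in [("unknown user", SAMPLE_UNKNOWN_USER),
                        ("wrong password", SAMPLE_WRONG_PASSWORD),
                        ("valid", SAMPLE_VALID)]:
        print(f"{name:>14}: {classify_transcript(lines)}")
```

The point of splitting classify() from probe() is that the oracle lives entirely in the tagged replies: a client that stops at the OK on LOGIN, as every normal mail client does, never sees the second reply and therefore never learns that the password was wrong, while anyone who does look at the first reply alone already learns whether the address exists.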
This is a public request for Microsoft to please fix this bug. We have failed to get them interested in fixing it by the normal channels.