My employer is using outlook.office365.com as email server. I used to access my work emails with Thunderbird via IMAP. This worked for many years, including the use of 2FA, until my employer disabled Thunderbird access. Their reasoning for blocking Thunderbird is provided below. In short, Thunderbird does not comply with GDPR and therefore there is a risk that my work-related data ends up in third-party hands.
My question: Is there indeed such a risk? Has anybody heard of similar cases? It would mean that Thunderbird can't be used in professional environments.
The way you log in via Thunderbird is through a so-called enterprise application at Microsoft, and that is the problem. Basically, the enterprise application asks for a lot of rights; in your case, Thunderbird needs access to read all your emails. It's not possible for us to see how an application like Thunderbird accesses and processes your data. In theory, it could just harvest all your data, and that's what we have to deal with. So there is one GDPR aspect we need to take into account: ensuring that our data does not end up with third parties unless there is a data processing agreement in place. You can read a little more about the principles of how a third party will access data via a CBS/Microsoft account here if you want to dive a little deeper: https://www.varonis.com/blog/using-malicious-azure-apps-to-infiltrate-a-microsoft-365-tenant The article is heavily biased towards decidedly malicious enterprise applications, but the approach will be the same.
The challenge is not so much with the Thunderbird application you have installed, but rather the way it logs in via the so-called enterprise application at Microsoft. Here it is not possible for us to see how the enterprise application uses the data it has access to. It's a bit like installing an app on your phone that asks for access rights to everything. It may not use the rights, but it's not something you can be sure of.
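The employer's argument rests on what the enterprise application was granted, which is the one part of this that a tenant administrator can actually verify. The following is an added example, not code from the original post, the employer, or the Thunderbird project: it lists the delegated OAuth2 permission grants recorded in a Microsoft 365 tenant for a third-party application using the Microsoft Graph PowerShell SDK. It assumes the module is installed, that the signed-in account can read application and directory objects, and that the application shows up as a service principal with the display name "Thunderbird" (an assumption; the actual display name in a given tenant may differ).

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph
# PowerShell module and a service principal named 'Thunderbird' (assumption).
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Locate the enterprise application (service principal) in this tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Thunderbird'" |
      Select-Object -First 1
if (-not $sp) {
    throw "No service principal named 'Thunderbird' found in this tenant"
}

# oauth2PermissionGrants record which delegated scopes were consented to and
# whether consent was given per user ('Principal') or tenant-wide ('AllPrincipals').
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

foreach ($g in $grants) {
    # ResourceId points at the API the scopes apply to (e.g. Office 365 Exchange Online).
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    [pscustomobject]@{
        Application = $sp.DisplayName
        Resource    = $resource.DisplayName
        ConsentType = $g.ConsentType
        PrincipalId = $g.PrincipalId      # empty for tenant-wide consent
        Scopes      = $g.Scope            # space-separated delegated scopes
    }
}
```

What this shows is the scope of the mandate, not its use: delegated scopes only let the client act as the signed-in user, and nothing in the tenant reveals what the client does with the mail after it has obtained a token, which is exactly the gap the employer's reasoning points at. Listing the grants does, however, let an administrator check whether consent is per user or tenant-wide and revoke it with Remove-MgOauth2PermissionGrant if needed.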