Scammers Are Going to Love Windows 8 Mail
Written by Casper Manes on December 5, 2012
I’m not sure whether or not you noticed, but Windows 8 is out. It’s out on the desktop, it’s out for tablets, and Microsoft even has its own hardware now in the form of the Windows Surface. With over 40 million licenses of Windows 8 already sold (retail, OEM and corporate), there’s an awful lot of machines out there with the potential to run the Windows 8 version of mail.
While the Mail application makes for a nice experience on the tablet device, and an acceptable one on non-touch devices, in my humble opinion it is NOT ready for prime time. If you’d like to know why, please read on.
This slimmed-down, optimized-for-touch mail client is both really nice and rather scary. It’s nice in that it really does boil the mail client down to the most rarified form…it’s like the brandy version of Outlook Express’s fine wine. Mail uses the Exchange ActiveSync protocol to connect to Exchange servers, which means that many corporate email admins will be comfortable permitting personally owned devices to connect to the company’s Exchange on-prem or Office 365 email system since they can use EAS to lock down personal devices, and if necessary, remote-wipe them. Of course Mail can also connect to email systems like Hotmail/Outlook.com, Gmail, Yahoo, AOL, or any other email system offering IMAP, but from a corporate perspective it’s going to be Exchange on-prem or Office 365 that will see the most demand.
Mail has some notable limitations that most users will pick up on quickly. The most obvious is that there is no way to print from it directly. Tablet users may not notice or even care, and if they do, they will find themselves in the same situation most iPad users are in. But printing is secondary to my two main concerns.
The first is that there are no junk-mail settings in this client. For an EAS client, built to connect to corporate email systems, it came as a shock to me that while I could see my Junk Mail folder, there was no way I could mark a false positive as from a safe sender, or mark an actual piece of spam in my inbox as junk. There’s no way to block senders or add senders to my safe senders list. Yes, these are features only available in Exchange and O365 when using Outlook or OWA, but remember, who makes both those products and this mail client?
That’s not the worst of it. “Missing” features may come in a future update or service pack, or you may just have to use a full client or OWA to access those settings. Here’s the worst of it.
Consider an email that arrives in an end user’s mailbox. It contains a link, or two, or even ten. Some of those links might be full URLs, others may be just text with a hyperlink. Some may even be buttons or pictures. Whenever you get a suspect mail, what do you do with any of those links to get a better idea of where they go? That’s right, you mouse over them to see what the actual destination looks like. I’m only assuming that, because Mail was built for touch devices first, Microsoft decided to leave out a mouse-over option. Okay, I get that. However, what they did not include was any kind of safety mechanism. You click one of those, you open it. There is no warning, no indication of where the link might be taking you. It opens any link in IE10.
Sure, you clicked on a link, so you want it to open. You’re a techie. What’s the number one way our users get pwned? They click on links without checking them! And there is no way in this client to check on those links. You either click, or you ignore. To which one of these will your users default?
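As an added example (not part of the original post, and unrelated to any Microsoft code), the Python below does for a saved HTML message body what the mouse-over does in a full client: it lists each link's visible text next to its real destination and flags text that names a different host. The names `LinkAuditor`, `host_of` and `audit_links` are hypothetical, the sample body is constructed, and the comparison is a simple exact-host match.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAuditor(HTMLParser):  # collects (visible label, real href) per <a href>
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._label = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._label = attrs["href"].strip(), []
        elif tag == "img" and self._href is not None:  # picture/button link: use alt text
            self._label.append("[image: %s]" % (attrs.get("alt") or "no alt text"))

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._label).split()), self._href))
            self._href = None

def host_of(text):
    """Lowercase host if text looks like a URL or bare domain, else None."""
    if " " in text or "." not in text:
        return None
    try:
        return urlsplit(text if "://" in text else "//" + text).hostname
    except ValueError:  # malformed host such as unbalanced brackets
        return None

def audit_links(html_body):
    """Return (label, href, verdict) per link, flagging text that names another host."""
    parser = LinkAuditor()
    parser.feed(html_body)
    report = []
    for label, href in parser.links:
        shown, actual = host_of(label), host_of(href)
        verdict = ("MISMATCH: text shows %s, link opens %s" % (shown, actual)
                   if shown and actual and shown != actual else "opens %s" % (actual or href))
        report.append((label, href, verdict))
    return report

# Constructed sample body; example.com and example.net are reserved domains.
SAMPLE = ('<a href="http://login.example.net/verify">www.example.com/account</a> '
          '<a href="http://example.net/t?id=1"><img src="b.png" alt="Sign in"></a> '
          '<a href="https://www.example.com/help">Help centre</a>')
```

Calling `audit_links(SAMPLE)` returns one row per link; the first row is the case the hover check exists to catch, where the text reads as one site and the link opens another.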
Until better/safer/more locked down options exist for Mail, I won’t be recommending that you use it, advocate it, or even grudgingly acknowledge that it is something your users can configure. I’ll be actively advising my users not to use it, and to stick with webmail access to any of their email accounts (or installing something more robust) until Mail catches up with the rest of the Internet. Here’s hoping Microsoft drops a patch quickly.