3
Outlook 2024 bug keeps triggering IDS blocks
Problem reported by Marco DB - 7/9/2025 at 5:44 AM
Known
Hi,

After much debugging I finally came to the conclusion that there is a bug in the Office 2024 Outlook (possibly 365 too) that makes it constantly try to log in with the local account name as username, triggering IDS continuously and consequently making the users unable to use the mail.

Example setup:

mailbox: user@example.com
windows local account name: mike

While Outlook appears to be working for the mailbox user@example.com, in reality it is constantly and silently trying to access the mailbox mike@example.com, which does not exist. So, in the SmarterMail logs, a plethora of these pop up:

01:49:47.421 [79.52.9.xx] MAPIEWS NTLM; AuthenticateMessage; User not found [mike@example.com] [*censored*]
01:49:47.421 [79.52.9.xx] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [mike@example.com].
    Brute force attempts increased to 77 of 350 in 1440 minutes; 3 of 60 in 10 minutes.
    Next clean available at 09/07/2025 01:50:31

Do any of you know how to stop Outlook from doing that?
2
Derek Curtis Replied
Employee Post
We have a ticket on this but we haven't been able to find a way to stop Outlook from the local user authentication attempt. One potential workaround that may help is to whitelist the IP to prevent the IDS blocks, though only if the IP is static. Other than that, nothing else seems to work.

We're waiting to hear back on whether disabling NTLM using GPO works or not. 
Derek Curtis COO SmarterTools Inc. www.smartertools.com
0
Brian Bjerring-Jensen Replied
Try to disable telemetry in Windows....
1
Matthew Titley Replied
I can confirm that we are experiencing this same issue and are attempting to circumvent the issue with a combination of whitelisting IP addresses and tinkering with IDS settings. Nevertheless, it's a problem for sure.
0
Marco DB Replied
I see, so it's a known issue.

I believe Microsoft is doing that intentionally to disrupt 3rd party services/apps.

I think for SmarterMail the best way to handle this would be to have the ability to ignore the IDS counter for non-existent usernames.
Right now it doesn't discriminate whether the login is for an existing user or not, and that's part of the problem.
4
Brian Bjerring-Jensen Replied
Isn't that compromising what IDS stands for? One is the mailboxes but it's still an attempt to get in and you don't know what they are looking at unless you monitor it...
0
Douglas Foster Replied
I wonder if you can affect the problem by tuning your autodiscover registry keys.
0
Marco DB Replied
Nope, tried that but it doesn't help.
0
Douglas Foster Replied
For clarification, is Outlook 2024 an implementation of "New Outlook", which forces your traffic through a Microsoft server?
2
Douglas Foster Replied
The choice is pretty clear: Client wants to use software that attempts unauthorized logins. That misbehavior causes IDS responses that affect more than just the one user of that product. The appropriate solution is for the user to use a different product which does not have this misbehavior (Outlook 2021, EM Client, or Webmail).

The inappropriate solution is to weaken your security to accommodate a buggy piece of software, but maybe this client is so powerful that you have to do that. It is definitely something that the community wants SmarterMail to implement.

If it comes down to a confrontation, I can see two ways to defend against users who insist on using a dangerous product: (a) implement a web proxy rule that blocks traffic based on the Outlook2024 user agent, or (b) remove permissions to use client protocols from offending user accounts.

I'm not sure that I know how to implement a user agent filtering rule, and SmarterMail is only now obtaining formal support for use of web proxies. A web proxy rule will work for web-based protocols (MAPI, EWS, ActiveSync), but not for IMAP+SMTP or POP+SMTP. Consequently, the usefulness of a user-agent filter depends on the extent of the Outlook bug.
0
Marco DB Replied
> For clarification, is Outlook 2024 an implementation of "New Outlook", which forces your traffic through a Microsoft server?

Not at all, it's the classic Outlook, just the one included in Office 2024.
0
Brian Bjerring-Jensen Replied
Is it all versions? Also LTSC affected?
0
Frans Rampen Replied
Yes, it also affects the 2024 LTSC version, currently running on macOS. I'm unable to add the account due to this error.
5
John Quest Replied
> I think for SmarterMail the best way to handle this would be to have the ability to ignore the IDS counter for non-existent usernames.
> Right now it doesn't discriminate whether the login is for an existing user or not, and that's part of the problem.

Absolutely NO! Like Douglas has said, this is a Microsoft problem. NEVER decrease security on one product due to the bugs of another product.
1
Kyle Kerst Replied
Employee Post
Excluding non-existent usernames from IDS tracking would mean that most password probing attempts would be missed by the IDS until they started hitting real accounts as well. We frequently see hackers/scripts attempting to guess passwords and they typically start with a list of non-existent usernames meaning we have them IDS blocked before they get to valid accounts. 
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
0
Marco DB Replied
> Absolutely NO! Like Douglas has said, this is a Microsoft problem. NEVER decrease security on one product due to the bugs of another product.

Right, so you have to greatly relax IDS rules or your legitimate users will be permanently blocked... which is even worse.

> Excluding non-existent usernames from IDS tracking would mean that most password probing attempts would be missed by the IDS until they started hitting real accounts as well. We frequently see hackers/scripts attempting to guess passwords and they typically start with a list of non-existent usernames meaning we have them IDS blocked before they get to valid accounts.

I'm not sure you understand the problem. When most of your users have this issue you HAVE to greatly increase the IDS limits, thus making it way less effective, or the legit users won't be able to work.

Also this is a moot point, because it would be just an option, like you can entirely disable IDS if you want right now. I'd rather ignore login failures for non-existent accounts (or set it to a much higher threshold), and block attempts to force existing account after the 3rd time in a few minutes than having no control whatsoever and have to put a stupidly high limit for every kind of attempt for the users to be able to use Outlook.

IDS rules are far too coarse, and while the bug is Microsoft's fault, the countermeasures you can take are extremely limited and that's SmarterMail's issue.

1
John Quest Replied
> IDS rules are far too coarse, and while the bug is Microsoft's fault, the countermeasures you can take are extremely limited and that's SmarterMail's issue.

I do not think you understand the reason and need for IDS rules.

Like others have pointed out, in my 25 years of experience as an email administrator, the amount of malicious attempts to NON-EXISTENT/NON-VALID user/email address far outnumbers the malicious attempts as valid user/email address.

Bottom line, this is a Microsoft problem. Focus your efforts there.
0
Douglas Foster Replied
I don't object to an option given the situation. SmarterMail has previously given us a workaround to Outlook.com disconnecting without waiting for an SMTP response, and failing to reattempt delivery.

I fantasize that Microsoft would have acknowledged this as a major bug, and the fix would have been made available in Windows Update in less time than it has taken to discuss this topic. Dream on.
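
Added example (not part of any post in this thread and not SmarterTools code): a log triage script that separates the two patterns the thread argues about, one source IP repeating a single unknown username (as in the first post) versus one source IP cycling through several unknown usernames (the probing Kyle Kerst describes). It assumes the "Login failed ... User not found" line format quoted in the first post; the sample lines, the labels and the `min_repeats` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the "Login failed ... User not found [user]" line quoted in the first post.
FAILED = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3} \[(?P<ip>[^\]]+)\] \S+ \S+ "
    r"Login failed: .*User not found \[(?P<user>[^\]]+)\]"
)

# Constructed sample lines in that format (documentation IPs, made-up usernames).
SAMPLE_LOG = """\
01:49:47.421 [192.0.2.10] MAPIEWS NTLM; AuthenticateMessage; User not found [mike@example.com] [*censored*]
01:49:47.421 [192.0.2.10] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [mike@example.com].
    Brute force attempts increased to 1 of 350 in 1440 minutes; 1 of 60 in 10 minutes.
01:52:10.105 [192.0.2.10] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [mike@example.com].
01:55:33.870 [192.0.2.10] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [Mike@example.com].
02:01:02.004 [198.51.100.7] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [admin@example.com].
02:01:02.911 [198.51.100.7] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [info@example.com].
02:01:03.650 [198.51.100.7] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [test@example.com].
02:10:44.300 [192.0.2.55] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [anna@example.com].
"""

def summarize(log_text):
    """Return {ip: {username: failure_count}} for unknown-user login failures."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.match(line)  # the paired non-"Login failed" line is skipped, so no double count
        if m:
            per_ip[m["ip"]][m["user"].lower()] += 1
    return {ip: dict(users) for ip, users in per_ip.items()}

def classify(users, min_repeats=3):
    """Label one IP's failures; min_repeats is an assumed threshold, tune it locally."""
    if len(users) > 1:
        return "multiple-unknown-users"        # several different names from one source
    if sum(users.values()) >= min_repeats:
        return "repeated-single-unknown-user"  # same wrong name over and over
    return "insufficient-data"

def report(log_text):
    """Return {ip: label} for every source IP with unknown-user failures."""
    return {ip: classify(users) for ip, users in summarize(log_text).items()}

if __name__ == "__main__":
    for ip, label in sorted(report(SAMPLE_LOG).items()):
        print(ip, label, summarize(SAMPLE_LOG)[ip])
```

The label is a triage hint for deciding which source IPs to look at before whitelisting or changing IDS thresholds; a single repeated name can come from any misconfigured client, not only Outlook.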
