Tuta recently published an article claiming that Outlook is plagued with critical security risks for business users. Unfortunately, their piece is full of misleading claims, outdated references, and a fundamental misunderstanding of enterprise IT. Let’s set the record straight, starting with the critical information they chose to withhold.
Misleading claim #1: Microsoft forces users to switch & stores all emails in its cloud
The Tuta article falsely claims that Microsoft is “forcing” users to switch to the new Outlook and route all emails through Microsoft’s cloud servers, even for non-Microsoft accounts. This claim is misleading on multiple levels:
Transparency and user consent
Microsoft is upfront about this change. When setting up a non-Microsoft account in the new Outlook, users are clearly informed:
“For a better experience, your emails, calendar events, and contacts will be synced to the Microsoft cloud when you sign in and accept all permissions.”
Microsoft even provides a “Learn more” link, offering additional details about the change, why it was made, and the benefits it brings, such as enhanced synchronization features and improved cross-platform access. This is not hidden, nor is it forced. Users are given the choice to proceed or not.
To give Tuta credit, they take a different approach by avoiding third-party cloud hosting altogether. This means they don’t have to sync data between external servers like Microsoft does. However, this also limits integration with external services—a tradeoff that comes with both benefits and drawbacks.
Phased rollout and continued support for classic Outlook
The new Outlook is being rolled out in a multi-year, three-phase process. Currently, users can opt in to try the new Outlook. The classic Outlook app will continue to be supported until at least 2029, giving users ample time to transition—or not.
No one is being forced. You can continue using the classic Outlook for many years. This phased approach allows users and businesses to adapt at their own pace.
Security of passwords and access data
Tuta’s claims imply that Microsoft has full access to users’ passwords. This is blatantly false. For IMAP providers using BasicAuth, Microsoft stores access data as an encrypted user token in the user’s mailbox. For providers like Gmail and Yahoo that use OAuth, Microsoft never accesses plain-text passwords and only uses OAuth tokens for authentication.
These measures ensure user credentials are handled securely and never exposed to Microsoft.
While Tuta avoids this entirely by not supporting IMAP/POP3, this also limits users’ ability to use third-party email clients, which is a notable tradeoff.
Misleading claim #2: Outlook lacks end-to-end encryption
Tuta is correct that end-to-end encryption (E2EE) is the strongest way to secure email, and they offer E2EE when both the sender and recipient use Tuta. However, their criticism of Outlook ignores that businesses rely on layered security approaches, not just E2EE. Microsoft offers S/MIME, Office 365 Message Encryption, and Data Loss Prevention (DLP) to protect business communications in ways that Tuta does not.
Tuta asserts that Outlook is insecure because it does not enforce end-to-end encryption (E2EE) by default. This oversimplifies enterprise email security:
- Businesses rely on tools like Microsoft Purview Message Encryption, S/MIME, and Office 365 Message Encryption to protect emails at rest and in transit. These tools allow businesses to implement robust security measures tailored to their needs.
- Not all emails require E2EE. Layered security approaches, including TLS encryption and Data Loss Prevention (DLP), are sufficient for many scenarios.
To Tuta’s credit, their email system enforces E2EE by default when communicating between Tuta users, something that mainstream providers do not offer. However, their criticism of Microsoft ignores that businesses operate in environments where multiple security layers—not just E2EE—are necessary for compliance and operational needs.
Misleading claim #3: Microsoft can access all emails
Tuta does a better job than Gmail or Outlook in ensuring emails aren’t mined for advertising, which is a legitimate privacy advantage. However, their claim that Outlook allows full Microsoft access is misleading. Businesses using Microsoft 365 retain full ownership of their data, and emails are encrypted in transit and at rest with strict access controls like Customer Lockbox.
Misleading claim #4: Outlook is uniquely vulnerable
No software is free from vulnerabilities, but implying that Outlook is uniquely insecure is misleading. Microsoft’s security infrastructure includes:
- Aggressive patch cycles to address vulnerabilities promptly.
- Advanced Threat Protection (ATP) with anti-phishing and malware scanning to protect users from emerging threats.
- AI-driven analytics to detect and mitigate security threats in real time.
These measures are among the most advanced in the industry, surpassing what smaller providers like Tuta can offer.
Tuta avoids some traditional attack vectors by keeping a smaller, closed ecosystem, but their lack of third-party security integrations limits the flexibility and control businesses have.
Misleading claim #5: Forced migration to the new Outlook
Tuta claims that Microsoft 365 business users are being “forced” to switch to the new Outlook, implying that this introduces new security risks. This is fundamentally incorrect.
- If you are a Microsoft 365 business user, your email is already hosted and stored by Microsoft using Exchange Online. This is true whether you use classic Outlook, new Outlook, or Outlook Web Access.
- Switching to the new Outlook does not change how or where your emails are stored—it only changes how you access them.
- This claim demonstrates a lack of understanding of how Microsoft 365 business operates and is misleading to those unfamiliar with Exchange Online.
The real problem: misleading narratives
Tuta’s article is a prime example of exaggerated security concerns designed to position their product as the “secure alternative.” Here’s the reality:
- Claiming Microsoft is “forcing” users without mentioning the transparency during setup, the phased rollout, or the fact that most businesses already use Microsoft servers is misleading.
- Citing Reddit as evidence? Seriously? Anonymous internet gripes are not credible proof. Referencing issues from 2022 when the app was still in development ignores the advancements made since then. It’s 2025—let’s stick to current facts.
Conclusion
Tuta’s article presents misleading narratives rather than a balanced discussion on security. Instead of providing a well-rounded analysis, they emphasize exaggerated risks to steer users toward their product.
If Tuta Mail truly offered a better service, they wouldn’t need to rely on misleading claims to sell it.
Facts over fear, always.