Exchange Online show foreign address lists (GAL) – a GDPR violation

[German]A reader pointed out to me a strange and dubious behavior of Exchange Online. It has been observed that users are offered global address lists (GAL) from other tenants as soon as people try to fill out the To field in an email or appointment. In any case, it is problematic under the European GDPR (General Data Protection Regulation).


Advertising

Exchange Online shows foreign address lists

Christopher, a German administrator, contacted me yesterday (October 24, 2023) to let me know about a very strange effect in Exchange Online that he observed in his corporate environment. This issue can be described like this.

  • The user tries to create a new e-mail or appointment.
  • As soon as he selects the To field with the recipients, suggestions are presented.
  • That's a normal behavior, but some users are found address lists of other (foreign) tenants, they have never heared about.
  • If the address selection window is closed and opened again, the correct, company-internal address list is displayed.

The reader asked whether I had already encountered something in this regard, which I had to deny. Attached is a screenshot with blackened data of an address book for room occupancy – where foreign company data appears.

Global Address List (GAL) of a foreign tenant

Sporadic occurrence at the reader

The reader states that the effect only occurred with various users in his company environment. He himself was able to observe these incidents on yesterday, October 24, 2023, between about 11-16 o'clock. The mail reached me on Oct. 24, 2023, at 5:29 am (CET) and Christopher writes that it hasn't occurred since an hour ago.

An entry on reddit.com

The user then pointed me to the reddit.com thread [Exchange Online] Users are getting Global Address Lists from other Tenants, where the same effect has been described. The poster also seems to be from Germany and writes.


Advertising

If I hadn't seen it myself I would have archived the ticket under the Tag "User Hallucinating".

Thing is, User opens his Outlook GAL, we're getting A LOT of Deutsche Telekom Addresses, everything looking legit. Just..it's not ours.

So we just go full emergency, assume the Global Admin has been hacked, check all logs.. Not a single sign of a breach. No apps, no logins, no change in our GAL policies.

Close the Addressbook (not even Outlook) reopen it.. it's back to normal.

Had I not made a screenshot I would have questioned my own sanity.

Anything similar happened to any of you?

On reddit.com other users has confirmed this observation. After I've published the German edition of this blog post, I got more confirmations.

Microsoft has not yet published anything about this. I classify this as a GDPR-relevant incident that actually has to be reported to the data protection supervisory authority.

I came across the article Microsoft 365 inter-tenant collaboration dated October 21, 2023. Is only a vague suspicion – but the time window fits, possibly a bug in the introduction of the feature.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Cloud, Security and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *