Microsoft Alters Cyber Norms with Email Security Practices
In a significant shift in cyber norms, Microsoft's email security scanners, and others like them, now visit links in emails and execute the JavaScript on the linked pages, including scripts that result in POST requests. Traditionally, automated clients avoided POSTs because of their potential side effects. This change is causing disruptions, particularly with single-use sign-on links and email confirmation messages.
Unexpected Challenges with Email Security Scanning
An unexpected incident highlighted this issue when a user was unable to perform a password-less sign-on, receiving an error that the link had already been used. This was a result of Microsoft’s email security scanning practices that inadvertently “consume” such links before users can use them.
Evolution of Cyber Norms
The landscape of internet security has always been fluid. Historically, there were stringent norms and ethics regarding actions such as email blocking and software “phoning home.” Over time, these norms evolved to balance security needs with user privacy.
The current challenge arises because Microsoft’s security scanners now take actions traditionally gated on user consent, such as executing JavaScript and making POST requests from links in emails.
Implications and the New Norm
This practice disrupts well-established norms, which dictated that POST requests, due to their potential to alter states, should not be performed automatically. Yet, Microsoft now executes JavaScript on pages linked in emails, potentially causing unintended POSTs.
Recommendations for Service Operators
Service operators are urged to adapt by designing systems that tolerate multiple visits to a sign-on link, including the automated visits made by security scanners before the user ever opens the message. Single-use links need to be re-evaluated, since a link that is consumed on first access no longer guarantees that the access came from the user.
Attempts to circumvent these scans with measures like captchas may lead to user frustration and backlash from Microsoft, potentially landing operators on a “naughty list.”
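The following is an added example, not code from the original page or from any service it mentions, illustrating one way to make a magic-link flow survive scanner pre-fetches. It contrasts a design that consumes the token on the GET (the pattern that breaks when a scanner visits the link first) with one where the GET only renders a confirmation page containing a plain HTML button and the token is consumed on the subsequent POST. The host name, the in-memory store and the simulated scanner visit are assumptions made for the example; a real service would persist tokens in a database.

```python
import hashlib
import secrets
import time

# Token lifetime; assumed value for the example.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkService:
    """Constructed in-memory magic-link service (hypothetical, for illustration)."""

    def __init__(self, now=time.time):
        self._now = now
        # token_hash -> {"user": str, "issued": float, "used": bool}
        # Only the SHA-256 of the token is stored, so a leaked table yields no usable links.
        self._tokens = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a single-use token and return the link that would be emailed."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = {"user": user, "issued": self._now(), "used": False}
        return f"https://example.invalid/login?token={token}"  # hypothetical host

    def _lookup(self, token: str):
        """Return the live record for a token, or None if unknown, used or expired."""
        rec = self._tokens.get(self._hash(token))
        if rec is None or rec["used"]:
            return None
        if self._now() - rec["issued"] > TOKEN_TTL_SECONDS:
            return None
        return rec

    # Design A: the GET itself signs the user in and burns the token.
    # A scanner that fetches the link before the user does consumes it.
    def login_on_get(self, token: str) -> dict:
        rec = self._lookup(token)
        if rec is None:
            return {"status": 400, "body": "link already used or expired"}
        rec["used"] = True
        return {"status": 200, "body": f"signed in as {rec['user']}"}

    # Design B: the GET only renders a confirmation page; nothing is consumed.
    # The page deliberately contains no script that auto-submits the form, because
    # scanners that execute JavaScript would otherwise POST on the user's behalf.
    def confirm_page_on_get(self, token: str) -> dict:
        if self._lookup(token) is None:
            return {"status": 400, "body": "link already used or expired"}
        form = '<form method="post"><button name="confirm" value="1">Continue</button></form>'
        return {"status": 200, "body": form}

    def login_on_post(self, token: str, form: dict) -> dict:
        """Consume the token only on an explicit confirmation POST."""
        if form.get("confirm") != "1":
            return {"status": 400, "body": "confirmation required"}
        rec = self._lookup(token)
        if rec is None:
            return {"status": 400, "body": "link already used or expired"}
        rec["used"] = True
        return {"status": 200, "body": f"signed in as {rec['user']}"}


def _token_from(link: str) -> str:
    return link.split("token=", 1)[1]


def user_outcome(design: str) -> int:
    """Simulate a scanner fetching the link before the user, then the user's own visit.

    Returns the HTTP status the real user ends up with under design "A" or "B".
    """
    svc = MagicLinkService()
    token = _token_from(svc.issue("alice@example.invalid"))  # constructed user
    if design == "A":
        svc.login_on_get(token)            # scanner's automated GET burns the token
        return svc.login_on_get(token)["status"]  # the user is now refused
    svc.confirm_page_on_get(token)         # scanner renders the page but clicks nothing
    svc.confirm_page_on_get(token)         # user opens the same page
    return svc.login_on_post(token, {"confirm": "1"})["status"]


def replay_after_use() -> int:
    """Under design B the token is still single-use: a second POST is rejected."""
    svc = MagicLinkService()
    token = _token_from(svc.issue("alice@example.invalid"))
    svc.login_on_post(token, {"confirm": "1"})
    return svc.login_on_post(token, {"confirm": "1"})["status"]


if __name__ == "__main__":
    print("design A, user after scanner:", user_outcome("A"))  # 400
    print("design B, user after scanner:", user_outcome("B"))  # 200
    print("design B, replayed POST:", replay_after_use())      # 400
```

Design B keeps the link single-use for its actual purpose while making an arbitrary number of automated GETs harmless; the remaining exposure is any script on the confirmation page that submits the form without a user click, which is exactly the behaviour the article reports scanners now exercise.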
Calls for Transparency
The industry’s major players, recognized as “designated gatekeepers” under regulations like the EU Digital Markets Act, should be more transparent about their practices. While security measures must remain confidential to an extent, breaking existing systems without warning is counterproductive.
The call is for accountability and advance notice from these corporations to prevent unforeseen disruptions in service operations and to maintain trust in digital security practices.