Outlook’s Simple Missing InfoSec Feature

Outlook’s Simple Missing InfoSec Feature

As we all know, one of the biggest threats/risks to an organisations security are its users – every presentation you see has the ‘surprising’ statistic of just how many breaches start with – or are entirely caused by – actions by a user.

Building on this, one of the most common causes of an ‘accidental exfiltration’ of data (still a breach in the eyes of governing bodies such as the ICO) is sending to the wrong recipient, referred to as a misdirected email.  According to Cisco Magazine, around 3.4 emails get sent to the wrong recipient every day.

What’s the Outlook Feature?

As we all know, Outlook has a feature that remembers previously sent email addresses and stores them for ‘autocomplete’ when we next send a message – great in theory but from what I’ve seen, this is the route cause of most misdirected emails.

The problem with this feature is that there are no controls over it apart from a complete purge or manual removal of addresses:

If Microsoft could add a simple feature where we can set an expiry for cached email address in autocomplete, it would have a massive impact.  Personally, I would set mine to 7 days so anyone I hadn’t emailed in 7 days would be excluded from autocomplete.

Other obvious additional features would be the ability to ‘pin’ some recipients to exclude them from the feature and also exclude entire domains.

I’m sure some users would take a less drastic approach and maybe have the autocomplete cache purge unused addresses after a couple of months but even that is a huge improvement on the years of data I currently see coming up.


So in summary, just three simple options could make a drastic reduction in the number of misdirected emails:

  • Allow an automated purge of autocomplete addresses older than x days
  • Allow exclusions to this based on domain
  • Allow exclusions via a direct ‘pinning’ of the email address (obviously contacts should be excluded anyway).
Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.

Disclosure Policy

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.