Back to Community Threads
Outlook 2024 bug keeps triggering IDS blocks
Problem reported by Marco DB - 7/9/2025 at 5:44 AM
Known
Hi,

after much debugging i finally came to the conclusion that there is a bug in the Office 2024 outlook (possibly 365 too) that makes it constantly try to login with the local account name as username, triggering IDS continuously and consequently making the users unable to use the mail.

Example setup:

mailbox: user@example.com
windows local account name: mike

while outlook appears to be working for the mailbox user@example.com , in reality it is constantly and silently trying to access the mailbox mike@example.com which does not exist. So, in the smartermail logs, a plethora of these pop up:

01:49:47.421 [79.52.9.xx] MAPIEWS NTLM; AuthenticateMessage; User not found [mike@example.com] [*censored*]
01:49:47.421 [79.52.9.xx] MAPIEWS NtlmAuthenticate Login failed: NTLM; AuthenticateMessage; User not found [mike@example.com].
    Brute force attempts increased to 77 of 350 in 1440 minutes; 3 of 60 in 10 minutes.
    Next clean available at 09/07/2025 01:50:31

do any of you know how to stop outlook from doing that? 
Derek Curtis Replied
7/9/2025 at 2:25 PM
Employee Post
We have a ticket on this but we haven't been able to find a way to stop Outlook from the local user authentication attempt. One potential workaround that may help is to whitelist the IP to prevent the IDS blocks, though only if the IP is static. Other than that, nothing else seems to work.

We're waiting to hear back on whether disabling NTLM using GPO works or not. 
Derek Curtis COO SmarterTools Inc. www.smartertools.com
Brian Bjerring-Jensen Replied
7/9/2025 at 2:30 PM
Try to disable telemetry in windows....
Matthew Titley Replied
7/9/2025 at 8:10 PM
I can confirm that we are experiencing this same issue and are attempting to circumvent the issue with a combination of whitelisting IP addresses and tinkering with IDS settings. Nevertheless, it's a problem for sure.
Marco DB Replied
7/9/2025 at 11:22 PM
i see, so it's a known issue

i believe microsoft is doing that intentionally to disrupt 3rd party services/apps

i think for smartermail the best way to handle this would be to have the ability to ignore IDS counter for non-existant usernames
right now it doesn't discriminate whether the login is for an existing user or not, and that's part of the problem
Brian Bjerring-Jensen Replied
7/10/2025 at 12:52 AM
Isnt that compromising what IDS stands for? One is the mailboxes but its still an attempt to get in and you dont know what they are lkooking at unless you monitor it...
Douglas Foster Replied
7/10/2025 at 10:26 AM
I wonder if you can affect the problem by tuning your auto discover registry keys
Marco DB Replied
7/10/2025 at 11:39 PM
nope, tried that but doesn't help. 
Douglas Foster Replied
7/11/2025 at 3:44 AM
For clarification, is Outlook 2024 an implementation of "New Outlook", which forces  your traffic through a Microsoft server?
Douglas Foster Replied
7/11/2025 at 4:14 AM
The choice is pretty clear:   Client wants to use software that attempts unauthorized logins.  That misbehavior causes IDS responses that affect more than just the one user of that product.  The appropriate solution is for the user to use a different product which does not have this misbehavior (Outlook 2021, EM Client, or Webmail).   

The inappropriate solution is to weaken your security to accommodate a buggy piece of software, but maybe this client is so powerful that you have to do that.  It is definitely something that the community wants SmarterMail to implement.

If it comes down to a confrontation, I can see two ways to defend against users who insist on using a dangerous product:   (a) implement a web proxy rule that blocks traffic based on the Outlook2024 user agent, or (b) remove permissions to use client protocols from offending user accounts.   

I'm not sure that I know how to implement a user agent filtering rule, and SmarterMail is only now obtaining formal support for use of web proxies.   A web proxy rule will work for web-based protocols (MAPI, EWS, ActiveSync), but not for IMAP+SMTP or POP+SMTP.   Consequently, the usefulness of a user-agent filter depends on the extent of the Outlook bug..
Marco DB Replied
7/11/2025 at 7:01 AM
For clarification, is Outlook 2024 an implementation of "New Outlook", which forces  your traffic through a Microsoft server?
not at all, it's the classic outlook, just the one included in Office 2024
Brian Bjerring-Jensen Replied
7/11/2025 at 8:00 AM
Is it all versions? Also LTSC affected?
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Add to Outlook LimitationsSmarterMail > Desktop and Mobile Synchronization
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting
Understanding SNI in SmarterMailSmarterMail > Server Configuration and Management
New SmarterMail and WHMCS IntegrationUtilities and Conversion Tools
Microsoft Outlook PST vs OST vs OLM -- What's the Difference?SmarterMail > Desktop and Mobile Synchronization