Full Report
Microsoft is investigating several issues causing email synchronization and connection problems when using the classic Outlook desktop client. [...]
Analysis Summary
# Vulnerability: Classic Outlook Connectivity and Synchronization Failures
## CVE Details
- **CVE ID**: N/A (Currently identified as Functional/Stability Bugs)
- **CVSS Score**: N/A
- **CWE**: N/A
## Affected Systems
- **Products**: Microsoft Outlook (Classic), OneNote, and other Microsoft 365 apps.
- **Versions**: Microsoft Office 16.0 (Microsoft 365 versions).
- **Configurations**:
  - Presence of Exchange Web Services (EWS).
  - Syncing third-party IMAP accounts (Gmail/Yahoo) after password changes.
  - Deployment of December 2025 updates (for encrypted email issues).
## Vulnerability Description
Microsoft is investigating three distinct functional flaws in the classic Outlook client:
1. **Group Creation Failure**: An internal server error occurs because the AD Graph call for `ValidateUnifiedGroupProperties` fails. The API is unable to initialize AAD or MSGraph clients, or AAD Graph is disabled for the API.
2. **Synchronization Errors (0x800CCC0F / 0x80070057)**: A failure in the authentication prompt logic specifically affecting Gmail and Yahoo accounts. After a password change, the client fails to trigger the sign-in prompt, leading to permanent sync failure.
3. **UI/Input Regression**: A bug causing the mouse pointer to disappear within Outlook, OneNote, and other M365 apps, likely due to a focus-handling error in the application's graphical overlay.
## Exploitation
- **Status**: Not exploited (Functional bugs/availability issues).
- **Complexity**: N/A
- **Attack Vector**: N/A
## Impact
- **Confidentiality**: None
- **Integrity**: None
- **Availability**: High (Prevents email synchronization, group management, and software usability).
## Remediation
### Patches
- **In Progress**: Microsoft is developing updated group functionality using REST APIs to replace the failing AD Graph calls.
- **Resolved**: The issue regarding encrypted emails was resolved in early January 2026.
### Workarounds
- **For Group Creation**: Use the **New Outlook** desktop client or **Outlook Web Access (OWA)** to create or edit groups.
- **For Gmail/Yahoo Sync Errors**: Delete the registry entries associated with the affected email address:
  - Path: `HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities`
- **For Disappearing Mouse Pointer**:
  - Click any email in the message list to force a focus change.
  - Switch to PowerPoint, click an editable area, then switch back to Outlook.
  - Perform a system restart.
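
The Gmail/Yahoo registry workaround above can be scripted so the key is backed up before anything is deleted. This is an added example, not Microsoft's or the report's own code. The parameter names (`$Email`, `$BackupDir`, `-Remove`) are hypothetical, and matching subkeys by searching their value data for the address is an assumption about how entries are "associated" with an account.

```powershell
# Added example: find, back up, and optionally remove identity entries for one mailbox.
# $Email defaults to a constructed placeholder; pass the affected address instead.
param(
    [string]$Email     = 'user@example.com',
    [string]$BackupDir = "$env:USERPROFILE\Documents",
    [switch]$Remove    # without this switch the script only reports matches
)

$regPath = 'HKCU\Software\Microsoft\Office\16.0\Common\Identity\Identities'
$root    = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities"

if (-not (Test-Path $root)) {
    Write-Warning "Key not found: $regPath"
    return
}

# Precaution taken by this example (not stated in the report): do not edit
# the identity cache while Outlook is running.
if ($Remove -and (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue)) {
    Write-Warning 'Close Outlook before removing identity entries.'
    return
}

# Export the whole Identities key first so the change can be reverted.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "OutlookIdentities-$stamp.reg"
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; nothing was changed.' }

# Assumption: an entry belongs to the account if any of its values contains
# the address. Searching value data avoids relying on a specific value name.
$hits = Get-ChildItem -Path $root | Where-Object {
    $key = $_
    $key.GetValueNames() | Where-Object {
        ([string]$key.GetValue($_)).IndexOf($Email, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
}

if (-not $hits) { Write-Output "No identity entries reference $Email."; return }

foreach ($k in $hits) {
    Write-Output "Match: $($k.Name)"
    if ($Remove) { Remove-Item -Path $k.PSPath -Recurse -Confirm:$false }
}
Write-Output "Backup written to $backup"
```

Run it once without `-Remove` to review the matched subkeys, then again with `-Remove`; importing the exported `.reg` file restores the original state.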
## Detection
- **Indicators of Compromise**: N/A
- **Detection Methods**:
  - Monitoring for error code `0x800CCC0F` or `0x80070057` in Outlook sync logs.
  - Identifying the error message: "Both AAD and MSGraph clients are null or AAD Graph is disabled for this API."
## References
- **Vendor Advisory 1**: hxxps[://]support[.]microsoft[.]com/en-us/office/users-may-get-the-error-can-t-connect-to-the-server-when-creating-groups-in-classic-outlook-6b05769b-b2cb-4abc-9edf-51c391612b85
- **Vendor Advisory 2**: hxxps[://]support[.]microsoft[.]com/en-us/office/users-get-errors-0x800ccc0e-0x800ccc0f-synchronizing-gmail-and-yahoo-accounts-in-classic-outlook-e5a7b684-7c5c-4848-ab2d-d48291451f67
- **BleepingComputer Report**: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-investigates-classic-outlook-sync-and-connection-issues/