Why shared Microsoft Outlook mailboxes cause cyber-security issues for businesses


Many businesses use generic user mailboxes in their Microsoft Outlook email system that can be logged onto or shared by multiple users. Shared mailboxes are useful for multiple employees at the company who need access to the same mailbox for a functional purpose. For example, a support@examplecorp.com email address might be shared by multiple people. Everyone uses a single logon for the shared mailbox to keep things simple and easy.

It’s a common practice for small but growing businesses to give multiple employees a shared login to a single, shared mailbox in Outlook. That’s because users of a shared mailbox can send as (or send on behalf of) that single email address.

But there is a downside to a shared user mailbox: It is a cyber-security nightmare and a real risk for your business.

Two reasons to avoid shared user mailboxes

Amaxra recommends against our clients using shared user mailboxes because they lack basic security controls. These are the two top reasons:

  • No options for multi-factor authentication (MFA) – A shared user mailbox is not intended for direct sign-in by its associated user account. In the example of the support@examplecorp.com address, let’s say you want to give Susan, Rob, and Bob the single shared logon info to that shared mailbox. If you’ve read the previous Amaxra blog post on how enabling multi-factor authentication for employees is the best thing you can do to protect your company online, then you know Susan, Rob, and Bob cannot “share” an MFA challenge/response safely. The reason why MFA is so effective is that each security challenge requires a security response tied to an individual. That breaks down when you have a single mailbox account which is shared by three separate people.
  • No email encryption – One of the most powerful features of Microsoft Outlook email for Office 365 business users is encryption. However, you can’t encrypt email sent from a shared mailbox. This is related to the previous reason Amaxra considers shared user mailboxes a security nightmare: shared user mailboxes don’t have options for a direct username/password “security context.” Without that security context, the shared mailbox cannot be assigned an encryption key from Microsoft. So, if Susan, Rob, and Bob are all members of the shared mailbox, and Bob sends email encrypted with his own key, then Susan may be able to read the email, but Rob might not. It depends on which public key the email was encrypted with, and it’s a mess.

The simple solution to shared user mailboxes

Amaxra recommends that our clients with Office 365 or Microsoft 365 use Office 365 Groups if they need shared mailboxes and calendars for specific functions (such as “accounts”, “support”, “sales”, etc.). An Office 365 Group is a group collaboration service built into Office 365 that connects a list of your authorized employees to messages and documents using Outlook mailbox resources with a powerful and secure Microsoft Cloud-based back end. With each Office 365 Group, members get a group email and a shared workspace for conversations, files, and calendar events, all of which are available not only in your Outlook email but also in Microsoft Teams, SharePoint, and other collaboration apps. Note: the group email is called a Shared Mailbox. This is a group email, not an email that can be directly accessed via a logon like a user email; it’s important to understand this distinction, which can be a bit confusing. They are very separate within the Office 365 Admin area.

An Office 365 Group enables Susan, Bob, and Rob to all have access to a shared mailbox for which they each use their OWN user logon (a must-have for keeping employees safe via multi-factor authentication) and access. The advantage is that if Susan’s role changes and she no longer needs access, her access is simply removed from the Office 365 Group mailbox without any change on her side or to her logon credentials. She will simply no longer see the shared environment because her access has been removed, but there is no need to change her credentials or those of the shared environment, as there would be if a “user” mailbox were shared. There is also better protection for the overall environment, since a hacker cannot directly log onto the Shared Mailbox.

The final benefit of Office 365 Groups is that no license is required. If you have a user mailbox set up as a shared accounts mailbox, you will still require the appropriate license, but an Office 365 Group does not require a license, so it will also save your organization licensing costs. In summary: easier to manage, more secure, and cheaper.
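The migration described above, as an added PowerShell example that is not part of the original article: it replaces the shared “support” login with a Microsoft 365 (Office 365) Group whose members use their own MFA-protected accounts, shows off-boarding as a membership change only, and then audits any remaining shared mailboxes whose directory account still allows direct sign-in. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that you hold the Exchange and user administrator rights those cmdlets need; the group name, addresses and user names are constructed placeholders.

```powershell
# Added example; not the article's own code. Placeholder names and addresses throughout.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Replace the shared support@ login with a Microsoft 365 Group (Unified Group).
#    Members reach the group mailbox through their OWN sign-in, so MFA applies to
#    each person and nobody holds a password for support@examplecorp.com itself.
$group = New-UnifiedGroup -DisplayName "Support" -Alias "support" `
    -EmailAddresses "SMTP:support@examplecorp.com" -AccessType Private
Add-UnifiedGroupLinks -Identity $group.Identity -LinkType Members `
    -Links "susan@examplecorp.com", "rob@examplecorp.com", "bob@examplecorp.com"

# 2. Off-boarding is a membership change only: Susan's credentials are untouched
#    and no shared password has to be rotated for Rob and Bob.
Remove-UnifiedGroupLinks -Identity $group.Identity -LinkType Members `
    -Links "susan@examplecorp.com" -Confirm:$false

# 3. Audit: a shared mailbox whose directory account is still sign-in enabled can
#    be logged onto directly, which is the password-sharing pattern the article warns about.
function Get-SignInEnabledSharedMailbox {
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
        $acct = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property Id, AccountEnabled
        if ($acct.AccountEnabled) {
            [pscustomobject]@{ Address = $_.PrimarySmtpAddress; ObjectId = $acct.Id }
        }
    }
}

# 4. Block direct sign-in on those accounts. Delegates who were granted Full Access
#    or Send As keep working through their own (MFA-protected) sign-in.
Get-SignInEnabledSharedMailbox | ForEach-Object {
    Write-Host "Disabling direct sign-in for $($_.Address)"
    Update-MgUser -UserId $_.ObjectId -AccountEnabled:$false
}
```

Run step 3 on its own first to review the list before letting step 4 change anything.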
