Description
Outlook will rewrite email links to direct them towards https://*.safelinks.protection.outlook.com/ with the original URL encoded as a query parameter, when a feature named “safe links” is enabled. In our testing, this appears to break magic links.
Steps to reproduce
Steps to reproduce the behavior:
- Create an email account on outlook.com
- Register a user with the @outlook.com (or @hotmail.com) email address
- Ask for a magic link to be delivered to the outlook email address
- Click the link
Additional context
The “safe-links” feature can be turned off (see the last screenshot). If we do, then the magic links work as expected.
We have two hypotheses as to what might be causing this:
a) The passwordless code is somehow distorted as it is URL path encoded and decoded by the safe-links mechanism.
b) The safe-links mechanism makes a GET request to the magic link, thus using the code and making it invalid for future requests.
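Both hypotheses can be checked in isolation with a small simulation. This is an added example, not code from the report or the affected project; the wrapper host label, the `url` parameter name, the application link and the `MagicLinkStore` class are assumptions. It goes slightly beyond the report by including a two-step variant (GET shows the link is valid, POST consumes it) for comparison.

```python
import secrets
from urllib.parse import parse_qs, quote, unquote_plus, urlencode, urlsplit

# Constructed values: the wrapper host label, the "url" parameter name and the
# application link are assumptions for illustration only.
WRAPPER = "https://constructed.safelinks.protection.outlook.com/"
APP_LINK = "https://app.example/auth/magic?code="


def wrap(link):
    """Rewrite a link as the report describes: original URL as a query parameter."""
    return WRAPPER + "?" + urlencode({"url": link})


def unwrap(wrapped, extra_decode=False):
    """Recover the link; extra_decode models a faulty second decoding pass."""
    link = parse_qs(urlsplit(wrapped).query)["url"][0]
    return unquote_plus(link) if extra_decode else link


def code_from(link):
    """Extract the code the way the application would when the link is opened."""
    return parse_qs(urlsplit(link).query)["code"][0]


class MagicLinkStore:
    """In-memory single-use codes standing in for the application's backend."""

    def __init__(self, consume_on_get=True):
        self.consume_on_get = consume_on_get
        self._live = set()

    def issue(self):
        # "+/=" is appended on purpose: these are the characters a lossy
        # encode/decode round trip would damage.
        code = secrets.token_hex(8) + "+/="
        self._live.add(code)
        return APP_LINK + quote(code, safe="")

    def request(self, method, link):
        """A request to the link; a mail scanner and a browser click are both GETs."""
        code = code_from(link)
        ok = code in self._live
        if ok and (method == "POST" or self.consume_on_get):
            self._live.discard(code)
        return ok
```

If the code survives `unwrap(wrap(link))` unchanged but the second GET still fails, the evidence points at hypothesis (b) rather than (a); server access logs showing a GET for the link before the user's click would confirm it.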