- Microsoft and Email Security Scanners: Microsoft and other email security scanners visit the links in emails and run the JavaScript on those pages, including scripts that send POST requests. This used to be considered unacceptable, because POSTs have side effects, and it breaks single-use sign-on and email confirmation links.
- HTTP and Norms: HTTP GET requests should be idempotent and "safe", while POST requests are used to change state. Because miscreants spread malware through email attachments and links, security scanners inspect both. Single-use sign-on links got "consumed" when Microsoft's scanner automatically followed them. Now Microsoft's security scanning visits links, runs JavaScript, and sends POSTs.
- What to Do: If you send sign-on or email confirmation links, assume security scanners will open and execute them. Software can no longer rely on links that work exactly once: sites must handle users completing a sign-up or confirmation multiple times. Some have tried putting a captcha in front of the link, but that annoys users and gets the sender onto Microsoft's naughty list.
- Final Thoughts: Big, dominant operators like Microsoft should be more transparent about the norms they break. The EU Digital Markets Act designates some of them as "gatekeepers", and they should be held more accountable. Without notice, we don't know what they might break next, and we get no time to prepare.
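The "What to Do" point above is easiest to see in code. The following is an added example (not code from the original post) contrasting a fragile single-use confirmation handler with an idempotent one that tolerates a scanner opening the link before the human does. The class and function names (`ConfirmationStore`, `confirm_single_use`, `confirm_idempotent`, `simulate`) and the timings in `simulate` are hypothetical constructions for illustration.

```python
"""Email-confirmation tokens that survive link-scanning mail security products.

Added example, not from the original post. Models an in-memory token store
whose idempotent confirm() accepts repeated visits within the token's
lifetime, so a scanner opening the link first does not lock the user out.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Confirmation:
    email: str
    issued_at: float
    confirmed_at: Optional[float] = None  # set at most once


class ConfirmationStore:
    """Hypothetical in-memory store keyed by confirmation token."""

    def __init__(self, ttl_seconds: float = 24 * 3600,
                 clock: Callable[[], float] = time.time):
        self._records: dict = {}
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the simulation below can control time

    def issue(self, email: str) -> str:
        # 256 bits of randomness: the token is unguessable, so replaying it
        # only matters if the link itself leaks (e.g. to a scanner that opened it).
        token = secrets.token_urlsafe(32)
        self._records[token] = Confirmation(email, self.clock())
        return token

    def _expired(self, rec: Confirmation) -> bool:
        return self.clock() - rec.issued_at > self.ttl

    def confirm_single_use(self, token: str) -> str:
        """Fragile 'before': the link works exactly once.
        Whoever opens it first (a scanner, say) consumes it; the real user
        then sees 'invalid'."""
        rec = self._records.pop(token, None)
        if rec is None or self._expired(rec):
            return "invalid"
        rec.confirmed_at = self.clock()
        return "confirmed"

    def confirm_idempotent(self, token: str) -> str:
        """Robust handler: every visit within the TTL reports success, but
        the state change (confirmed_at) is applied only on the first one."""
        rec = self._records.get(token)
        if rec is None or self._expired(rec):
            return "invalid"
        if rec.confirmed_at is None:
            rec.confirmed_at = self.clock()  # the only side effect, applied once
        return "confirmed"

    def confirmed_at(self, token: str) -> Optional[float]:
        rec = self._records.get(token)
        return None if rec is None else rec.confirmed_at


def simulate(idempotent: bool) -> List[str]:
    """Constructed scenario: scanner opens the link seconds after delivery,
    the user ten minutes later, and someone again long after the TTL."""
    now = [1_000_000.0]  # fake clock, advanced manually
    store = ConfirmationStore(ttl_seconds=3600, clock=lambda: now[0])
    token = store.issue("user@example.test")  # constructed address
    confirm = store.confirm_idempotent if idempotent else store.confirm_single_use
    results = []
    now[0] += 5        # mail security scanner follows the link
    results.append(confirm(token))
    now[0] += 600      # the human user clicks the same link
    results.append(confirm(token))
    now[0] += 3600     # well past the one-hour TTL
    results.append(confirm(token))
    return results


if __name__ == "__main__":
    print("single-use :", simulate(idempotent=False))   # scanner locks the user out
    print("idempotent :", simulate(idempotent=True))    # user still succeeds
```

The design choice is that the token's lifetime, not its visit count, bounds the window in which it can be redeemed; this matches the point that sites must accept a sign-up or confirmation being completed more than once. The TTL still limits how long a leaked link remains useful.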