Legacy TLS tour continues with Exchange Online blocking old versions from July 2026
Microsoft readies the axe once again for yesterday's security
Office 365 is Microsoft's cloud productivity suite, whose identity, email, and data controls make its vulnerabilities and security advisories consequential.
Search across headline titles and summaries.
Background for this topic.
Office 365 is Microsoft’s cloud-hosted productivity and collaboration service, encompassing Exchange Online email, SharePoint, OneDrive, Teams, and web and desktop Office applications. Because these services store communications and business documents in a shared cloud environment, the tag includes both attacks against the platform and security issues arising from tenant configuration, identity, and connected applications.
Material risks include phishing or stolen credentials leading to account takeover, malicious OAuth applications gaining delegated access, mailbox forwarding rules, and excessive external sharing of files. Effective defenses include phishing-resistant multifactor authentication, conditional-access policies, least-privilege administration, controlled app consent, data-loss prevention, and review of audit and sign-in logs. Security teams must also track Microsoft advisories and client vulnerabilities, preserve cloud evidence for investigations, and apply retention, privacy, and compliance controls appropriate to the data stored in the tenant.
Weekly headline count for the current query.
Microsoft readies the axe once again for yesterday's security
Microsoft readies the axe once again for yesterday's security Microsoft has warned users still clinging to legacy TLS versions that the end is nigh for TLS 1.0 and 1.1 on POP3 and IMAP4 connections to Exchange Online.…
Negative feedback sinks Redmond's plan to cap outbound email recipients Microsoft has backed away from planned changes to Exchange Online after customers objected to limits designed to curb outbound email abuse.…
'It's not our job to find the culprits – That's what we're paying you for' lawmaker scolds Brad Smith Lawmakers on Thursday grilled Microsoft president Brad Smith about the Windows giant's businesses dealing in China — and the super-corp's repeated security failings — at a time when Beijing-backed spies are accused of breaking into Microsoft-hosted email accounts of American government officials.…
CISA calls for 'fundamental, security-focused reforms' to happen ASAP, delaying work on other software A review of the June 2023 attack on Microsoft's Exchange Online hosted email service – which saw accounts used by senior US officials compromised by a China-linked group called "Storm-0558" – has found that the incident would have been preventable save for Microsoft's lax infosec culture and sub-par cloud security precautions.…
CISA calls for 'fundamental, security-focused reforms' to happen ASAP, delaying work on other software A review of the June 2023 attack on Microsoft's Exchange Online hosted email service – which saw accounts used by senior US officials compromised by a China-linked group called "Storm-0558" – has found that the incident would have been preventable save for Microsoft's lax infosec culture and sub-par cloud security precautions.…
Pen-tester accessed more than 650,000 sensitive messages, and still can, at Indian outfit using Toyota SaaS Toyota Tsusho Insurance Broker India (TTIBI), an Indo-Japanese joint insurance venture, operated a misconfigured server that exposed more than 650,000 Microsoft-hosted email messages to customers, a security researcher has found.…
No classified systems involved apparently, so there's that Chinese snoops stole about 60,000 State Department emails when they broke into Microsoft-hosted Outlook and Exchange Online accounts belonging to US government officials over the summer.…
PLUS: Phishing campaign targets the C-suite; Cybercrime arrests in EU and Africa; and more Infosec in brief The July breach of Microsoft Exchange Online by suspected Chinese hackers is the next topic up for review by the Department of Homeland Security's Cyber Safety Review Board (CSRB). …
ALSO: China says US hacked it right back, BreachForums users have been pwned, and this week's critical vulns Infosec in brief US senator Ron Wyden (D-OR) thinks it's Microsoft's fault that Chinese hackers broke into Exchange Online, and he wants three separate government agencies to launch investigations and "hold Microsoft responsible for its negligent cyber security practices." …
How does the Azure giant come back from this? A stolen Microsoft security key may have allowed Beijing-backed spies to break into a lot more than just Outlook and Exchange Online email accounts.…
Storm-0558 had access to accounts and mail – maybe even for senior US officials US commerce secretary Gina Raimondo and other State and Commerce Department officials were reportedly among the victims of a China-based group's attack on Microsoft's hosted email services.…
Malicious toolkit targets misconfigured hosts in AWS and Office 365 A fast-evolving toolkit that can be used to compromise email and web hosting services represents a disturbing evolution of attacks in the cloud, which for the most part have previously been confined to mining cryptocurrencies.…
If you need extra time to dump RPS, OK, but email from unsupported Exchange servers is blocked till they’re up to date Some Exchange Online users who have the RPS feature turned off by Microsoft can now have it re-enabled – at least until September when the tool is retired.…
AWS, Google and Oracle may benefit as Microsoft blames the Pentagon and the Pentagon blames Microsoft A hole in a Department of Defense email server operated by Microsoft left more than a terabyte of sensitive data exposed less than a month after Office 365 was awarded a higher level of US government security accreditation.…
Redmond says OME is really for content misuse rather than security Microsoft Office 365 Message Encryption claims to offer a way "to send and receive encrypted email messages between people inside and outside your organization."…
Exchange Online users should have authentication policies in place Microsoft is warning Exchange Online users about a rise in password spray attacks, urging those that have yet to disable Basic Authentication to at least set up authentication policies to protect their users and data.…
Awoooogah – this is your one-year warning to switch over, enterprises Microsoft next month will start phasing out Client Access Rules (CARs) in Exchange Online – and will do away with this means for controlling access altogether within a year.…
The 'widespread' campaign hunts for multimillion-dollar transactions A business email compromise scheme targeting CEOs and CFOs using Microsoft Office 365 combines phishing with a man-in-the-middle attack to bypass multi-factor authentication.…
Before Microsoft shutters basic logins in a few months The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.…