CybersecurityVulnerability Management

Microsoft to Discontinue Legacy TLS Versions in Exchange Online by July 2026

Analyst 207||Source: TheRegister
Secure server room with rows of computer servers and networking equipment.

"We will start to block legacy version connections starting in July 2026," Microsoft warned, drawing a line under years of gradual deprecation.

Microsoft's July 2026 cutoff for Exchange Online POP3 and IMAP4

Microsoft has announced it will begin blocking Transport Layer Security (TLS) 1.0 and 1.1 connections for POP3 and IMAP4 access to Exchange Online in July 2026. The company says the move affects clients that continue to use those legacy protocol versions and that the change follows prior deprecation work and an interim opt-in endpoint provided to accommodate older clients.

Timeline and technical context: TLS 1.0, 1.1 and Exchange Online

TLS 1.0 was published in 1999 and TLS 1.1 in 2006; both versions were formally deprecated in 2021, and Microsoft stated they "are no longer considered secure." Support for TLS 1.0 and 1.1 in Exchange Online officially ended in 2020. In 2023 Microsoft announced plans to disable the older TLS versions for POP3 and IMAP4 clients but, acknowledging that a "significant" number of clients did not support TLS 1.2 or later, created an opt-in endpoint to keep those legacy connections alive temporarily.

Microsoft's expectations and the risk of disruption

Microsoft expects "minimal impact from the change," saying that "Modern email clients and libraries already support TLS 1.2 or higher," and that "the vast majority of POP and IMAP traffic to Exchange Online today uses these newer protocols." Nonetheless, the company warns that legacy devices or software "might stop working as connections fail." Microsoft stressed that "Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation."

How Google Workspace and browsers compare

By contrast, Google Workspace still supports TLS 1.0 and 1.1 according to its documentation, though the Register article notes it would be prudent for users to select a more recent protocol if their client supports it. Web browsers such as Chrome, Firefox and Edge had already signaled that the legacy protocols were on their way out back in 2018, the reporting said.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Verify how POP3 and IMAP4 clients authenticate and which TLS versions they negotiate; plan to migrate clients to TLS 1.2+ where necessary, because Microsoft will block legacy connections starting in July 2026.
  • Affected enterprises and procurement leaders: Identify any systems or vendors that explicitly opted into the legacy endpoints and prioritize remediation or vendor updates to avoid service disruptions when the opt-in ends.
  • End users and help desks: Expect potential summer support calls if mail clients or legacy devices suddenly fail to connect; users who previously relied on the opt-in endpoint should "check how their email clients are connecting, or risk summer support calls" after the cutoff.

Microsoft’s move closes a long-standing accommodation. The company—often cautious about backward compatibility—kept legacy endpoints available after deprecation, but with a firm July 2026 deadline those accommodations will end. For anyone still using Exchange Online via older POP3/IMAP4 clients, the practical next step is straightforward and time-bound: confirm the TLS capability of each client and, where necessary, upgrade or replace software and devices before July 2026 to avoid interrupted mail service.

Original story

Email SecurityEmerging ThreatsLegacy SystemsMicrosoftTransport Layer SecurityExchange OnlineTLS 1.0TLS 1.1DeprecationSecure Communication Protocols
Related Intelligence

Continue Reading

Diverse group of people collaborate around a large table with laptops and notes.

AI Exposes Thousands of Open-Source Vulnerabilities

This summer is shaping up to be a wild ride, with thousands of open-source vulnerabilities exposed and a new coalition, Athena, stepping in to save the day with AI-powered solutions. Led by Chainguard, Athena brings together over two dozen major companies to tackle the problem head-on.

Analyst 207
Diverse group of people engaged in respectful conversation around a table with laptops and notebooks.

Cybersecurity Forum Opens Weekend Discussion Thread

Join the weekend Bunker Talk thread, where the community comes together for a refreshing, no-holds-barred discussion that's free from the usual toxicity - with one key rule: respectful, fact-based conversation, even when politics get involved. Share your thoughts, hash out differences, and engage with the best commenting crew on the net in a space that values civility and substance.

Analyst 207
Secret Service agent in airport terminal looks concerned at personal smartphone.

US Secret Service Exposes Agents to Cyber Risk with Lax Mobile Security

The US Secret Service is putting its agents at risk of cyber attacks by allowing them to use personal phones for work, with over 15,000 instances of unsecured calls made during critical operations. This lax mobile security leaves them vulnerable to hackers, despite having access to supposedly secure government-issued devices.

Analyst 207
Technician examines server rack with laptop in a brightly-lit network operations room.

CISA Mandates Urgent Patching for Exploited Cisco Flaw

Don't wait until it's too late: Cisco has issued a critical patch for a vulnerability (CVE-2026-20230) in its Unified Communications Manager Server, and the US Cybersecurity and Infrastructure Security Agency (CISA) is requiring urgent remediation by June 28. Act now to protect your system from potential remote exploitation.

Analyst 207