Microsoft will deprecate legacy TLS connections for POP and IMAP clients in Exchange Online starting July 2026. The move affects email clients still using outdated encryption protocols.
Microsoft announced it will begin blocking legacy TLS (Transport Layer Security) connections for POP and IMAP email protocols in Exchange Online from July 2026 onward.
The deprecation targets clients still relying on TLS 1.0 and TLS 1.1, which Microsoft considers security risks. Users and organizations with older email clients will need to upgrade to versions supporting TLS 1.2 or higher to maintain connectivity.
What's changing:
- POP and IMAP connections using TLS 1.0 and 1.1 will be blocked
- Affected clients must support minimum TLS 1.2
- Timeline begins July 2026
Who is affected:
Organizations running legacy email clients, particularly older versions of:
- Outlook for Windows and Mac
- Apple Mail
- Gmail clients
- Third-party email applications
Microsoft has emphasized the security necessity of this change. Legacy TLS versions contain known vulnerabilities that expose email communications to potential interception and compromise. The company previously deprecated TLS 1.0 and 1.1 for other Microsoft 365 services.
Recommended actions:
Organizations should audit their email client versions and plan upgrades accordingly. Microsoft recommends transitioning to modern email clients that support current TLS standards and modern authentication methods like OAuth 2.0.
This aligns with broader industry trends toward deprecating legacy protocols. Major email providers including Google and Apple have similarly phased out support for outdated TLS versions in recent years.
Microsoft will provide additional guidance and migration resources as the July 2026 deadline approaches. Organizations with large deployments of legacy systems should begin planning upgrades immediately to avoid service disruptions.
Microsoft has released a patch for a zero-day vulnerability in Windows Defender that could allow attackers to exhaust hard disk space. The flaw was discovered and reported by security researcher NightmareEclipse.
A software defect from 2006 triggered a cascading network failure that knocked out Telstra's national phone service Wednesday morning. The bug, related to daylight savings time processing, created a 'digital domino chain' that locked customers out across the country.
The EU Parliament is advancing legislation that would require tech companies to scan for child sexual abuse material (CSAM), reviving a proposal rejected in March. End-to-end encrypted services like WhatsApp would be exempt from the requirements.
Hackers compromised the Injective Labs SDK repository on GitHub and published a malicious package to npm that steals cryptocurrency wallet private keys and seed phrases from developers.