Find notable cyber news and cases, enriched with sources, timelines, and signals.

Exchange Online Exchange ActiveSync 16.1 cutoff

Advisory/Mitigation
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

Microsoft will block Exchange Online access for Exchange ActiveSync devices below 16.1, forcing administrators to update legacy mobile email clients before March 1, 2026. The change affects native email apps on mobile devices, while Outlook Mobile and on-premises Exchange Server are not impacted. Microsoft is also giving admins a PowerShell method to identify outdated devices ahead of the rollout.

Related Happenings

Microsoft Exchange Online mail flow disruption

Service Disruption
H score25 First: 02.06.2026 20:02 Last: 02.06.2026 20:02 Sources 1

About this happening: Microsoft is addressing a **widespread Exchange Online service disruption** that is delaying and failing email delivery for customers across **North America** and **Germany**. The...

Microsoft Exchange CVE-2026-42897 mitigation advisory

Advisory/Mitigation
H score44 First: 15.05.2026 12:40 Last: 15.05.2026 12:40 Sources 1

About this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...

Latest development: 15.05.2026 15:35

Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.

Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)

Vulnerability
H score37 First: 15.05.2026 09:19 Last: 15.05.2026 09:19 Sources 1

About this happening: **CVE-2026-42897** is an **actively exploited** **spoofing** vulnerability in **on-premises Microsoft Exchange Server** that can lead to **arbitrary JavaScript execution** in a br...

Latest development: 09.06.2026 20:57

Microsoft identifies CVE-2026-42897 in Microsoft Exchange Server as an actively exploited spoofing vulnerability that can lead to JavaScript execution in a target’s browser when a specially crafted email is opened in Outlook Web Access under certain interaction conditions. Microsoft says mitigations are being pushed through the Exchange Emergency Mitigation Service while it continues work on the full update.

Microsoft Windows 365 Office installation disruption

Service Disruption
H score0 First: 13.05.2026 14:53 Last: 13.05.2026 14:53 Sources 1

About this happening: The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....

Microsoft Exchange Online blocks legacy TLS for POP3 and IMAP4 starting July 2026

Security Tool/Service
H score11 First: 28.04.2026 16:18 Last: 28.04.2026 16:18 Sources 1

About this happening: **Microsoft** will block **TLS 1.0** and **TLS 1.1** for **POP3/IMAP4** access to **Exchange Online** in **July 2026**, which could break legacy mail clients and embedded devices...

Timeline

  1. 16.12.2025 14:53 2 articles · 6mo ago

    Microsoft announces Exchange Online EAS cutoff

    Initial Disclosure

    Microsoft announces that Exchange Online will block mobile devices running Exchange ActiveSync versions below 16.1 starting March 1, 2026, and tells administrators to identify older devices with a PowerShell report, update devices and applications, and verify that Outlook Mobile and on-premises Exchange Server are not affected.

    Show sources
  2. 16.12.2025 14:53 1 articles · 6mo ago

    Exchange Online blocks EAS below 16.1

    Mitigation Patch Update

    Exchange Online begins refusing connections from mobile devices running Exchange ActiveSync versions lower than 16.1, affecting native email apps on phones and tablets while leaving Outlook Mobile and on-premises Exchange Server unaffected.

    Show sources