Microsoft announced that from July 2026 it will stop accepting TLS 1.0 and 1.1 connections from POP3 and IMAP4 clients in Exchange Online, a measure that closes a chapter of compatibility with obsolete protocols and is part of a broader effort to reduce attack vectors in cloud email. This is not a cosmetic change: connections using TLS 1.0/1.1 will simply fail, so any client or device that depends on these versions will no longer be able to access the mailbox.
TLS 1.0 dates from 1999 and TLS 1.1 from 2006; their weaknesses have been known for years and better alternatives have been developed (TLS 1.2 and 1.3). The industry has been moving to TLS 1.2+, including public commitments from manufacturers and browsers since 2018, and Microsoft already documents this step in its technical release for Exchange Online; the details are in the official Microsoft blog post: Deprecating legacy TLS and endpoints for POP and IMAP.

The good news is that most users should not be affected: most POP/IMAP traffic to Exchange Online already uses TLS 1.2 or higher, and modern clients support it. The bad news is that there are embedded devices, legacy services and custom applications (printers, scanners, cash registers, old software, outdated OpenSSL/curl libraries) that still use old stacks and could be interrupted. Microsoft has published specific guidance for those who still use the legacy endpoints; that technical guide is in its documentation: Opt-in Exchange Online endpoint for legacy TLS.
From the operational point of view, the real impact will be the failure of old TLS sessions: clients will get connection errors rather than degraded delivery. That means service interruption and potential loss of productivity if you do not act in time. In addition, keeping old versions of TLS enabled increases the risk of attacks that exploit cryptographic and channel-security vulnerabilities, so excluding these protocols reduces exposure to known risks.
If you manage environments with Exchange Online, start by identifying the dependencies. Check the messages in Microsoft's admin center and the access logs to detect clients using old versions of TLS; in parallel, check device inventories and cryptographic library versions (e.g. OpenSSL). Testing tools like testssl.sh or the openssl s_client command serve to verify which versions and suites a client or server accepts in internal tests. For official guidance on safe TLS configurations and government recommendations, the NIST publication is a good starting point: NIST SP 800-52 Revision 2.

The specific actions to prioritize are clear: first, make an inventory of clients using POP/IMAP and detect whether they depend on TLS 1.0/1.1; second, update operating systems, mail clients and device firmware to obtain TLS 1.2 or 1.3 support; third, where possible, migrate clients to modern protocols and APIs (e.g. MAPI over HTTP, EWS or Microsoft Graph with modern authentication) that also offer better controls and OAuth-based authentication. If you have embedded applications that cannot be updated, plan a safe replacement or a gateway that terminates TLS 1.2/1.3 on their behalf and talks to Exchange over compatible connections.
Do not leave all the preparation for the last minute: test changes in a controlled environment, notify users and hardware providers well in advance, and establish a contingency plan for critical devices that must continue to operate until they are replaced. Document which clients have migrated and keep evidence records for audit and support. If you do not know how to identify legacy clients, ask suppliers to confirm TLS compatibility and request a roadmap of updates.
Finally, consider this announcement an opportunity to strengthen your security posture: beyond updating TLS, review authentication (avoid plaintext credentials, adopt OAuth 2.0 where possible), enforce strong encryption and disable obsolete suites and protocols in your infrastructure. The transition to TLS 1.2+ is not just compliance: it is tangible risk reduction against interception and attacks on mail communication. If you need technical resources to run tests and plan migration, the above-mentioned Microsoft and NIST guides are reliable starting points.