Microsoft will deprecate legacy TLS connections for POP and IMAP clients in Exchange Online starting July 2026. The move affects email clients still using outdated encryption protocols.
Microsoft announced it will begin blocking legacy TLS (Transport Layer Security) connections for POP and IMAP email protocols in Exchange Online from July 2026 onward.
The deprecation targets clients still relying on TLS 1.0 and TLS 1.1, which Microsoft considers security risks. Users and organizations with older email clients will need to upgrade to versions supporting TLS 1.2 or higher to maintain connectivity.
What's changing:
- POP and IMAP connections using TLS 1.0 and 1.1 will be blocked
- Affected clients must support minimum TLS 1.2
- Timeline begins July 2026
Who is affected:
Organizations running legacy email clients, particularly older versions of:
- Outlook for Windows and Mac
- Apple Mail
- Gmail clients
- Third-party email applications
Microsoft has emphasized the security necessity of this change. Legacy TLS versions contain known vulnerabilities that expose email communications to potential interception and compromise. The company previously deprecated TLS 1.0 and 1.1 for other Microsoft 365 services.
Recommended actions:
Organizations should audit their email client versions and plan upgrades accordingly. Microsoft recommends transitioning to modern email clients that support current TLS standards and modern authentication methods like OAuth 2.0.
This aligns with broader industry trends toward deprecating legacy protocols. Major email providers including Google and Apple have similarly phased out support for outdated TLS versions in recent years.
Microsoft will provide additional guidance and migration resources as the July 2026 deadline approaches. Organizations with large deployments of legacy systems should begin planning upgrades immediately to avoid service disruptions.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.