Released: February 2019 Quarterly Exchange Updates

Today we are announcing the availability of quarterly servicing updates, cumulative and update rollups, for all supported versions of Exchange Server. Exchange Server 2010, 2013, 2016 and 2019 all receive an update package. These updates include important fixes to address vulnerabilities being discussed in blogs and other social media outlets. While it is not the…


Contextualizing Attacker Activity within Sessions in Exchange Online

Overview: The Exchange audit log is an important tool in the defender toolbox to understand the activity of users (or attackers masquerading as users) in an organization. Defenders can manually browse through their audit logs for user activity that indicates malicious activity. These audit logs feed many first-party and third-party protect, detect, and investigate capabilities…


Disabling Basic authentication in Exchange Online – Public Preview Now Available

Several months ago we added a feature to the Microsoft 365 Roadmap which generated a lot of interest. The feature was named Disable Basic Authentication in Exchange Online using Authentication Policies and as the roadmap items stated – it provided the capability for an Admin to define protocols which should allow Basic Authentication. Why was…


MS11-025 required on Exchange Server versions released before October 2018

In the security advisories released on 10/09/2018, CVE-2010-3190 was updated to apply to Exchange Server. This bulletin now applies to all versions and cumulative updates for Exchange Server released prior to October 2018. The Exchange team is aware that the installation program for Exchange Server is applying an unpatched version of a Visual Studio released…


Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

Overview: In part 3 of our Exchange Server TLS Guidance series, we introduce how to turn off TLS 1.0 and 1.1 in your Exchange Server deployment. Turning off TLS 1.0 and 1.1 can be a highly disruptive event if not planned and executed properly. The Exchange team believes that it is time for the ecosystem…


Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

Overview: In part 2 of our Exchange Server TLS Guidance series we focus on enabling and confirming TLS 1.2 can be used by your Exchange Servers for incoming and outgoing connections, as well as identifying any incoming connection which is not utilizing TLS 1.2. The ability to identify these incoming connections will vary by Windows…


Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2

Update: With the Office 365 deadline to have TLS 1.2 enabled being moved from March 2018 to October 2018 we have changed the timing of subsequent post releases; please see below! Overview: As the realm of security in technology continues to evolve over time, every so often we say hello to newer and more competent…


Demystifying Certificate Based Authentication with ActiveSync in Exchange 2013 and 2016 (On-Premises)

Some of the more complicated support calls we see are related to Certificate Based Authentication (CBA) with ActiveSync. This post is intended to provide some clarifications of this topic and give you troubleshooting tips. What is Certificate Based Authentication (CBA)? Instead of using Basic or WIA (Windows Integrated Authentication), the device will have a client (user)…


Multi-Factor Authentication in Exchange and Office 365

Multi-Factor Authentication (MFA), which includes Two-factor authentication (2FA), in Exchange Server and Office 365, is designed to protect against account and email compromise. Microsoft has evaluated recent reports of a potential bypass of 2FA. We have determined that the technique described is not a vulnerability and the potential bypass does not exist on properly configured…


Certificate-Based Authentication (CBA) for Exchange Online

Update 6/6/2017: We updated this post to reflect availability for China plans. Update 7/28/2017: Updated with links for support with Outlook for iOS and Android. On-premises Exchange environments support the ability for certain mobile apps to utilize certificate-based authentication (CBA). Today, we are pleased to announce that CBA is available for customers using Office 365…