La vulnérabilité CVE-2026-42897 affecte Exchange Server 2016, 2019 et SE. Découvrez les mesures d'urgence pour atténuer la menace sans patch officiel.

Le post Exchange Server – CVE-2026-42897 : cette faille zero-day est déjà exploitée ! a été publié sur IT-Connect.

Microsoft has released the Change Optics Report in public preview for Exchange Online. This new report, available in the Exchange Admin Center (EAC), identifies emails in your tenant that will be affected when Microsoft enforces an upcoming service change — before the change takes effect. Currently, it covers two scenarios: outbound mail sent from your default onmicrosoft.com domain, and incoming Direct Send traffic. This article explains what the report shows, how to access it, and what steps to take for each scenario.

Source

Microsoft announced on April 15, 2026, a second paid security update period—called "Period 2"—for Exchange Server 2016 and 2019. This extends coverage from May through October 2026 for organizations unable to complete their migration to Exchange Server Subscription Edition (SE). The program covers only security-related patches and requires a separate purchase via a Microsoft Enterprise Agreement. This article explains what the program includes, who qualifies, and the practical limitations.

Source

Microsoft announced a breaking change to the Microsoft Graph API affecting Exchange Online: from December 31, 2026, applications that modify sensitive email properties -- such as the subject, body, or recipients -- on delivered messages must hold elevated Mail-Advanced.ReadWrite permissions. Until now, the standard Mail.ReadWrite permission was sufficient for these operations. The new permissions require explicit approval from the tenant administrator ("admin consent"). If you operate Microsoft 365 and have custom applications or third-party tools that interact with email via the Graph API, you need to audit and potentially update these apps before the enforcement date.

Source

Exchange Online now lets you choose, per outbound connector, whether SMTP DANE and MTA-STS are enforced opportunistically, mandatorily (for DANE), or not at all. These new connector modes give you granular control over how strictly Exchange Online enforces modern email security standards when sending mail to external domains.

Source

Microsoft is developing Priority Cleanup V2, an updated data-purging feature in Microsoft Purview that deletes Exchange Online mailbox content even when protected by retention policies or eDiscovery holds. This proposed version is designed to reduce the number of approval stages from three to two, accelerate deletion from days to hours, and introduce batch-processing safeguards.

Source

Microsoft has announced that moderation approvals in Exchange Online are transitioning from voting buttons to Actionable Messages Adaptive Cards, bringing Approve | Reject buttons directly into email bodies. This update enables moderators to approve or reject messages from any Outlook client, including Windows, macOS, web, and mobile. The rollout begins in late February 2026 and concludes by early April 2026 for Worldwide and GCC environments. The legacy voting button method remains available until July 31, 2026, after which Actionable Messages Adaptive Cards will be the only supported method.

Source

Microsoft announced on February 12, 2026, a significant change to its Exchange Online PowerShell module: the deprecation of the -Credential parameter for the Connect-ExchangeOnline cmdlet. This change represents part of a broader initiative to enhance security across Microsoft 365 administrative interfaces by eliminating authentication methods that do not support multifactor authentication.

Source

Microsoft is retiring Exchange Web Services (EWS) in Exchange Online, with a phased shutdown beginning October 1, 2026, and complete retirement by April 1, 2027. You must migrate your applications to the Microsoft Graph API before the final deadline to maintain access to Exchange Online mailboxes. This retirement only affects Exchange Online in Microsoft 365 environments and does not impact on-premises Exchange Server installations. Organizations using EWS-dependent applications face service interruptions unless they transition to supported alternatives. The nearly 20-year-old protocol no longer meets modern security, scale, and reliability requirements.

Source

Microsoft has introduced the Microsoft Graph User Configuration API that enables you to manage custom settings and configuration data for user mailboxes in Exchange Online. This preview API provides full CRUD (create, read, update, delete) operations for user configuration objects, allowing you to store application state, settings, and metadata associated with specific mail folders. This guide shows you how to access and use this API with PowerShell.

Source