email security

Microsoft has disclosed CVE-2026-42897 as a Microsoft Exchange Server spoofing vulnerability in the May 2026 security cycle, with the advisory pointing administrators to Exchange Server as the affected product family and framing the issue as a confirmed security flaw rather than a speculative...

Microsoft said on April 30, 2026, that its threat intelligence teams detected about 8.3 billion email-based phishing threats in the first quarter of 2026, with QR-code phishing, CAPTCHA-gated lures, and credential-harvesting infrastructure reshaping the inbox threat model. The headline number is...

Exchange Online’s High Volume Email feature has reached General Availability, marking an important shift for organizations that need to send large amounts of internal email from applications, devices, and line-of-business systems without tripping the familiar Exchange sending ceilings. Microsoft...

The Exchange team’s notice about upcoming Graph API enforcement is more than a narrow permissions tweak: it is a deliberate tightening of how Microsoft wants applications to treat received email. Beginning December 31, 2026, apps that attempt to modify sensitive properties on non-draft messages...

Exchange Server turns 30 this year, and that milestone is more than a nostalgic footnote for Microsoft—it is a reminder that enterprise email still sits at the center of identity, compliance, security, and operational control. Microsoft’s own anniversary post frames Exchange as the product that...

Microsoft’s own cloud infrastructure is being abused in a way that should make every security team sit up straight: attackers are using Azure Monitor to send billing-themed phishing emails that look like genuine Microsoft notifications. The campaign stands out because it does not depend on crude...

Microsoft’s latest email security benchmark makes one thing plain: transparency without action delivers little — and the company is trying to close that loop by publishing telemetry, method updates, and ecosystem integrations designed to show how detection and remediation actually play out in...

Microsoft has added per‑connector control for SMTP DANE and MTA‑STS validation in Exchange Online outbound connectors, giving administrators explicit, granular settings to balance strict transport security with real‑world delivery reliability. Instead of a single enforcement posture for all...

Microsoft’s flagship workplace assistant, Microsoft 365 Copilot Chat, briefly read and summarized email messages that organizations had explicitly labeled Confidential, a logic error the company logged internally as service advisory CW1226324 and that has forced a re‑examination of how embedded...

A recent update to the classic Outlook desktop client triggered a high-impact interoperability bug that interrupted the handling of S/MIME-signed messages and Office Message Encryption (OME) protected email, producing confusing prompts and, in some cases, stripping digital signatures when...

Microsoft’s security team is celebrating a major analyst victory: Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Email Security, a designation Microsoft says underscores the maturity and reach of Microsoft Defender for Office 365 as organizations wrestle with...

This morning’s inbox flood — five obvious spam messages slipping straight into the primary view of an Outlook user — is not an isolated annoyance. It’s a live demonstration of where Microsoft’s email stack still fails everyday people: spam and phishing still reach the inbox, user trust erodes...

Microsoft’s recent clarifications around Direct Send and the related protection options in Exchange Online change the way administrators should think about mail routing, tenant exposure, and the controls available to prevent spoofing and unwanted anonymous mail that appears to originate from...

Attaching files in Outlook is one of those everyday tasks that feels trivial until it goes wrong — a “file too large” error, a missing image in a sent message, or a recipient locked out of a OneDrive link can turn a five‑minute chore into a support ticket. This feature guide consolidates the...

Microsoft’s free Windows 10 upgrade became a vehicle for a crop of convincing phishing emails that delivered file‑encrypting ransomware disguised as a legitimate installer, according to security researchers — a reminder that major platform announcements instantly become social‑engineering boons...

Microsoft’s Security Update Guide lists CVE-2025-55243 as a spoofing vulnerability in Microsoft OfficePlus that can lead to the exposure of sensitive information and enable an attacker to perform spoofing over a network, but key public mirrors and automated scrapers offer limited or inconsistent...

Microsoft has given a clear ultimatum to organizations still using the shared .onmicrosoft.com sending address: migrate to a verified custom domain or expect severe outbound throttling that will constrain external email to just 100 external recipients per organization in any 24‑hour rolling...

Microsoft is imposing a hard limit on outgoing email from free “.onmicrosoft.com” (MOERA) tenant domains to combat widespread abuse and protect delivery for legitimate Microsoft 365 customers, and the change — which takes effect in staged waves starting October 15, 2025 for trials — restricts...

Windows Live Mail’s built‑in spam controls — the Safety Options, Safe Senders/Recipients lists, Blocked Senders, international filters and message rules — can still give you effective inbox control, but only if you set them deliberately and understand their limits on modern Windows systems. This...

Microsoft’s security portal lists CVE-2025-25007 as a Microsoft Exchange Server spoofing vulnerability caused by improper validation of syntactic correctness of input, but public technical detail and third‑party analysis for this specific CVE remain sparse at the time of publication —...