Exchange Online Tightens Transport Security

• Exchange Online is adopting two protocols designed to help secure mail in transit against eavesdropping and forgery.
• Customers will need to make changes to take full advantage of the protocols.
• Rollout is gradual and will probably not finish until the end of 2022.

Organizations using Exchange Online might want to take advantage of new Exchange Online features rolling out in 2022 that could improve the security of mail in transit between servers over the Internet.

Addressing Mail Transport Security Risks

The new Exchange Online features address security limitations of Simple Mail Transfer Protocol (SMTP), the primary mail transport protocol used on the Internet.

SMTP allows transport to occur over encrypted connections to prevent attackers from viewing or modifying messages. However, encryption is optional and negotiated between servers for each connection. Attackers who can observe and modify network traffic between the servers can use the process to defeat encryption: for example, an attacker can interfere with negotiation to force servers to downgrade to an unencrypted connection, or an attacker can manipulate the Domain Name System (DNS) to impersonate the receiving server to ensure encryption uses a key known to the attacker.