Exchange Online Tamper Protections Arriving in 2024 -- Redmondmag.com

Exchange Online Tamper Protections Arriving in 2024

Organizations will need to use new Exhange Online subdomains with the coming changes.

By Kurt Mackie
09/28/2023

Microsoft on Wednesday gave notice that its Exchange Online e-mail tamper protections are planned for completion in 2024, which may entail some backend changes by IT departments.

Essentially, Microsoft is turning on two security protocol enhancements for Exchange Online, namely the Domain Name System (DNS)-based Authentication of Named Entities (DANE) for SMTP, as well as Domain Name System Security Extensions (DNSSEC). Both additions are intended to thwart adversary attacks.

DANE for SMTP verifies certificates "used for securing email communication with TLS [Transport Layer Security]," protecting against "TLS downgrade attacks." DNSSEC, on the other hand, "provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS," the announcement explained.

Last year, Microsoft had announced that those two security protocols were being enabled for outbound e-mails using Exchange Online. The outbound enablement "has been supported since March 2022," the announcement explained.

The coming 2024 security protocol additions to Exchange Online will be for inbound e-mails, competing Microsoft's security upgrades, the Wednesday announcement explained. When the addition of these protocols is completed, new "A record" domains used with Exchange Online will get switched to the new subdomains, labeled "mx.microsoft."

This change to mx.microsoft will start in "March 2024" as an opt-in public preview. General availability is targeted for July 2024. Microsoft will gradually switch new A records to the new mx.microsoft subdomains in subsequent months, with completion expected in Dec. 2024:

"Between July and December 2024, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft," the announcement indicated.

"Accepted Domains" are the SMTP namespaces that are used to receive e-mails, per Microsoft's definition.

IT department will need to take action if they have hard-coded the current "mail.protection.outlook.com" domain for their A records, the announcement cautioned. Organizations should also check if they have autoprovisioning processes that may reference the mail.protection.outlook.com domain that will get changed to mx.microsoft.

The announcement suggested that "Microsoft 365 Admin Center and/or Exchange PowerShell" migration tooling to help organizations with this change would be available in March. Microsoft also plans to release a wizard that can be used to migrate "DNS records to DNSSEC-secured domains" for "accepted domains created before July 2024."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.