Back to News

Exchange CVE-2026-42897 — OWA XSS Zero-Day Actively Exploited: The Microsoft 365 Patch Plan Every UK SME on On-Premises Exchange Must Run This Week

Exchange CVE-2026-42897 — OWA XSS Zero-Day Actively Exploited: The Microsoft 365 Patch Plan Every UK SME on On-Premises Exchange Must Run This Week

On 4 July 2026, any UK business still running on-premises Microsoft Exchange faces a decision that has quietly changed shape. CVE-2026-42897 — a cross-site scripting (XSS) zero-day in Exchange Server’s Outlook Web Access (OWA) — has been actively exploited since the middle of May 2026, was added to CISA’s Known Exploited Vulnerabilities catalogue, and carries a Microsoft-assigned CVSS score of 8.1. It requires no attacker privileges and no stolen credentials: an attacker sends a single crafted email, the recipient opens it in OWA, and arbitrary JavaScript runs in that user’s browser session. Session hijacking, spoofing and credential theft all follow from there.

Microsoft shipped the fix in its June 2026 Exchange Server Security Update, released on 9 June 2026. But the harder news is structural. From July 2026, Exchange servers not updated to that June Security Update can no longer receive new Emergency Mitigation Service (EEMS) configuration files — the automatic, cloud-delivered defences Microsoft pushes when the next zero-day lands. Exchange Server 2016 and 2019 have been out of mainstream support since October 2025, and post-May 2026 updates now require paid Extended Security Update enrolment. This confluence — live exploit, loss of automatic mitigations, and out-of-support on-premises versions — is the clearest signal yet that migrating to Exchange Online and Microsoft 365 is no longer a “someday” project for UK SMEs. This article sets out exactly what CVE-2026-42897 is, why it matters, and the 10-step Microsoft 365 migration plan every UK SME on legacy Exchange should run this week.

8.1
CVSS score (Microsoft) for CVE-2026-42897 — remote, no privileges required
9 Jun
Date the June 2026 Exchange Security Update shipped the fix
Jul 2026
Servers not on the June SU stop receiving new EEMS mitigation files
0
Action required for Exchange Online / Microsoft 365 tenants — already protected

What CVE-2026-42897 actually is — and why the score matters

CVE-2026-42897 is a stored cross-site scripting vulnerability in Outlook Web Access, the browser-based mail client that ships with on-premises Exchange Server. XSS is one of the oldest classes of web vulnerability — it sits in the OWASP Top 10 and has done for two decades — but its persistence in enterprise mail is exactly the point. As one Dark Reading analyst put it bluntly, “XSS still owns enterprise mail in 2026”. The reason is that webmail is, by design, a system that renders untrusted content (email from anyone) inside a trusted, authenticated browser session. When the sanitisation of that content fails, the attacker’s code inherits the victim’s session.

The attack chain is disarmingly simple. An attacker crafts an email containing a malicious payload that survives OWA’s content filtering. The email is delivered to a target mailbox. When the user opens it in OWA, the embedded JavaScript executes in the browser context — with the user’s authenticated Exchange session. From that position, the attacker can read and exfiltrate mailbox contents, hijack the OWA session token, impersonate the user to send spoofed internal email, and harvest credentials through convincing in-session phishing. Because the code runs as the legitimate user, it can bypass many perimeter controls that assume traffic inside an authenticated session is trustworthy.

There is an important scoring nuance UK IT leaders must not miss. NIST’s National Vulnerability Database scored CVE-2026-42897 at 6.1 (medium), while Microsoft scored it at 8.1 (high). The gap reflects different assumptions about the deployment context and the realistic impact of session compromise in an enterprise mail environment. For enterprise risk decisions, use Microsoft’s 8.1 score — Microsoft has visibility into how the flaw behaves in real Exchange deployments, and CISA’s decision to add the CVE to its KEV catalogue confirms that the practical risk is closer to the higher figure. Treating this as a “medium” because NVD said so is precisely the kind of scoring complacency attackers rely on.

The patch existed since 9 June — the exposure is now about what happens next

Microsoft fixed CVE-2026-42897 in the June 2026 Exchange Server Security Update on 9 June 2026. Any organisation that applied it within the NCSC’s recommended 14-day window for high-severity flaws was protected by late June. The larger problem is forward-looking: from July 2026, Exchange servers that are not on the June 2026 SU can no longer receive new EEMS configuration files. EEMS is the mechanism Microsoft uses to auto-apply emergency interim mitigations (it applied mitigation M2.1.0 for this very flaw to connected servers). Falling off EEMS means that when the next Exchange zero-day appears — and history says it will — your server will not receive the automatic stopgap protection while you scramble to test and deploy a patch. That is a permanent downgrade of your security posture, not a one-off miss.

How the Exchange zero-day unfolded — a chronology

CVE-2026-42897 did not appear from nowhere. It follows a now-familiar rhythm: quiet exploitation, a scheduled patch, public disclosure, KEV listing, and a hard deadline that separates the maintained from the exposed. The timeline below sets out the sequence UK IT teams need to understand.

Mid-May 2026 — Active exploitation begins in the wild
Attackers begin exploiting CVE-2026-42897 against on-premises Exchange OWA deployments before any advisory is public. Because the attack requires only a crafted email opened in OWA, exploitation is low-friction and hard to distinguish from ordinary inbound mail. This is the definition of a zero-day: exploitation preceding disclosure, giving defenders no warning window.
9 June 2026 — Microsoft ships the June 2026 Exchange Security Update
Microsoft releases the June 2026 Exchange Server Security Update, which remediates CVE-2026-42897 across the affected builds: Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition (SE) RTM. The Emergency Mitigation Service auto-applies interim mitigation M2.1.0 to connected servers as an immediate stopgap for organisations that cannot patch instantly.
Mid-June 2026 — CISA adds CVE-2026-42897 to the KEV catalogue
The US Cybersecurity and Infrastructure Security Agency adds the vulnerability to its Known Exploited Vulnerabilities catalogue, formally confirming active exploitation and setting remediation deadlines for US federal agencies. A KEV listing is the strongest public signal that a flaw is not theoretical: it is being used against real organisations right now, and CISA advises all organisations — not just federal agencies — to prioritise it.
Late June 2026 — NCSC 14-day window closes for on-time patchers
The NCSC recommends patching high-severity vulnerabilities within 14 days, a window that Cyber Essentials v3.3 codifies as a hard requirement for critical and high-severity flaws. Organisations that applied the June SU within two weeks of the 9 June release were compliant and protected. Those that did not are now both non-compliant against their own certification and structurally exposed to a live exploit.
Ongoing — Period 2 ESU billing runs May to October 2026
Because Exchange Server 2016 and 2019 left mainstream support in October 2025, security updates in the Period 2 Extended Security Update window (May–October 2026) are only delivered to organisations that have paid for ESU enrolment. The June 2026 SU sits inside this paid window — meaning some organisations running legacy Exchange discover the fix is not available to them unless they have taken the extra enrolment step and cost.
July 2026 — EEMS cut-off for un-updated servers
From July 2026, Exchange servers not on the June 2026 Security Update stop receiving new EEMS configuration files. This is the decisive structural change: an unpatched, EEMS-disconnected Exchange server no longer benefits from Microsoft’s automatic emergency mitigations for future zero-days. The server is on its own the next time a critical flaw is disclosed.
4 July 2026 — Today: the decision point
Nearly four weeks after the patch and past the EEMS cut-off, any UK SME still on legacy on-premises Exchange without the June SU is exposed to an actively exploited flaw and cut off from future automatic mitigations. The immediate instruction — apply the June SU (with ESU enrolment where needed) — is obvious. The strategic question is whether it makes sense to keep pouring cost and risk into an out-of-support on-premises platform when Exchange Online was never affected in the first place.

Why the impact of an OWA session compromise is so high

To communicate the urgency to non-technical stakeholders, it helps to itemise what an attacker actually gains from arbitrary JavaScript execution inside an authenticated OWA session. The bar chart below ranks the practical impact categories of a successful CVE-2026-42897 exploitation, from the most immediately damaging to the more secondary consequences.

OWA session token hijacking (full mailbox access as the user)
Highest impact
Credential theft via in-session phishing overlays
Very high impact
Internal email spoofing / impersonation (CEO fraud)
Very high impact
Mailbox data exfiltration (contracts, PII, financial data)
High impact
Inbox rule manipulation for persistence & forwarding
High impact
Lateral movement to other internal web applications
Significant impact
Reconnaissance of the global address list & org structure
Moderate impact

The most dangerous of these is the combination of session hijacking and internal impersonation. Once an attacker can send email as a legitimate internal user — particularly a finance or executive account — they can run business email compromise (BEC) and invoice-fraud attacks that bypass the scepticism external phishing usually triggers. An email genuinely originating from your finance director’s real mailbox, sent from inside your own Exchange server, is extraordinarily difficult for staff and even for automated controls to flag. That is why an 8.1 “webmail XSS” translates in practice into a direct path to financial and data loss.

How many UK organisations are still exposed?

Microsoft does not publish a live figure for on-premises Exchange adoption in the UK SME market, and patch-adoption rates for Exchange Security Updates are notoriously lagging because SU deployment requires maintenance windows, cumulative-update prerequisites, and post-install validation. The donut below reflects a best-estimate of the share of on-premises Exchange installations still not on the June 2026 SU several weeks after release, based on historical Exchange patch-adoption benchmarks.

35%
Estimated share of on-premises Exchange installations still not on the June 2026 SU several weeks after release — the population now exposed to CVE-2026-42897 and cut off from new EEMS mitigations (industry benchmark; Microsoft does not publish adoption rates)

Exchange Security Update adoption has historically trailed release by weeks or months. A 30–40% un-updated share several weeks post-release is consistent with prior Exchange SU cycles — and each of those un-updated servers is now both exploitable and disconnected from future automatic mitigation. Crucially, this exposure is concentrated in exactly the organisations least equipped to respond: UK SMEs without a dedicated in-house Exchange administrator, often running Exchange 2016 or 2019 on ageing hardware, frequently unaware that ESU enrolment is now required to receive the fix at all.

The on-premises Exchange exposure grid — score yourself

Not every on-premises Exchange installation carries the same risk. The scorecard below sets out the eight factors that determine whether an organisation is at immediate risk from CVE-2026-42897, at risk from the EEMS cut-off and the next zero-day, or structurally cornered by out-of-support versions.

CVE-2026-42897 & legacy Exchange exposure assessment
OWA published to the internet and June 2026 SU not applied High
Running Exchange 2016 / 2019 without Period 2 ESU enrolment High
EEMS disconnected or disabled — no automatic mitigations High
No documented 14-day patching SLA for high-severity flaws High
CVE-2026-42897 interim mitigations removed after patching Mid
No OWA access-log review for anomalous sessions since mid-May Mid
Exchange server not network-segmented from general systems Mid
No migration plan to Exchange Online or Exchange SE Low

Any organisation scoring High on the first two rows is exposed right now: an internet-published OWA on an unpatched, un-enrolled legacy Exchange server is a direct target for an actively exploited flaw. But the more strategically important row is the last one. An organisation without a migration plan is not merely exposed to this CVE — it is committing to absorb every future Exchange zero-day on an out-of-support platform that is losing its automatic safety net.

The cost of staying on-premises versus moving to Microsoft 365

The direct and indirect costs of remaining on legacy on-premises Exchange have shifted sharply now that mainstream support has ended. The table below shows indicative annual cost and risk bands for UK organisations of different sizes, comparing the true cost of keeping legacy Exchange running against the managed-migration alternative.

Organisation size Typical legacy Exchange annual cost (hardware, ESU, admin, risk) Indicative breach exposure if OWA exploited Managed Microsoft 365 migration outlook
Micro (1–10 staff) £3,000–£8,000 incl. ESU & ageing hardware £10,000–£40,000 (BEC fraud, recovery, downtime) Per-mailbox migration, days not weeks; ongoing M365 licensing
Small (10–50 staff) £8,000–£20,000 incl. ESU, server refresh, patch labour £40,000–£150,000 (data exfiltration, ICO exposure) Batch mailbox migration over 1–3 weekends; zero-downtime cutover
Mid-market (50–250 staff) £20,000–£60,000 incl. redundant servers, DR, ESU £150,000–£750,000 (multi-account compromise, reputational) Phased or hybrid migration; unified GAL and free/busy during cutover
Large (250–1,000 staff) £60,000+ incl. multi-site Exchange estate & specialist staff £500,000+ (regulatory, forensic, supply-chain trust damage) Staged Exchange hybrid migration with runbook and dedicated PM

These figures exclude the harder-to-quantify costs: the management attention consumed by every emergency Exchange patch weekend, the recruitment difficulty of retaining Exchange administrators as the platform shrinks, and the opportunity cost of running mail infrastructure at all when it delivers no competitive advantage. Exchange Online was never affected by CVE-2026-42897 — Microsoft patched the service centrally before most tenants were aware there was an issue. That single fact reframes the economics: the premium you pay for on-premises Exchange increasingly buys you more risk and operational burden, not more control.

Reactive on-premises Exchange versus a proactive Microsoft 365 posture

Reactive posture

What most UK SMEs on legacy Exchange do today

  • Apply Exchange Security Updates weeks or months late, pending a maintenance window
  • Discover ESU enrolment is required only when the patch will not install
  • OWA published directly to the internet with no WAF in front
  • Rely on EEMS auto-mitigation without confirming the server is still connected
  • No OWA session or access-log review between incidents
  • Every Exchange zero-day handled as a weekend emergency
  • Ageing on-premises hardware carrying single points of failure
  • No documented CE v3.3 14-day patching SLA for mail infrastructure

Proactive posture

Where Cloudswitched Cloud Email takes you

  • Mail platform patched centrally by Microsoft — no server SU weekends
  • No ESU cost, no end-of-support cliff, no hardware refresh cycle
  • Exchange Online Protection, ATP anti-phishing and DLP built in
  • SPF, DKIM and DMARC configured and maintained as standard
  • Conditional access, MFA and session controls on every mailbox
  • Zero-days handled by the vendor before most tenants are aware
  • 99.9% cloud uptime SLA with no single on-premises point of failure
  • CE v3.3 patching evidence trail maintained as a managed service

The 10-step Microsoft 365 migration plan every UK SME should run this week

This plan does two things at once. Steps 1–4 close the immediate CVE-2026-42897 exposure on your existing on-premises Exchange — because you must be safe today regardless of your longer-term direction. Steps 5–10 lay out a controlled, zero-downtime migration to Exchange Online and Microsoft 365, so that this is the last Exchange zero-day you ever have to firefight. Cloudswitched has delivered 200+ Microsoft 365 migrations and moved 20,000+ users, and this is the structure we follow.

Step 1 — Confirm June 2026 SU status on every Exchange server (and ESU enrolment)
Day 0 — Immediate
Step 2 — Verify EEMS is connected and mitigation M2.1.0 is (or was) applied
Day 0
Step 3 — Review OWA access logs for anomalous sessions since mid-May 2026
Day 0–1
Step 4 — Apply the June SU (with ESU) and keep CVE-2026-42897 mitigations in place
Day 1–3
Step 5 — Provision the Microsoft 365 tenant and map mailboxes, licences and roles
Day 3–7
Step 6 — Configure SPF, DKIM, DMARC, MFA and conditional access before cutover
Day 5–10
Step 7 — Run parallel mail routing and batch-migrate mailboxes with verification
Day 7–21
Step 8 — Switch MX records only after every mailbox is migrated and validated
Day 14–28
Step 9 — Add Microsoft 365 backup and decommission the on-premises Exchange server
Day 21–35
Step 10 — Establish ongoing M365 management, licence optimisation and CE v3.3 evidence
Ongoing

Steps 1–4 are non-negotiable and must happen this week whatever else you decide — an actively exploited flaw does not wait for a migration project. Steps 5–10 turn a defensive scramble into a strategic exit: the point at which mail stops being infrastructure you own, patch and worry about, and becomes a managed service the vendor secures on your behalf. Step 8 is the one to respect above all — the MX cutover happens only after every mailbox is migrated and verified, which is what makes a zero-downtime migration possible.

16%
Estimated share of legacy on-premises Exchange SMEs with a documented, in-progress migration to Exchange Online — leaving the large majority absorbing every future zero-day on an out-of-support platform
Practical tip: keep the CVE-2026-42897 mitigations in place even after you patch

Microsoft’s guidance for this flaw is explicit and easy to overlook: keep the CVE-2026-42897 mitigations applied even after installing the June 2026 Security Update. Administrators frequently remove interim mitigations once the “real” patch is in, on the assumption the mitigation is now redundant. For this vulnerability, Microsoft recommends leaving them in place as defence-in-depth. If you cannot apply the June SU immediately — for example, because your Exchange 2016/2019 estate is not yet ESU-enrolled — then, as a temporary measure, restrict internet access to OWA to trusted networks or place a web application firewall in front of it while you complete enrolment and patching. This is a stopgap, not a fix: the durable answer is to remove the on-premises OWA attack surface entirely by migrating to Exchange Online.

What the Exchange pattern tells UK businesses about mail security in 2026

CVE-2026-42897 is not an isolated incident but part of a sustained pattern of on-premises Microsoft server software being targeted through 2025 and 2026 — from Exchange and SharePoint to the wider Patch Tuesday volume UK IT teams now face every month. The common thread is that internet-exposed, on-premises enterprise servers are among the highest-value targets available to threat actors, precisely because so many organisations run them out-of-support, under-patched and under-monitored. The 43% of UK businesses that reported a breach in the last 12 months (Cyber Security Breaches Survey 2025/2026) are disproportionately those still carrying legacy infrastructure they cannot patch fast enough.

The strategic implication for UK SMEs is that mail is no longer a workload worth self-hosting. The three forces converging on legacy Exchange — active exploitation, the EEMS cut-off, and the end of mainstream support with paid-only ESU — will not reverse. Each is a one-way door. Microsoft’s own recommended paths are to upgrade to Exchange Server Subscription Edition or migrate to Exchange Online; for the overwhelming majority of UK SMEs, Exchange Online is the lower-cost, lower-risk destination, with security updates applied centrally, Exchange Online Protection built in, and no hardware or ESU liability. CVE-2026-42897 is best understood not as a patch to apply but as a prompt to act on a migration many UK SMEs have deferred for years.

At-a-glance reference: CVE-2026-42897 key facts

Attribute Detail
CVE identifier CVE-2026-42897
Vulnerability type Cross-site scripting (XSS) in Outlook Web Access (OWA)
CVSS score 8.1 high (Microsoft) — use this figure; NIST NVD scored 6.1 medium
Privileges required None — remote, attacker sends a crafted email opened in OWA
Affected products Exchange Server 2016 CU23, 2019 CU14/CU15, Exchange SE RTM
Not affected Exchange Online / Microsoft 365 — already protected, no action needed
Patch June 2026 Exchange Server Security Update, released 9 June 2026
Interim mitigation EEMS mitigation M2.1.0 — keep applied even after patching
Active exploitation Since mid-May 2026; added to CISA KEV catalogue
Key deadline July 2026 — servers not on June SU stop receiving new EEMS files
Support status Exchange 2016/2019 out of mainstream support since October 2025; Period 2 ESU (May–Oct 2026) costs extra
UK compliance angle NCSC 14-day patching guidance; Cyber Essentials v3.3 14-day SLA; ICO 72-hour breach notification

Related articles from the Cloudswitched news series

CVE-2026-42897 sits within a broader 2026 pattern of on-premises enterprise software being exploited faster than UK SMEs can patch it. Our recent briefings connect directly: the SharePoint CVE-2026-45659 RCE exploit is the same story on Microsoft’s other flagship on-premises server — a critical flaw exploited within weeks of patching; the June 2026 Patch Tuesday (206 CVEs) shows the sheer volume of patch work that produces the 30–40% un-updated lag legacy Exchange servers fall into; the Oracle EBS CVE-2026-46817 payments exploit demonstrates the identical patch-diff reverse-engineering pattern on enterprise ERP; the Cyber Security and Resilience Bill sets out the tightening UK regulatory backdrop that makes documented 14-day patching non-optional; and the Scattered Spider TfL conviction illustrates how session and credential compromise — exactly what an OWA XSS enables — underpins the most damaging UK breaches. For the strategic view, the £2.5bn JLR cyberattack resilience plan shows the board-level cost of infrastructure that cannot be secured fast enough.

Still running on-premises Exchange? This is the moment to plan your exit.

CVE-2026-42897 is actively exploited, and from July 2026 un-updated Exchange servers no longer receive Microsoft’s automatic EEMS mitigations. Cloudswitched Cloud Email with Microsoft 365 has delivered 200+ managed migrations and moved 20,000+ users — with zero-downtime cutover, full SPF/DKIM/DMARC configuration, and no more Exchange patch weekends.

Talk to us about Cloud Email with Microsoft 365

Frequently asked questions

What exactly is CVE-2026-42897 and which Exchange versions are affected?
CVE-2026-42897 is a cross-site scripting (XSS) vulnerability in Outlook Web Access, the browser-based mail client that ships with on-premises Microsoft Exchange Server. Microsoft assigned it a CVSS score of 8.1 (high). An attacker sends a specially crafted email; when the recipient opens it in OWA, arbitrary JavaScript executes in the user’s authenticated browser session, enabling session hijacking, spoofing and credential theft. It affects Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition (SE) RTM. Exchange Online and Microsoft 365 are not affected — those services were protected centrally by Microsoft.
We use Microsoft 365 / Exchange Online. Do we need to do anything?
No action is required for CVE-2026-42897 specifically. Exchange Online is already protected — Microsoft patched the service centrally, so cloud tenants were never exposed to this flaw. This is one of the clearest illustrations of the security advantage of cloud email: the vulnerability was remediated for hosted mailboxes before most administrators were even aware of it, with no maintenance window, no patch testing and no risk of falling behind. If you are on Microsoft 365, the value of this article is as evidence for any remaining on-premises systems you are considering migrating.
Why does Microsoft score this 8.1 when NIST scored it 6.1?
Scoring differences arise because CVSS is calculated from assumptions about the attack context and the realistic impact. NIST’s National Vulnerability Database scored CVE-2026-42897 at 6.1 (medium), while Microsoft scored it 8.1 (high). Microsoft has direct visibility into how the flaw behaves inside real Exchange deployments, and the higher score reflects the practical severity of session compromise in enterprise mail. For enterprise risk decisions you should use Microsoft’s 8.1 figure. CISA’s decision to add the CVE to its Known Exploited Vulnerabilities catalogue confirms that the real-world risk is high, not medium — treating it as a “medium” would be exactly the scoring complacency attackers exploit.
What is EEMS and why does the July 2026 cut-off matter?
The Emergency Mitigation Service (EEMS) is a feature of on-premises Exchange that lets Microsoft push automatic, cloud-delivered interim mitigations to your server when a serious threat emerges — buying time before you can fully test and deploy a patch. For CVE-2026-42897, EEMS auto-applied mitigation M2.1.0 to connected servers. The critical change is that from July 2026, Exchange servers not updated to the June 2026 Security Update can no longer receive new EEMS configuration files. In plain terms: if you fall behind on updates, you also lose your automatic safety net for the next zero-day. That is a permanent reduction in your protection, which is why the cut-off is as significant as the CVE itself.
We run Exchange 2016 or 2019. Can we even get the June 2026 patch?
Only if you are enrolled in Extended Security Updates. Exchange Server 2016 and 2019 left mainstream support in October 2025. Security updates in the Period 2 ESU window (May–October 2026) — which includes the June 2026 Security Update — are only delivered to organisations that have paid for ESU enrolment. Many SMEs discover this only when the patch fails to install. This is a strong signal in its own right: you are now paying extra for security updates on a platform Microsoft is winding down. The June SU will protect you against this specific flaw, but the ESU requirement, the EEMS cut-off and the end of mainstream support together make a compelling case to migrate to Exchange Online rather than keep paying to defend an end-of-life platform.
Should we remove the mitigations after we install the June Security Update?
No. Microsoft’s guidance for CVE-2026-42897 is to keep the mitigations in place even after installing the June 2026 Security Update. This is unusual — administrators typically remove interim mitigations once the full patch is applied — but for this flaw Microsoft recommends retaining them as defence-in-depth. Removing them prematurely could reintroduce exposure. If your change-management process automatically strips interim mitigations post-patch, make an explicit exception for this CVE and document it, so a routine clean-up does not undo your protection.
How would we know if we have already been exploited?
Exploitation of an OWA XSS flaw leaves subtle signs rather than obvious ones. Review OWA and Exchange access logs from mid-May 2026 onwards for anomalous session activity: logins from unexpected locations or IP ranges, session tokens reused from multiple addresses, and unusual OWA client behaviour. Check mailboxes for suspicious inbox rules (especially auto-forwarding to external addresses), unexplained sent items, and mailbox permission changes. Because the attack runs as a legitimate user, internal email that appears genuine but is out of character — particularly finance or payment requests — is a warning sign. If you find evidence of compromise, preserve logs before making changes, and if personal data may have been accessed, the ICO 72-hour breach-notification clock begins from the point you become aware.
How does this affect our Cyber Essentials certification?
Cyber Essentials v3.3 requires critical and high-severity vulnerabilities to be patched within 14 days of a fix becoming available, aligning with NCSC guidance. CVE-2026-42897 is a high-severity flaw with a patch released on 9 June 2026, so the compliant deadline for certified or certifying organisations was around 23 June 2026. If you run on-premises Exchange and had not applied the June Security Update by then, you are technically non-compliant with the patching requirement of your certification. Migrating mail to Exchange Online removes this class of problem entirely, because the platform is patched centrally by Microsoft and the update lag that breaches the 14-day window simply does not arise for hosted mailboxes.
Is migrating to Microsoft 365 disruptive? We cannot afford email downtime.
A properly managed migration is designed for zero downtime. The technique is parallel mail routing: your new Microsoft 365 tenant is provisioned, security is configured (SPF, DKIM, DMARC, MFA, conditional access), and mailboxes are migrated in batches with verification, all while your existing Exchange server continues to receive mail. Only once every mailbox is migrated and validated do we switch the MX records to route incoming mail to Microsoft 365. Users keep working throughout, and the cutover itself is typically scheduled out of hours. For a small office of 10–50 users this can be completed over one to three weekends; larger or hybrid estates are phased. Cloudswitched has run 200+ such migrations and moved 20,000+ users using this approach.
What does a Cloudswitched Microsoft 365 migration actually include?
A managed Cloud Email migration covers the full lifecycle: an initial assessment of your current mail environment and mailbox inventory; tenant provisioning and licence mapping to the right Microsoft 365 plan for each user; security configuration including SPF, DKIM, DMARC, MFA and conditional access; batch mailbox, calendar and contact migration with verification; DNS and MX cutover only after every mailbox is confirmed; mobile device re-provisioning and user guidance; and decommissioning of the old on-premises Exchange server. Because Microsoft does not back up Microsoft 365 data by default, we also recommend and can configure a dedicated Microsoft 365 backup. After migration, ongoing management covers licence optimisation, security monitoring and the Cyber Essentials v3.3 patching evidence trail — so mail becomes a managed service rather than an infrastructure liability. Migrations can run as a one-off project or within our ongoing IT support and admin programmes.

Make CVE-2026-42897 the last Exchange zero-day you ever firefight

On-premises Exchange now means active exploits, paid ESU, and the loss of automatic EEMS mitigations from July 2026. Exchange Online was never affected. Cloudswitched Cloud Email with Microsoft 365 moves your mail to a platform Microsoft secures centrally — 200+ migrations delivered, 20,000+ users moved, zero-downtime cutover, and full email security configured as standard. If you are still on legacy Exchange, this is the week to plan the move.

Talk to us about Cloud Email with Microsoft 365
Tags:Microsoft 365Cyber SecurityIT SupportCyber Essentials
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Cloud Email Solutions

Microsoft 365 email migration, management and security for your team

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

11
  • Azure Cloud

How to Secure Your Azure Environment: Best Practices

11 Mar, 2026

Read more
17
  • Cloud Networking

Meraki vs Ubiquiti: Which Cloud Networking Platform to Choose?

17 Jan, 2026

Read more
18
  • VoIP & Phone Systems

The Future of Business VoIP: AI and Emerging Trends

18 Mar, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.