Microsoft updated the deprecation timeline for SMTP AUTH Basic Authentication in Exchange Online, clarifying the milestones for customers moving to modern authentication. Until December 2026 nothing changes: tenants keep whatever SMTP AUTH setting they have today. After that, SMTP AUTH Basic Authentication will be disabled by default, but administrators can still re-enable it at the tenant or mailbox level. Tenants created after December 2026 will not have SMTP AUTH Basic Authentication available by default, with OAuth 2.0 as the supported authentication method for SMTP client submission. Microsoft plans to announce a final removal date in late 2027. This is not the first time the timeline has moved.
In a concerning incident, acting cyber chief Madhu Gottumukkala uploaded sensitive files into the public version of ChatGPT, raising alarms at the Cybersecurity and Infrastructure Security Agency (CISA). Cybersecurity sensors flagged these uploads multiple times in early August, prompting an internal review by the Department of Homeland Security to assess the extent of any exposure. CISA’s Director of Public Affairs stated that Gottumukkala had permission to use ChatGPT under specific controls, emphasizing that this access was limited and temporary. However, material uploaded to the consumer version of ChatGPT is retained by OpenAI and, under the service's default consumer settings, may be used to train its models; once uploaded, the data is outside the agency's control, which is the real concern. Gottumukkala, who has led CISA in an acting capacity since May, has faced scrutiny over this and other security-related incidents during his tenure.
Why do we care?
Microsoft keeps moving the SMTP AUTH deadline because it can. Not because it’s right—because customers haven’t forced the issue.
Now layer that onto the CISA situation. This isn’t a junior analyst mistake. This is a senior official putting sensitive material into a public AI system and relying on “permission” as the control. Permission answers who may use the tool; it says nothing about what data may leave, where it is stored, or who can read it afterwards, and a sensor alert after the upload is not a substitute for preventing it. That’s not governance, that’s hope with paperwork. This isn’t an edge case; it’s a preview of what happens when AI adoption outpaces data control.
Put those together and you get the real risk MSPs need to see: authority without enforcement.
If you’re telling clients that AI use is fine because “it’s approved,” without enforcing where data can go or how it’s audited, you’re normalizing risk in a new domain. Leaving SMTP AUTH enabled “just in case” is the same behavior—just older and more familiar.
The consequence isn’t abstract. It’s client exposure, regulatory trouble, and reputational damage that you will be asked to explain. Vendors won’t own it. Agencies won’t either.
This matters now because the pattern is set. Security controls that are optional will be bypassed. AI tools that are convenient will be misused. And MSPs who don’t force secure defaults will end up acting as cleanup crews instead of trusted advisors.
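Forcing the secure default on the SMTP AUTH side is a concrete, scriptable job, so here is an added example of what that looks like in practice. This is not code from the page or from Microsoft; it uses the ExchangeOnlineManagement module's real cmdlets (Get-TransportConfig, Set-TransportConfig, Get-CASMailbox, Set-CASMailbox), and the allow-list of mailboxes is a hypothetical placeholder for the devices you have confirmed cannot yet do OAuth. It first reports which mailboxes can still authenticate with Basic Auth today, then disables SMTP AUTH tenant-wide and re-enables it only for the allow-list, so "just in case" exceptions become deliberate, auditable ones.

```powershell
# Added example: audit and enforce SMTP AUTH Basic Auth posture in Exchange Online.
# Not the page's or Microsoft's own code. Requires the ExchangeOnlineManagement module
# and an account with Exchange administrator rights.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Hypothetical allow-list: the only mailboxes that may keep SMTP AUTH until the
# device behind them is replaced or moved to OAuth. Replace with your own.
$AllowList = @('scanner-hq@contoso.example', 'legacy-alerts@contoso.example')

# 1. Tenant-wide switch. $true means SMTP AUTH is off for every mailbox unless a
#    mailbox explicitly re-enables it.
$Transport = Get-TransportConfig
Write-Host ("Tenant-wide SMTP AUTH disabled: {0}" -f $Transport.SmtpClientAuthenticationDisabled)

# 2. Per-mailbox overrides. A blank ($null) value means "inherit the tenant
#    setting"; $false means the mailbox explicitly allows SMTP AUTH.
$Mailboxes = Get-CASMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

$Explicit = @($Mailboxes | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })
$Inherit  = @($Mailboxes | Where-Object { $null -eq $_.SmtpClientAuthenticationDisabled })

# Mailboxes that can authenticate with Basic Auth right now: explicit exceptions
# always, plus every inheriting mailbox if the tenant switch is still off.
$Exposed = if ($Transport.SmtpClientAuthenticationDisabled) { $Explicit } else { $Explicit + $Inherit }
$Exposed | Export-Csv -NoTypeInformation -Path .\smtp-auth-exposure.csv
Write-Host ("Mailboxes that can still use SMTP AUTH Basic: {0}" -f @($Exposed).Count)

# 3. Enforce the secure default: disable tenant-wide, clear stale per-mailbox
#    exceptions, then re-enable only the allow-list.
if (-not $Transport.SmtpClientAuthenticationDisabled) {
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}
foreach ($m in $Explicit) {
    $addr = $m.PrimarySmtpAddress.ToString()
    if ($AllowList -notcontains $addr) {
        # $null removes the override so the mailbox inherits the tenant default.
        Set-CASMailbox -Identity $addr -SmtpClientAuthenticationDisabled $null
    }
}
foreach ($addr in $AllowList) {
    Set-CASMailbox -Identity $addr -SmtpClientAuthenticationDisabled $false
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 3 with -WhatIf on the three Set-* cmdlets first and review the exported CSV with the client before the real change; the CSV is also the artifact you keep, because it records which mailboxes were exposed and which exceptions were approved and why.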

