Affected environment
CVE-2026-48579 affects Exchange Online and describes information disclosure caused by improper authorization. For operators of on-premises Exchange servers, this is not a normal patch case: the issue was remediated in the cloud service, and no local security update or Exchange Online configuration change is expected for this CVE.
That does not make the advisory irrelevant. For cloud-side fixes, tenant teams still need to know whether mailbox access, broad permissions or missing audit coverage could hide suspicious activity.
Checks to run
- Prove mailbox auditing: Confirm that user and admin access events are available and retained long enough for critical mailboxes.
- Review delegated rights: Check FullAccess, SendAs, SendOnBehalf and Exchange/Graph application permissions for owner, purpose and expiry date.
- Inspect unusual access: Prioritize MailboxLogon, MailItemsAccessed, Search and Export activity for privileged or sensitive mailboxes.
- Check transport and forwarding rules: Review new inbox rules, forwarding settings, journal rules and connector changes for unexpected destinations.
- Keep response evidence: Record which tenants were checked, which period was reviewed and which exceptions remain open.
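The access, forwarding and delegation checks above can be run as a first-pass triage over exported audit records. The following is an added example, not code from the advisory or from Microsoft: it assumes the records were exported as one JSON object per line using the unified audit log AuditData field names (Operation, UserId, MailboxOwnerUPN, LogonType, ObjectId, Parameters), where the logon action appears as the operation MailboxLogin. The domain names, the sensitive-mailbox list, the function names and the sample records are all constructed for illustration.

```python
import json

# Assumptions for this example: the tenant's own domains and the mailboxes treated as sensitive.
INTERNAL_DOMAINS = {"contoso.example"}
SENSITIVE = {"ceo@contoso.example", "finance@contoso.example"}
ACCESS_OPS = {"MailItemsAccessed", "MailboxLogin"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "ForwardingSmtpAddress"}
GRANT_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}

def is_external(value):
    """True if any address in a rule or forwarding value lies outside the tenant's domains."""
    for part in value.replace(";", ",").split(","):
        addr = part.strip().split(":")[-1].lower()  # drop an "smtp:" style prefix
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            return True
    return False

def triage(records):
    """Return (finding, mailbox, detail) tuples for records that need a human review."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        params = {p["Name"]: p.get("Value", "") for p in rec.get("Parameters", [])}
        owner = rec.get("MailboxOwnerUPN", "").lower()
        logon = rec.get("LogonType", 0)
        if op in ACCESS_OPS and owner in SENSITIVE and logon != 0:
            detail = f"{op} by {rec.get('UserId')} ({LOGON_TYPES.get(logon, 'Other')})"
            findings.append(("non-owner-access", owner, detail))
        for name in sorted(FORWARD_PARAMS & params.keys()):
            if is_external(params[name]):
                findings.append(("external-forward", rec.get("ObjectId", owner), f"{op} {name}={params[name]}"))
        if op in GRANT_OPS:
            who = params.get("User") or params.get("Trustee")
            findings.append(("rights-granted", rec.get("ObjectId", ""), f"{params.get('AccessRights')} to {who}"))
    return findings

# Constructed sample records (not real tenant data), one AuditData object per line.
SAMPLE = [json.loads(line) for line in """
{"CreationTime":"2026-01-10T08:00:00","Operation":"MailItemsAccessed","UserId":"ceo@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonType":0}
{"CreationTime":"2026-01-10T08:05:00","Operation":"MailItemsAccessed","UserId":"helpdesk@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonType":2}
{"CreationTime":"2026-01-10T09:00:00","Operation":"New-InboxRule","UserId":"finance@contoso.example","ObjectId":"finance@contoso.example","Parameters":[{"Name":"ForwardTo","Value":"smtp:archive@external.example"}]}
{"CreationTime":"2026-01-10T09:30:00","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"finance@contoso.example","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@contoso.example"}]}
{"CreationTime":"2026-01-10T10:00:00","Operation":"Add-MailboxPermission","UserId":"admin@contoso.example","ObjectId":"ceo@contoso.example","Parameters":[{"Name":"User","Value":"helpdesk@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}
""".strip().splitlines()]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Each finding is a prompt for review rather than a verdict: a delegate access or a new FullAccess grant is acceptable when it maps to a recorded owner, purpose and expiry date.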
Fast evidence
- Do not schedule a local patch window for this Exchange Online vulnerability.
- Prioritize audit and permission review for privileged mailboxes.
- Assign an owner and expiry date to every open app or mailbox exception.
If only one action is possible immediately: prove mailbox audit coverage and delegated Exchange/Graph rights for admin, VIP and shared mailboxes.
