Action Needed: Upgrade your Outlook Add-in (Microsoft is deprecating legacy tokens for Exchange Online)

30 Dec 2024

Microsoft is deprecating its legacy tokens for Exchange Online, which may impact your PhishThreat outlook add-in. And the fix is easy; make sure you have the latest version of the add-in. And if you don’t, upgrade it before Feb'2025.

Microsoft has announced the deprecation of legacy exchange tokens for M365 starting from Feb 2025. This is part of their SFI (Secure Future Initiative). They will start turning off the legacy tokens in February 2025, and they recommend publishers to migrate their Outlook add-ins to use Entra ID tokens through nested app authentication (NAA) and Microsoft Graph instead of legacy tokens. More details here: https://devblogs.microsoft.com/microsoft365dev/naa-and-deprecation-of-legacy-tokens/

The Sophos Outlook add-in allows your users to ‘report’ the PhishThreat simulated messages and helps in updating their awareness profiles. The add-in is also used to report real potential phishing and spam emails. When users report a suspicious email using the Sophos Outlook add-in, these tokens help the add-in to identify the simulated messages, forward the reported emails to the mailboxes as configured, and delete those messages.

Sophos Phish Threat’s current add-in (version 1.5.0.0) already uses Entra ID tokens through Microsoft Graph. This add-on was published in Nov 2023 (yes, more than 13 months ago!!). If you are on the latest version (version 1.5.0.0), you do not need to take any action.

If you haven’t upgraded the plug-in in the last 13 months, we recommend you to do so as soon as possible. You will have to remove the existing add-in before adding the latest version. Please note that Microsoft has announced that they will start deprecating the legacy tokens from Feb’25.

To upgrade the Phish Threat add-in,

Step 1: Remove the existing add-in: Delete an add-in

Step 2: Download the latest add-in from Sophos Central and deploy it in Microsoft: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/PhishThreat/SystemSettings/PTOutlookAddin/InstallOutlookAddinPhishThreat/index.html#xml-manifest

Saravanan Subramaniam 13 hours ago

Microsoft doesn’t show the plugin version in the M365 admin. One way of checking the plugin version is to report message from outlook web and look in the network calls as shown below.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Nicholas Brosnan 2 days ago

Hello, is there a way to tell what version you are currently using?
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel