The ongoing evolution of Microsoft’s software services often presents a dual-edged sword; while new features and updates are beneficial, they can simultaneously usher in unexpected issues. Recent reports have delineated substantial CPU usage spikes in the classic Outlook client, the disabling of ActiveX controls in Microsoft 365, and impending end-of-support notifications for both Exchange Server 2016 and 2019. Each of these developments carries implications for organizations that depend on Microsoft’s ecosystem for email communication and application functionality. This blog post examines these issues, their technical aspects, and the recommendations provided by Microsoft, underlining the need for proactive measures.

CPU Usage Spikes in Microsoft Outlook

Recently, Microsoft acknowledged significant CPU spikes when users type messages in its classic Outlook email client. This anomaly surfaced following numerous reports primarily from users utilizing Outlook versions 2406 Build 17726.20126 and later. Users observed CPU utilization soaring between 30% to 50%, particularly during typing sessions, leading to degraded performance.

Recommended Workarounds

As Microsoft’s engineers continue investigating the core issue, they advise users experiencing CPU spikes to transition to the Semi-Annual Channel (SAC) to mitigate the impact. This can be accomplished by modifying the Windows Registry, which allows users to manage update channels effectively. Affected IT admins can also deploy Group Policy settings, leveraging tools like the Office Deployment Tool, Microsoft Endpoint Configuration Manager, or Microsoft Intune for mass deployment.

Additional Context

Adding context, performance issues tied to updates are not uncommon in software ecosystems. A retrospective glance at incident reports indicates that such issues often involve compatibility problems with add-ons and built-in features. Furthermore, Microsoft’s proactive identification of issues highlights their responsiveness to user feedback, fostering a collaborative atmosphere.

ActiveX Controls Blocked by Default in Microsoft 365

In a significant shift aimed at improving security, Microsoft is disabling ActiveX controls by default in its Microsoft 365 and Office 2024 applications. ActiveX, a legacy platform over two decades old, has long been known for its susceptibility to zero-day vulnerabilities and various attack vectors, notably by threat actors utilizing it as a means to install malware within enterprise environments.

Security Implications and User Guidance

The enforcement of this policy, which will block ActiveX without user warnings, is part of Microsoft’s ongoing strategy to eliminate outdated features that pose security risks. Users will encounter notifications if they attempt to open documents containing ActiveX controls, emphasizing the importance of exercising caution with any unexpected file attachments.

For those requiring ActiveX functionalities for critical business operations, Microsoft provides a method to re-enable ActiveX through the Trust Center settings. However, it heavily encourages organizations to keep these controls disabled unless absolutely necessary, aligning with the principle of least privilege to bolster cybersecurity postures.

End of Support for Microsoft Exchange 2016 and 2019

As of October 14, 2025, Microsoft Exchange 2016 and 2019 will reach end-of-support status. The discontinuation of security updates correlates directly to heightened risks from unpatched vulnerabilities, leaving organizations vulnerable to potential attacks.

Migration Recommendations

Microsoft encourages admins to consider migrating to Exchange Server Subscription Edition (SE) or to Exchange Online, offering pathways for organizations to transition away from legacy systems while enhancing security and operational efficiency.

In-place and Legacy Upgrade Options:

1. In-place upgrades: For Exchange 2019 installations looking to transition to Exchange SE.
2. Legacy upgrades: For Exchange 2016 installations, including a side-by-side upgrade to Exchange 2019 followed by an in-place upgrade to Exchange SE.

The overarching guidance emphasizes the urgent need for organizations to assess their current Exchange deployments and migrate accordingly to avoid operating in a security-averse environment post-end-of-support.

Additional Considerations for Cybersecurity Resilience

Increasing Threat Landscape

The decision to disable ActiveX controls and the warnings surrounding Exchange’s end of support reflect a broader security landscape fraught with persistent threats. Cybercriminals continuously exploit legacy software vulnerabilities, and Microsoft’s modifications serve as a blanket effort to mitigate potential breaches.

Utilizing Security Tools

Organizations should consider employing various additional security measures, such as leveraging Microsoft’s Advanced Threat Protection (ATP) services, which offer intelligent detection and prevention capabilities tailored to Office applications.

Conclusion

As these critical changes in Microsoft’s software ecosystem unfold, IT professionals and cybersecurity teams must remain vigilant. Monitoring developments, responding promptly to performance issues, and adhering to recommended best practices will be essential to safeguarding corporate environments against evolving threats. By strategically navigating these updates, organizations can better fortify their defenses and maintain operational integrity in an increasingly complex cybersecurity landscape.