Exchange Online users are warned about the increasing number of password spray attacks that use Microsoft’s Exchange Basic Authentication feature.
The warning from Microsoft’s Exchange team comes as the Basic Authentication (Basic Auth), “an outdated industry standard”, is gradually being deprecated for Exchange Online, beginning October 1, 2022.
The goal is to implement multi-factor authentication (MFA), which would prevent most password-spraying and password-guessing attacks.
Microsoft first announced the change in 2019 and planned it for 2021, but it was postponed because of the pandemic.
What Are Password Spray Attacks?
In a password spray attack, a kind of brute-force attack, the attacker tries a short list of popular passwords against a large number of usernames on the target system to see whether any combination works. It is often hard to detect: because each attempt targets a different account, no single account accumulates enough failures to trigger a lockout. Attackers also spread their attempts across multiple targets and frequently change their source IP address.
“It’s a numbers game essentially, and computers are quite good at numbers. And as attacks go, it works,” explains Microsoft’s Exchange Team in a blogpost.
The most commonly attacked protocols are SMTP and IMAP; POP comes next, but at a large distance.
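The pattern described above (one source, a few failures spread across many accounts, mostly over legacy protocols) is what a defender looks for in sign-in logs. The following is an added example, not code from the article or from Microsoft: it runs that check over constructed sign-in records whose field names (Time, User, IP, Client, Status) and client values are modelled loosely on an Azure AD sign-in log export and are assumptions; the thresholds are likewise assumptions to tune per tenant.

```powershell
# Added example, not from the article: flag the password-spray pattern the text
# describes (one source trying a few passwords against many different accounts).
# The records below are constructed sample data; adapt the property names to
# the columns of your real sign-in export.
$signIns = @(
    [pscustomobject]@{ Time = '2022-09-01T10:00:05Z'; User = 'alice@contoso.example'; IP = '203.0.113.10'; Client = 'IMAP4';              Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:00:09Z'; User = 'bob@contoso.example';   IP = '203.0.113.10'; Client = 'IMAP4';              Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:00:14Z'; User = 'carol@contoso.example'; IP = '203.0.113.10'; Client = 'IMAP4';              Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:00:20Z'; User = 'dave@contoso.example';  IP = '203.0.113.10'; Client = 'Authenticated SMTP'; Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:00:27Z'; User = 'erin@contoso.example';  IP = '203.0.113.10'; Client = 'IMAP4';              Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:00:33Z'; User = 'frank@contoso.example'; IP = '203.0.113.10'; Client = 'IMAP4';              Status = 'Failure' }
    # One user mistyping a password is not a spray: one account, several failures, then success.
    [pscustomobject]@{ Time = '2022-09-01T10:05:00Z'; User = 'bob@contoso.example';   IP = '198.51.100.7'; Client = 'IMAP4';              Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:05:10Z'; User = 'bob@contoso.example';   IP = '198.51.100.7'; Client = 'IMAP4';              Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:05:20Z'; User = 'bob@contoso.example';   IP = '198.51.100.7'; Client = 'IMAP4';              Status = 'Failure' }
    [pscustomobject]@{ Time = '2022-09-01T10:05:30Z'; User = 'bob@contoso.example';   IP = '198.51.100.7'; Client = 'IMAP4';              Status = 'Success' }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # Thresholds are assumptions; tune them to tenant size and baseline noise.
        [int] $MinDistinctUsers   = 5,
        [int] $MaxFailuresPerUser = 3,
        # Legacy protocols the article names as the most attacked; the values are
        # modelled on the Client App column of the sign-in log (assumption).
        [string[]] $LegacyClients = @('IMAP4', 'POP3', 'Authenticated SMTP')
    )
    $Records |
        Where-Object { $_.Status -eq 'Failure' -and $LegacyClients -contains $_.Client } |
        Group-Object -Property IP |
        ForEach-Object {
            # @() keeps a single group from collapsing into one GroupInfo object.
            $perUser    = @($_.Group | Group-Object -Property User)
            $maxPerUser = ($perUser | Measure-Object -Property Count -Maximum).Maximum
            # Spray signature: many distinct accounts, but only a few failures on each,
            # which is exactly why per-account lockout never fires.
            if ($perUser.Count -ge $MinDistinctUsers -and $maxPerUser -le $MaxFailuresPerUser) {
                [pscustomobject]@{
                    SourceIP      = $_.Name
                    DistinctUsers = $perUser.Count
                    TotalFailures = $_.Count
                    Clients       = (@($_.Group.Client | Sort-Object -Unique)) -join ', '
                    FirstSeen     = @($_.Group.Time | Sort-Object)[0]
                    LastSeen      = @($_.Group.Time | Sort-Object)[-1]
                }
            }
        }
}

# On the sample data only 203.0.113.10 is reported: six accounts, one failure each.
Find-PasswordSpray -Records $signIns | Format-Table -AutoSize
```

The check deliberately ignores 198.51.100.7, where one user fails three times and then succeeds; that is a typo, not a spray. Because attackers rotate source addresses, a production version would also group by user-agent or by a short time window across IPs, not by IP alone.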
What Is Changing
“Microsoft will gradually shut down Basic Auth by the end of 2022 and will do so by randomly selecting tenants; it will send a seven-day warning before doing so. Microsoft has already turned off SMTP AUTH for millions of tenants not using it, but has opted not to touch SMTP AUTH if the customer has it enabled in their tenant. It does, however, recommend customers disable it at the tenant level and re-enable it only for user accounts that still need it”, according to ZDNet.
Customers are advised to start implementing the change for SMTP and IMAP as soon as possible. Basic Auth will also be disabled for several other Microsoft protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.
We actively recommend that customers adopt security strategies such as Zero Trust (Never Trust, Always Verify) or apply real-time assessment policies when users and devices access corporate information. These approaches allow intelligent decisions about who is trying to access what, from where, and on which device, rather than simply trusting an authentication credential that could belong to a bad actor impersonating a user.
How To Implement the Authentication Changes
The Exchange Team’s blog provides extensive documentation on how to set up Authentication Policies. The post stresses that this mechanism is designed to prevent password-spraying attacks.
However, users are warned that some apps, such as Outlook, use multiple authentication protocols and might need some “combination” policies.
One blog post also shows how you can implement the new Authentication Policies (using IMAP as an example):
“Use Azure AD Sign in reports to determine who is legitimately using basic auth with IMAP in your tenant.
Create an Authentication Policy in your tenant that allows Basic Auth with IMAP.”
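The two quoted steps, together with the ZDNet advice earlier on the page to disable SMTP AUTH at the tenant level and re-enable it only for the accounts that need it, translate into a short Exchange Online PowerShell session. The block below is an added example, not code from the article, the Exchange Team blog or ZDNet. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an Exchange administrator role, and that every address and policy name is a placeholder for your own tenant.

```powershell
# Added example, not from the article or from Microsoft: tenant-level hardening
# against Basic Auth password spraying with Exchange Online PowerShell.
# All addresses and policy names below are placeholders (assumptions).
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. SMTP AUTH: off for the whole tenant, then back on only for the mailboxes
#    that still need it (the "disable at tenant level, re-enable per user" advice).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity 'scanner@contoso.example' -SmtpClientAuthenticationDisabled $false

# 2. A new Authentication Policy blocks Basic Auth for every protocol by default.
#    Making it the tenant default means users without an explicit policy inherit it.
New-AuthenticationPolicy -Name 'Block Basic Auth'
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 3. Exception policy for the users the sign-in reports showed still using
#    Basic Auth with IMAP (step 1 of the quoted procedure); only IMAP is allowed.
New-AuthenticationPolicy -Name 'Allow Basic Auth IMAP' -AllowBasicAuthImap
Set-User -Identity 'legacy-mailer@contoso.example' -AuthenticationPolicy 'Allow Basic Auth IMAP'

# Policy changes can take up to 24 hours to propagate; refreshing the user's
# token validity timestamp makes the assignment take effect sooner.
Set-User -Identity 'legacy-mailer@contoso.example' -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 4. Verify what each policy actually allows before closing the session.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
```

Keep the exception policy scoped to the handful of identities that genuinely need IMAP with Basic Auth, and revisit it once those clients move to modern authentication: every account left on the exception policy remains a valid target for the spraying the article describes.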