Microsoft disables Basic authentication in Exchange Online to fight password spray attacks

Microsoft has disabled Basic authentication in Exchange Online tenants to help fight against password spray attacks. Attackers are stepping up attacks in anticipation, Microsoft warns.

A password spray attack is when an attacker attempts a larger number of usernames and common passwords to brute force victim’s system to find credentials that work. Often times, hackers will also distribute scanning of their targets and changing their source IPs.

Microsoft has long warned of their plans to disable Basic authentication in Exchange Online.

In early 2021, Microsoft began to disable Basic authentication for existing tenants where no usage was reported.

In September 2021, Microsoft announced the company would begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online starting on October 1, 2022.

Microsoft added justification for the move in a more recent blog post on October 3, 2022.

“This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication,” Microsoft explained.

The Microsoft Exchange Team is observing more recent, frequent password spray attacks, likely in anticipation of Microsoft disabling Basic authentication.

“We have recently seen several indicators that show that many of our customers are being targeted by password spray attacks that leverage basic authentication,” Microsoft added.

Moreover, attackers are most often targeting SMTP and IMAP protocols, with POP as third on the list.

As a result, Microsoft recommends customers setup Exchange Online Authentication Policies to ensure only accounts technically required to use basic authentication with a specific protocol are specified.

Finally, Microsoft provided additional guidance to customers who may need additional time to transition off of Basic authentication, such as one-time re-enablement, how to avoid disruption, and diagnostic tips.

Microsoft plans to permanently turn off Basic authentication for all protocols starting on January, 2023.

Related Articles