Microsoft's Exchange team is warning Exchange Online users that many of its customers are being targeted by password spray attacks that exploit Basic Authentication.
The warning comes as Microsoft begins turning off Basic Authentication, or "Basic Auth", in Exchange Online tenants worldwide from October 1, 2022. Microsoft explains here why it is deprecating Basic Auth for Exchange Online. The process will also prevent the use of passwords in apps that don't support two-step verification.
The US Cybersecurity and Infrastructure Security Agency (CISA) warned organizations in June about the upcoming move. Basic Auth doesn't support multi-factor authentication (MFA), which would prevent most password-spraying and password-guessing attacks.
Microsoft first warned organizations about the Basic Auth plan in 2019. It originally planned to switch off Basic Auth in the second half of 2021, but in February 2021 delayed this plan due to the pandemic – and eventually set a deadline for October 2022.
"The only reason we're turning off basic auth in Exchange Online is to protect your users and data. The evidence I see every day clearly indicates that password spray attacks are becoming more frequent," says Greg Taylor of Microsoft's Exchange Team.
Password spraying involves an attacker trying to crack a range of user accounts using a list of common and weak passwords; some of the guessed combinations work. It's also cunning because the attack keeps changing usernames, which means the targeted accounts constantly change too, so no single account trips an automatic lockout. Attackers can also keep changing their source IP address to conceal that an attack is taking place.
"It's a numbers game essentially, and computers are quite good at numbers. And as attacks go, it works," says Taylor. By far the most commonly attacked messaging protocols are SMTP and IMAP, followed by a distant-third protocol, POP.
Microsoft will gradually shut down Basic Auth by the end of 2022 and will do so by randomly selecting tenants; it will send a seven-day warning before doing so. Microsoft has already turned off SMTP AUTH for millions of tenants not using it, but has opted not to touch SMTP AUTH if the customer has it enabled in their tenant. It does, however, recommend customers disable it at the tenant level and re-enable it only for user accounts that still need it.
Taylor says customers should immediately set up Exchange Online Authentication Policies to "ensure only the accounts that you know should be using basic auth with specific protocols, can use basic auth with these protocols."
He adds that customers should start with SMTP and IMAP immediately. There are several more protocols Microsoft is disabling Basic Auth for, including MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.
The Exchange Team's blog post provides links to documentation and third-party community expert resources. It also outlines the strategy customers should use, via policies, to lock down Exchange Online in a way that prevents password-spraying attacks. The team notes, however, that apps like Outlook use multiple protocols and might require a combination of policies.
"Because we are not disabling SMTP Auth, and SMTP is one of the most frequently attacked protocols, you should make it a priority to set up an Authentication Policy for SMTP and limit your attack surface," the Exchange Team notes.
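The lock-down strategy described above, written out as an added Exchange Online PowerShell example (this is not code from the article or from Microsoft's post); the policy names, the mailbox address and the ExchangeOnlineManagement connection are assumptions.

```powershell
# Added example: block Basic Auth tenant-wide, then carve out narrow exceptions.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# holds Exchange admin rights; policy and mailbox names are placeholders.
Connect-ExchangeOnline

# 1. Default policy for the whole tenant. New-AuthenticationPolicy blocks Basic Auth
#    for every protocol unless an -AllowBasicAuth* switch is given, so no switches here.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 2. Exception policy for the few accounts that still need legacy SMTP/IMAP clients
#    (for example a multifunction printer that relays scans). Only those two protocols
#    are allowed; MAPI, EWS, POP, EAS, Remote PowerShell and the rest stay blocked.
New-AuthenticationPolicy -Name "Allow Basic Auth SMTP IMAP" -AllowBasicAuthSmtp -AllowBasicAuthImap
Set-User -Identity "printer-relay@example.com" -AuthenticationPolicy "Allow Basic Auth SMTP IMAP"

# 3. SMTP AUTH is not being switched off by Microsoft where it is enabled, so disable it
#    at the tenant level and re-enable it per mailbox only where it is genuinely needed.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity "printer-relay@example.com" -SmtpClientAuthenticationDisabled $false

# 4. Verify: show each policy's SMTP/IMAP settings and every user pinned to a non-default policy.
Get-AuthenticationPolicy | Format-Table Name, AllowBasicAuthSmtp, AllowBasicAuthImap
Get-User -ResultSize Unlimited | Where-Object { $_.AuthenticationPolicy } |
    Select-Object DisplayName, UserPrincipalName, AuthenticationPolicy
```

Authentication policy changes can take up to 24 hours to apply to existing sessions; to enforce them immediately for a user, run `Set-User -Identity <user> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)`.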