Microsoft warns Exchange Online basic auth will be disabled

By Sergiu Gatlan, Bleeping Computer

Microsoft warned customers today that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.

This reminder comes after the company's September announcement and after seeing that there are still lots of customers who haven't yet moved their clients and apps to Modern Authentication.

Basic Authentication (aka proxy authentication) is an HTTP-based auth scheme apps use to send locally stored credentials in plain text to servers, endpoints, or online services.

This lets attackers capture credentials via man-in-the-middle attacks over TLS or guess them in password spray attacks. They can also steal the clear-text credentials from apps using basic auth through various tactics, including info-stealing malware and social engineering.

Modern Authentication (Active Directory Authentication Library and OAuth 2.0 token-based authentication) uses OAuth access tokens with a limited lifetime that can't be reused to authenticate to resources other than the ones they were issued for.
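To make the contrast concrete, here is an added Python illustration (not code from the article or from Microsoft): it decodes a Basic Authorization header to show that the password is fully recoverable by anyone who captures it, and reads the aud and exp claims of a Bearer token to show that a captured token is tied to one resource and a short lifetime. The header values, the resource URLs and the unsigned JWT are constructed for offline use; real tokens must have their signature verified before any claim is trusted.

```python
import base64
import binascii
import json
import time

# Constructed helpers so the example runs offline; no real credentials or tokens.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_basic_header(user: str, password: str) -> str:
    """Basic auth: the header is just base64(user:password), which is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def make_demo_jwt(aud: str, exp: int) -> str:
    """Unsigned demo JWT (alg=none) for illustration only; real tokens are signed and must be verified."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "exp": exp}).encode())
    return f"Bearer {header}.{payload}."

def inspect_authorization(header: str, expected_aud: str, now: int = None) -> dict:
    """Classify an Authorization header value from a defender's point of view.

    Basic: the value decodes back to user:password, so whoever captures it holds a
    password that works wherever the user reuses it. Bearer: the token carries an
    audience (aud) and expiry (exp), so it is only good for that resource, until then.
    """
    now = int(time.time()) if now is None else now
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            user, _, _pw = base64.b64decode(value, validate=True).decode().partition(":")
        except (binascii.Error, UnicodeDecodeError):
            return {"scheme": "basic", "risk": "malformed credential"}
        return {"scheme": "basic", "user": user, "reusable_password": True,
                "risk": "password recoverable by anyone who captures this header"}
    if scheme == "bearer":
        parts = value.split(".")
        if len(parts) != 3:
            return {"scheme": "bearer", "risk": "opaque token; claims not inspectable"}
        claims = json.loads(_b64url_decode(parts[1]))  # unverified: demo only
        aud_ok = claims.get("aud") == expected_aud
        expired = claims.get("exp", 0) <= now
        return {"scheme": "bearer", "aud": claims.get("aud"), "aud_matches": aud_ok,
                "expired": expired, "usable_here": aud_ok and not expired}
    return {"scheme": scheme, "risk": "unrecognised scheme"}
```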

To make things even worse, enabling multi-factor authentication (MFA) is quite complicated when using basic auth, and it often isn't used at all.

After switching on modern auth, enabling and enforcing MFA becomes a lot less complicated, allowing for better security in Exchange Online as a direct and immediate result.

"As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing," the Exchange team said.

"We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack."

Microsoft will disable Basic Auth for the MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols.

SMTP AUTH has already been disabled on millions of tenants that weren't using it, and Microsoft will not disable it where it's still in use.
