Why Basic Authentication for Exchange Online is So Bad

Time Running Out for Old Email Connection Protocols

I’ve heard some people doubting that Microsoft will remove basic authentication from seven Exchange Online mailbox connection protocols. The argument advanced is that customers won’t allow this to happen because removing Exchange Online basic auth connections will be too disruptive. That is, unless they’ve experienced the unique joy of being the victim of an Exchange password spray attack.

Update: The big switch-off date is now October 1, 2022. On that day, Microsoft will begin the final process of disabling Exchange Online basic auth in Microsoft 365 tenants that still use basic auth for email connections.

Update (September 1): Microsoft is granting tenants the ability to get a three-month extension before retiring basic authentication. See this article for more detail. January 1, 2023 is the new drop-dead date.

Disruption will certainly happen if you’re running obsolete clients like Outlook 2010 which don’t support modern authentication. Or if you use POP3 and IMAP4 to fetch messages and the developers of your email client don’t pick up the new OAuth-compliant versions of these protocols. The biggest issue here is likely to be with devices that use these protocols to connect to Exchange to fetch messages, as I have no idea how the device manufacturers will approach the upgrade. Other issues exist with applications built with Exchange Web Services where programmers don’t quite know how to move forward (this blog by MVP Ingo Gegenwarth might help). Or if you have an old mobile email client which likes to use basic auth with ActiveSync.

Finally, there’s PowerShell… We’ll have to switch to modules which support modern authentication, like the Exchange Online Management module, and upgrade scripts to make sure that authentication still works, especially for scheduled scripts which run without human intervention.
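As an added example (not code from the original post), here is the basic-auth remote PowerShell pattern that stops working once basic auth is retired, beside the Exchange Online Management module connection a scheduled script should use instead. The tenant name, application ID and certificate thumbprint are placeholders; the app registration is assumed to hold the Exchange.ManageAsApp permission and the certificate’s public key.

```powershell
# Added example: old basic-auth remote PowerShell connection versus
# certificate-based app-only authentication for unattended scripts.
# Placeholder values below are assumptions; substitute your own.

# --- Old pattern: basic authentication over remote PowerShell. Kept only
# for comparison; it stops working when basic auth is retired.
# $cred = Get-Credential
# $session = New-PSSession -ConfigurationName Microsoft.Exchange `
#     -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
#     -Credential $cred -Authentication Basic -AllowRedirection
# Import-PSSession $session

# --- New pattern: Exchange Online Management module with certificate-based
# app-only authentication, so no user (and no stored password) is needed.
Import-Module ExchangeOnlineManagement

$Organization = 'contoso.onmicrosoft.com'                 # placeholder tenant
$AppId        = '00000000-0000-0000-0000-000000000000'    # placeholder Azure AD app registration
$Thumbprint   = 'PLACEHOLDER_CERT_THUMBPRINT'             # certificate in the local cert store

function Connect-ExoUnattended {
    param(
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint
    )
    # The private key never leaves this host; Azure AD validates the signed
    # assertion against the public key uploaded to the app registration.
    Connect-ExchangeOnline -AppId $AppId `
        -CertificateThumbprint $CertificateThumbprint `
        -Organization $Organization `
        -ShowBanner:$false
}

try {
    Connect-ExoUnattended -Organization $Organization -AppId $AppId -CertificateThumbprint $Thumbprint
    # Placeholder workload for the scheduled job: any EXO cmdlet works from here.
    Get-EXOMailbox -ResultSize 5 | Select-Object DisplayName, UserPrincipalName
}
finally {
    # Always tear the session down; orphaned sessions count against the tenant limit.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Interactive sessions use `Connect-ExchangeOnline -UserPrincipalName` and complete MFA in the browser; the certificate variant above is the one that replaces stored credentials in scheduled tasks.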

There’s work to be done. Lots of work, but the final goal of eliminating insecure authentication methods from Microsoft 365 is worthwhile. Those who doubt this statement might consider a recent case study by the Microsoft Detection and Response Team (DART), the people who help companies when malicious actors have penetrated networks to create a persistent threat.

A Case Study of a Compromised Office 365 Tenant

The case study explains that attackers obtained the password of the Office 365 administrator via a password spray attack. Multi-factor authentication (MFA) was not enabled on this account. Microsoft says that 99.9% of account compromise attacks are blocked with MFA. Attacks like password sprays, which rely on basic authentication, run into a stone wall when an account uses MFA, which is why MFA should be used by as many Office 365 accounts as possible.

Once the attackers penetrated the administrator account, all of the Microsoft 365 tenant was theirs to exploit. They used content searches to find “interesting” information in mailboxes and extracted and moved the information out of the company in preparation for something like a business email compromise attack. Poor auditing of actions like content searches and non-owner access to mailboxes enabled the attack to succeed. Eventually DART cleaned things up and concluded that

  • MFA should have been used to prevent the attack succeeding on the administrator account.
  • Conditional Access Policies would have helped prevent unauthorized access.
  • Auditing should be part of regular operations.
  • The only safe option is disallowing legacy authentication altogether. Blocking basic authentication for email is a great step forward in removing legacy authentication.
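The third of those conclusions, auditing as part of regular operations, is the one tenants most often skip. As an added example (not code from the original post or from DART), the block below pulls unified audit log records for the activities the case study names, content searches and non-owner mailbox access, and summarises them by actor. The live query needs an existing Connect-ExchangeOnline session; the parsing function is exercised on constructed sample records so the logic runs without a tenant. The operation names and AuditData fields are assumptions based on the eDiscovery and mailbox audit schemas.

```powershell
# Added example: surface the audit events that exposed the attack in the DART
# case study. Operation names assumed: SearchCreated / SearchExported are
# content search (eDiscovery) audit events; MailItemsAccessed is the mailbox
# audit event whose LogonType tells owner (0) from admin (1) / delegate (2).
$Operations = @('SearchCreated', 'SearchExported', 'MailItemsAccessed')

function Get-SuspiciousAuditRecords {
    param([datetime] $Start = (Get-Date).AddDays(-7), [datetime] $End = (Get-Date))
    # Live query; ReturnLargeSet pages beyond the 5000-record ceiling per call.
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $Operations `
        -ResultSize 5000 -SessionCommand ReturnLargeSet
}

function ConvertTo-AuditSummary {
    param([Parameter(Mandatory)] [object[]] $Records)
    # Every record carries its detail as JSON in AuditData.
    $parsed = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            NonOwner  = ($d.Operation -eq 'MailItemsAccessed' -and $d.LogonType -ne 0)
            Target    = if ($d.MailboxOwnerUPN) { $d.MailboxOwnerUPN } else { $d.ObjectId }
        }
    }
    # Owner reads of their own mailbox are noise; keep searches and non-owner access.
    $parsed | Where-Object { $_.Operation -ne 'MailItemsAccessed' -or $_.NonOwner } |
        Group-Object User, Operation | ForEach-Object {
            [pscustomobject]@{ User = $_.Values[0]; Operation = $_.Values[1]; Count = $_.Count }
        }
}

# Constructed sample records (not real tenant data) shaped like audit log output.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-01-14T09:12:00","Operation":"SearchCreated","UserId":"admin@contoso.onmicrosoft.com","ClientIP":"203.0.113.10","ObjectId":"Finance search"}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-01-14T09:20:00","Operation":"SearchExported","UserId":"admin@contoso.onmicrosoft.com","ClientIP":"203.0.113.10","ObjectId":"Finance search"}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-01-14T10:05:00","Operation":"MailItemsAccessed","UserId":"admin@contoso.onmicrosoft.com","ClientIP":"203.0.113.10","LogonType":1,"MailboxOwnerUPN":"cfo@contoso.onmicrosoft.com"}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-01-14T10:06:00","Operation":"MailItemsAccessed","UserId":"cfo@contoso.onmicrosoft.com","ClientIP":"198.51.100.5","LogonType":0,"MailboxOwnerUPN":"cfo@contoso.onmicrosoft.com"}' }
)

# Three rows come back: the admin's search, its export, and the admin's
# non-owner read of the CFO mailbox; the CFO's own read is filtered out.
ConvertTo-AuditSummary -Records $sample | Format-Table -AutoSize

# Against a tenant: ConvertTo-AuditSummary -Records (Get-SuspiciousAuditRecords)
```

An administrator who creates a content search, exports it, and then opens another user’s mailbox from the same IP within an hour is exactly the sequence in the case study; a scheduled run of this summary would have shown it long before DART was called in.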

Hard Data for Account Compromises

Further insight (if needed) comes from an interesting session given at the RSA Conference 2020 called Breaking Password Dependencies: Challenges in the Final Mile at Microsoft, featuring Alex Weinert (Director of Identity Security at Microsoft) and Lee Walker (Principal Architect, Microsoft IT). During this session, Microsoft said that about 1.2 million of their cloud accounts were compromised in January 2020. This is only 0.5% of the total user base, but it still shows the scale of attack. In effect, an Office 365 tenant with 10,000 accounts can expect to have 50 compromised accounts every month, unless they use MFA, conditional access policies, and block legacy authentication. MFA alone blocks 99.9% of the compromises, but only 11% of enterprise users used MFA in January 2020.

Password Spray and Replay Attacks

Microsoft revealed that 480K of the accounts were compromised by password spray attacks (Figure 1), and 99% of password spray attacks use Exchange Online basic auth with IMAP4 and SMTP.

Figure 1: Password spray attacks against Microsoft cloud accounts in January 2020

A similar number of accounts were compromised by password replay attacks. People often use the same password for personal and work accounts, so if a password becomes known to attackers because a service is compromised, they might try to reuse that password to attack other accounts belonging to the user. Again, legacy protocols play a big role here, especially the combination of IMAP4 and SMTP. The protocols due to be disabled for basic auth on October 13, 2020 are highlighted in Figure 2. Microsoft says that a 67% reduction in compromises happens for tenants who disable legacy authentication. You can’t eliminate the possibility of attack, but you can make the task of the attacker much harder.

Figure 2: Replay attacks against Microsoft cloud accounts in January 2020
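The reason IMAP4 and SMTP dominate both charts is that a basic-auth endpoint lets an attacker try one password against thousands of accounts with no MFA prompt in the way, and the sign-in log shows that pattern clearly: one source IP, many distinct usernames, a handful of failures each. As an added example (not code from the original post), the block below runs that check over an exported sign-in log. The CSV is constructed sample data and its column names (Date, Username, ClientApp, Status, IPAddress) are assumptions chosen to mirror the Azure AD portal export; map them to your own export if they differ. The legacy client-app names are the values Azure AD uses for basic-auth protocols.

```powershell
# Added example: flag password-spray patterns over legacy (basic auth) protocols
# in an exported Azure AD sign-in log. Sample data below is constructed.
$LegacyApps = @('IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'Other clients')

# Constructed export: one IP walking six accounts over IMAP4 in ten seconds,
# plus a user's ordinary browser sign-ins (one mistyped password) for contrast.
$csv = @'
Date,Username,ClientApp,Status,IPAddress
2020-01-14T02:00:01Z,alice@contoso.com,IMAP4,Failure,203.0.113.77
2020-01-14T02:00:03Z,bob@contoso.com,IMAP4,Failure,203.0.113.77
2020-01-14T02:00:05Z,carol@contoso.com,IMAP4,Failure,203.0.113.77
2020-01-14T02:00:07Z,dave@contoso.com,IMAP4,Failure,203.0.113.77
2020-01-14T02:00:09Z,erin@contoso.com,IMAP4,Failure,203.0.113.77
2020-01-14T02:00:11Z,frank@contoso.com,IMAP4,Success,203.0.113.77
2020-01-14T08:15:00Z,alice@contoso.com,Browser,Success,198.51.100.20
2020-01-14T08:16:00Z,alice@contoso.com,Browser,Failure,198.51.100.20
2020-01-14T08:16:30Z,alice@contoso.com,Browser,Success,198.51.100.20
'@

function Find-LegacyAuthSprays {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [int] $MinDistinctUsers = 5   # one IP failing against this many accounts is not a typo
    )
    $rows = $CsvText | ConvertFrom-Csv
    $legacyFailures = $rows | Where-Object { $_.ClientApp -in $LegacyApps -and $_.Status -eq 'Failure' }

    foreach ($g in ($legacyFailures | Group-Object IPAddress)) {
        $users = $g.Group.Username | Sort-Object -Unique
        if ($users.Count -ge $MinDistinctUsers) {
            # A legacy-protocol success from the same IP is the account to treat as compromised.
            $hits = $rows | Where-Object {
                $_.IPAddress -eq $g.Name -and $_.ClientApp -in $LegacyApps -and $_.Status -eq 'Success'
            }
            [pscustomobject]@{
                SourceIP       = $g.Name
                Protocols      = ($g.Group.ClientApp | Sort-Object -Unique) -join ','
                UsersAttempted = $users.Count
                Failures       = $g.Count
                SucceededFor   = ($hits.Username | Sort-Object -Unique) -join ','
            }
        }
    }
}

# One row for 203.0.113.77: five users attempted over IMAP4, frank@ succeeded.
# alice's browser failure never qualifies: wrong protocol, and a single user.
Find-LegacyAuthSprays -CsvText $csv | Format-Table -AutoSize
```

The same IP-centred grouping does not catch replay attacks, which arrive as a single correct password for a single user; for those, the signal is a legacy-protocol success from a country or network the user never signs in from, which is what conditional access policies evaluate before the password is even accepted.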

The Need to Eliminate Legacy Email Client Protocols

Looking at the account compromise rate by protocol, you clearly see the need to remove Exchange Online basic auth for email connection (Figure 3). This graph underlines why Microsoft is driving for the October 13, 2020 date (now October 2022).

Figure 3: Account compromises by protocol
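You don’t have to wait for Microsoft’s date to remove basic auth from your own tenant. As an added example (not code from the original post), the block below blocks basic authentication for every protocol with an Exchange Online authentication policy, after listing the mailboxes that still have legacy protocols enabled. It assumes an active Connect-ExchangeOnline session; the policy name and the pilot and scanner mailboxes are placeholders.

```powershell
# Added example: block basic authentication tenant-wide with an authentication
# policy, piloting on one account first. Names below are placeholders.

# 1. Inventory which mailboxes still have legacy protocols switched on.
#    Protocol enablement (Set-CASMailbox) and the authentication policy are
#    independent: the policy controls how a client may authenticate, not
#    whether the protocol is available at all.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.ActiveSyncEnabled } |
    Select-Object DisplayName, ImapEnabled, PopEnabled, ActiveSyncEnabled, SmtpClientAuthenticationDisabled

# 2. Create the policy. New-AuthenticationPolicy leaves every AllowBasicAuth*
#    switch at $false, so a bare policy blocks basic auth for EWS, EAS, IMAP,
#    POP, SMTP, RPC/MAPI, OAB, Autodiscover, Reporting Web Services and PowerShell.
$PolicyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
Get-AuthenticationPolicy -Identity $PolicyName | Format-List AllowBasicAuth*

# 3. Pilot on one account, then promote the policy to the tenant default.
#    Policy changes can take up to 24 hours to propagate; -STAS forces the
#    user's authentication status to be re-evaluated immediately.
Set-User -Identity 'pilot.user@contoso.onmicrosoft.com' -AuthenticationPolicy $PolicyName -STAS
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 4. SMTP AUTH client submission has its own tenant-wide switch that applies
#    whatever the authentication method. Turn it off, then re-enable it only
#    on the mailboxes used by devices that cannot do OAuth yet.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity 'scanner@contoso.onmicrosoft.com' -SmtpClientAuthenticationDisabled $false
```

Run step 1 for a few weeks against the sign-in log before step 3 becomes the default: the mailboxes that appear there, plus the multifunction devices that relay through SMTP AUTH, are the applications Microsoft had to work through in its own rollout.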

The session also includes a lot of interesting and useful information about Microsoft’s experience of blocking legacy authentication within their own infrastructure. If you’re involved in the plan to prepare your tenant for the changes coming in October, it’s worth listening to how Microsoft worked through dealing with applications that depended on basic auth during their rollout.

Time to Get Going

It’s possible that Microsoft will come under customer pressure to extend the cut-off date for Exchange Online basic auth connections. I hope they resist. Hard evidence exists that eliminating basic authentication helps enormously to increase resistance against attack. Why would anyone want to remain vulnerable?

Update April 30: Microsoft has announced support for OAuth connections with IMAP4 and SMTP AUTH. POP3 coming soon.

For more reasoned commentary about all things related to Office 365, subscribe to the Office 365 for IT Pros eBook and learn how to keep your tenant secure.

22 Replies to “Why Basic Authentication for Exchange Online is So Bad”

  1. I wonder if mobile Outlook will still support IMAP (I guess with basic auth). I use Outlook to connect to my personal email, which is hosted on my domain. Don’t want to use Gmail/Outlook.com or else.

    1. I imagine that basic auth connections to other email servers will continue unimpeded. We’re only talking about connections to Exchange Online.

  2. Tony – here’s what my Microsoft 365 message center states in MC204828:

    “As previously communicated in MC191153, beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH.”

    The way I read it, SMTP is one protocol that will continue to allow basic authentication. Is that accurate?

      1. Even if they do shut it down, for multifunction devices there is a workaround. On my last job we actually set up an internal SMTP server using IIS, which was using certificate-based auth to O365 to relay emails that devices were sending to that SMTP server.

  3. As one of my first hacking projects, we were asked to password spray a set of IDs, a lot of which were Office accounts. We managed to engineer AI such that it picks only the most vulnerable, easy logins. To be fair, we did use a bit of brute force to barge ourselves into the clients, but the fact that such a thing was even possible really puts these things into question.
