Time Running Out for Old Email Connection Protocols
I’ve heard some people doubting that Microsoft will remove basic authentication from seven Exchange Online mailbox connection protocols. The argument advanced is that customers won’t allow this to happen because removing Exchange Online basic auth connections will be too disruptive. That is, unless they’ve experienced the unique joy of being the victim of an Exchange password spray attack.
Update: The big switch-off date is now October 1, 2022. On that day, Microsoft will begin the final process of disabling Exchange Online basic auth in Microsoft 365 tenants that still use basic auth for email connections.
Update (September 1): Microsoft is granting tenants the ability to get a three-month extension before retiring basic authentication. See this article for more detail. January 1, 2023 is the new drop-dead date.
Disruption will certainly happen if you’re running obsolete clients like Outlook 2010 which don’t support modern authentication. Or if you use POP3 and IMAP4 to fetch messages and the developers of your email client don’t pick up the new OAuth-compliant versions of these protocols. The biggest issue here is likely to be with devices that use these protocols to connect to Exchange to fetch messages, as I have no idea how the device manufacturers will approach the upgrade. Other issues exist with applications built with Exchange Web Services where programmers don’t quite know how to move forward (this blog by MVP Ingo Gegenwarth might help). Or if you have an old mobile email client which likes to use basic auth with ActiveSync.
Finally, there’s PowerShell… We’ll have to switch to modules which support modern authentication, like the Exchange Online Management module, and upgrade scripts to make sure that authentication still works, especially for scheduled scripts which run without human intervention.
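As an added example (not code from the original post), here is the shape a scheduled script takes once it moves to the Exchange Online Management module with certificate-based app-only authentication, so it runs unattended without a stored password. It assumes the module is installed, an Azure AD app registration with the Exchange.ManageAsApp permission and an Exchange admin role exists, and its certificate is in the local machine store; the app ID, tenant name and thumbprint are placeholders.

```powershell
# Added example (not from the original post): connect a scheduled script to Exchange Online
# with app-only (certificate-based) modern authentication instead of a stored password.
# Assumptions: ExchangeOnlineManagement module installed; an Azure AD app registration with the
# Exchange.ManageAsApp permission and an Exchange admin role; its certificate is installed in the
# local machine store. The three values below are placeholders, not real identifiers.
$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$TenantName = 'contoso.onmicrosoft.com'                # placeholder tenant
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # placeholder certificate thumbprint

Import-Module ExchangeOnlineManagement -ErrorAction Stop

try {
    # No username or password is involved: the app proves its identity with the private key of
    # the certificate, so there is nothing for a password spray to guess and no MFA prompt to
    # interrupt a job that runs without a human at the keyboard.
    Connect-ExchangeOnline -AppId $AppId `
                           -CertificateThumbprint $Thumbprint `
                           -Organization $TenantName `
                           -ShowBanner:$false `
                           -ErrorAction Stop

    # Typical unattended work item: a defensive inventory of mailboxes that still have the
    # legacy fetch protocols enabled, written to CSV for review.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
        Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled,
                      SmtpClientAuthenticationDisabled |
        Export-Csv -Path "$env:TEMP\LegacyProtocolMailboxes.csv" -NoTypeInformation
}
finally {
    # Always tear the session down; leaked sessions count against the tenant's connection limits.
    Disconnect-ExchangeOnline -Confirm:$false
}
```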
There’s work to be done. Lots of work, but the final goal of eliminating insecure authentication methods from Microsoft 365 is worthwhile. Those who doubt this statement might consider a recent case study by the Microsoft Detection and Response Team (DART), the people who help companies when malicious actors have penetrated networks to create a persistent threat.
A Case Study of a Compromised Office 365 Tenant
The case study explains that attackers obtained the password of the Office 365 administrator via a password spray attack. Multi-factor authentication (MFA) was not enabled on this account. Microsoft says that 99.9% of account compromise attacks are blocked with MFA. Attacks like password sprays, which rely on basic authentication, run into a stone wall when an account uses MFA, which is why MFA should be used by as many Office 365 accounts as possible.
Once the attackers penetrated the administrator account, all of the Microsoft 365 tenant was theirs to exploit. They used content searches to find “interesting” information in mailboxes and extracted and moved the information out of the company in preparation for something like a business email compromise attack. Poor auditing of actions like content searches and non-owner access to mailboxes enabled the attack to succeed. Eventually DART cleaned things up and concluded that
MFA should have been used to prevent the attack succeeding on the administrator account.
Conditional Access Policies would have helped prevent unauthorized access.
Auditing should be part of regular operations.
The only safe option is disallowing legacy authentication altogether. Blocking basic authentication for email is a great step forward in removing legacy authentication.
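As an added example (not from the original post or the DART report), this is how the last conclusion, disallowing legacy authentication, is implemented in Exchange Online with an authentication policy, piloted on one account before becoming the tenant default. It assumes an existing Connect-ExchangeOnline session with an Exchange admin role; the policy name and pilot user are placeholders.

```powershell
# Added example (not from the original post or the DART report): block basic authentication
# in Exchange Online with an authentication policy, pilot it, then make it the tenant default.
# Assumes an existing Connect-ExchangeOnline session with an Exchange admin role.
$PolicyName      = 'Block Basic Auth'                       # placeholder policy name
$PilotUser       = 'pilot.user@contoso.onmicrosoft.com'     # placeholder pilot account
$ApplyTenantWide = $false   # flip to $true only after the pilot has run cleanly

# A new authentication policy blocks basic auth for every protocol unless an -AllowBasicAuth*
# switch is given, so creating it with only a name yields the "block everything" policy.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# Show what the policy allows: every AllowBasicAuth* value should be False.
Get-AuthenticationPolicy -Identity $PolicyName |
    Select-Object Name, AllowBasicAuthActiveSync, AllowBasicAuthImap, AllowBasicAuthPop,
                  AllowBasicAuthSmtp, AllowBasicAuthWebServices, AllowBasicAuthPowershell

# Step 1: pilot on one account. Resetting the refresh-token timestamp forces existing sessions
# to re-authenticate, so the block takes effect now rather than when cached tokens expire.
Set-User -Identity $PilotUser -AuthenticationPolicy $PolicyName
Set-User -Identity $PilotUser -STSRefreshTokensValidFrom (Get-Date)

# Step 2: once the pilot is clean, make the policy the tenant default so every account
# without an explicit policy is covered too.
if ($ApplyTenantWide) {
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
}

# Verify the default and, for the auditing conclusion above, that unified auditing is not
# switched off at the organization level (AuditDisabled should be False).
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy, AuditDisabled
```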
Hard Data for Account Compromises
Further insight (if needed) comes from an interesting session given at the RSA Conference 2020 called Breaking Password Dependencies: Challenges in the Final Mile at Microsoft, featuring Alex Weinert (Director of Identity Security at Microsoft) and Lee Walker (Principal Architect, Microsoft IT). During this session, Microsoft said that about 1.2 million of their cloud accounts were compromised in January 2020. This is only 0.5% of the total user base, but it still points to the level of attack. In effect, an Office 365 tenant with 10,000 accounts can expect to have 50 compromised accounts every month unless they use MFA, conditional access policies, and block legacy authentication. Although MFA alone blocks 99.9% of the compromises, only 11% of enterprise users used MFA in January 2020.
Password Spray and Replay Attacks
Microsoft revealed that 480K of the accounts were compromised by password spray attacks (Figure 1), and 99% of password spray attacks use Exchange Online basic auth with IMAP4 and SMTP.
Figure 1: Password spray attacks against Microsoft cloud accounts in January 2020
A similar number of accounts were compromised by password replay attacks. People often use the same password for personal and work accounts, so if a password becomes known to attackers because a service is compromised, they might try to reuse that password to attack other accounts belonging to the user. Again, legacy protocols play a big role here, especially the combination of IMAP4 and SMTP. The protocols due to be disabled for basic auth on October 13, 2020 are highlighted in Figure 2. Microsoft says that a 67% reduction in compromises happens for tenants who disable legacy authentication. You can’t eliminate the possibility of attack, but you can make the task of the attacker much harder.
Figure 2: Replay attacks against Microsoft cloud accounts in January 2020
The Need to Eliminate Legacy Email Client Protocols
Looking at the account compromise rate by protocol, you clearly see the need to remove Exchange Online basic auth for email connection (Figure 3). This graph underlines why Microsoft is driving for the October 13, 2020 date (now October 2022).
Figure 3: Account compromises by protocol
The session also includes a lot of interesting and useful information about Microsoft’s experience of blocking legacy authentication within their own infrastructure. If you’re involved in the plan to prepare your tenant for the changes coming in October, it’s worth listening to how Microsoft worked through dealing with applications that depended on basic auth during their rollout.
Time to Get Going
It’s possible that Microsoft will come under customer pressure to extend the cut-off date for Exchange Online basic auth connections. I hope they resist. Hard evidence exists that eliminating basic authentication helps enormously to increase resistance against attack. Why would anyone want to remain vulnerable?
Update April 30: Microsoft has announced support for OAuth connections with IMAP4 and SMTP AUTH. POP3 coming soon.
For more reasoned commentary about all things related to Office 365, subscribe to the Office 365 for IT Pros eBook and learn how to keep your tenant secure.
22 Replies to “Why Basic Authentication for Exchange Online is So Bad”
I wonder if mobile Outlook will still support IMAP (I guess with basic auth). I use Outlook to connect to my personal email, which is hosted on my domain. Don’t want to use Gmail/Outlook.com or else.
I imagine that basic auth connections to other email servers will continue unimpeded. We’re only talking about connections to Exchange Online.
Tony – here’s what my Microsoft 365 message center states in MC204828:
“As previously communicated in MC191153, beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH.”
The way I read it, SMTP is one protocol that will continue to allow basic authentication. Is that accurate?
Covered here: https://www.petri.com/microsoft-plans-disable-smtp-auth-exchange-online
In a nutshell, there’s a current exemption but it will go away over time.
Even if they do shut it down, for multifunction devices there is a workaround. On my last job we actually set up an internal SMTP server using IIS, which was using certificate-based auth to O365 to relay emails that devices were sending to that SMTP server.
As one of my first hacking projects, we were asked to password spray a set of IDs, a lot of which were Office accounts. We managed to engineer AI such that it picks only the most vulnerable, easy logins. To be fair, we did use a bit of brute force to barge ourselves into the clients, but the fact that such a thing was even possible really puts these things into question.