We have recently seen several indicators that show that many of our customers are being targeted by password spray attacks that leverage basic authentication.
The only reason we’re turning off basic auth in Exchange Online is to protect your users and data. The evidence I see every day clearly indicates that password spray attacks are becoming more frequent.
If basic auth hasn’t yet been turned off for your tenant, or if you’ve asked for more time, you should read this.
What is a Password Spray attack?
A password spray attack is a type of brute force attack in which the attacker tries a large number of usernames with a list of common passwords against a target system to see if any will work. It’s often hard to detect as the username keeps changing; accounts don’t get locked because the account being attacked changing. Attackers also distribute their efforts over their targets and keep changing their source IP.
It’s a numbers game essentially, and computers are quite good at numbers. And as attacks go, it works.
The most popular protocols we see attacked like this are SMTP and IMAP. POP is third on the list, but SMTP and IMAP are way out there in a league of their own.
What can you do about this?
Set up Exchange Online Authentication Policies to ensure only the accounts that you know should be using basic auth with specific protocols, can use basic auth with these protocols. Start with SMTP and IMAP and do it today!
How do you set up Authentication Policies?
Our documentation is rather good at answering this question, and there are many other docs out there written by MVPs and other community contributors. Rather than explain the actual step by step, I wanted to explain the strategy.
We’ll use IMAP as the example, and then repeat for each protocol, noting that some apps (such as Outlook) use more than one protocol. So, you might need some “combination” policies as users can only have one policy assigned:
- Use Azure AD Sign in reports to determine who is legitimately using basic auth with IMAP in your tenant.
- Create an Authentication Policy in your tenant that allows Basic Auth with IMAP. For example:
New-AuthenticationPolicy -Name "AllowIMAP" -AllowBasicAuthImap
- Create a Default Authentication Policy that blocks all basic auth use:
New-AuthenticationPolicy -Name "BlockAllBasicAuth"
- Assign the allow policy to the user accounts you identified:
Set-User -Identity Bob -AuthenticationPolicy “AllowIMAP”
- Then, set the Default Authentication to the policy that blocks everything:
Set-OrganizationConfig -DefaultAuthenticationPolicy "BlockAllBasicAuth"
And that is it.
Any attempt to use basic auth with IMAP, using any account other than those with the explicit Allow policy will fail.
Password spray attacks would be limited to those specific accounts – and you can watch them more closely, safe in the knowledge all your other accounts can’t be attacked in this manner.
Because we are not disabling SMTP Auth, and SMTP is one of the most frequently attacked protocols, you should make it a priority to set up an Authentication Policy for SMTP and limit your attack surface.
Here are some useful resources to help you along the way.
- Disable Basic authentication in Exchange Online
- New-AuthenticationPolicy (ExchangePowerShell)
- Password spray investigation
Please set up Authentication Policies immediately if you are going to continue to use basic auth, and to control who can use SMTP Auth. Don’t be the next target!
All content and images belong to their respected owners, this article is curated for informational purposes only.