Microsoft: Watch out for password spray attacks – especially you, Basic Auth

Exchange Online users should have authentication policies in place


Microsoft is warning Exchange Online users about a rise in password spray attacks, urging those that have yet to disable Basic Authentication to at least set up authentication policies to protect their users and data.

In a post this week, Microsoft's Exchange Team said that enterprises still using Basic Authentication are being targeted by password spray attacks, a type of brute-force tactic in which an attacker "sprays" a targeted system with a large number of usernames and a list of common passwords to see if any of them will work.

"It's often hard to detect as the username keeps changing; accounts don't get locked because the account being attacked keeps changing," the team wrote. "Attackers also distribute their efforts over their targets and keep changing their source IP. It's a numbers game essentially, and computers are quite good at numbers. And as attacks go, it works."
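The pattern the Exchange Team describes (many accounts, one or two guesses each, rotating source addresses) is exactly what a per-account lockout or a per-IP threshold misses. The following is an added example, not code from the article or from Microsoft, showing a tenant-wide heuristic over a constructed set of sign-in records: group failures by time window and flag windows where many distinct users fail but each only once or twice. The record fields (Time, User, SourceIp, Protocol, Result) and the sample data are assumptions; a real feed would come from the Azure AD sign-in log.

```powershell
# Constructed sign-in records (not real tenant data). Ten distinct accounts fail
# once each from two rotating source IPs over IMAP, then one real user mistypes
# their password twice in a browser and succeeds on the third try.
$signIns = @(
    [pscustomobject]@{ Time='2022-09-14T08:00:01Z'; User='alice@example.com'; SourceIp='198.51.100.7'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:00:09Z'; User='bob@example.com';   SourceIp='198.51.100.7'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:00:17Z'; User='carol@example.com'; SourceIp='198.51.100.7'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:00:26Z'; User='dave@example.com';  SourceIp='198.51.100.7'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:00:34Z'; User='erin@example.com';  SourceIp='198.51.100.7'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:00:41Z'; User='frank@example.com'; SourceIp='198.51.100.7'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:03:02Z'; User='gina@example.com';  SourceIp='203.0.113.55'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:03:11Z'; User='ivan@example.com';  SourceIp='203.0.113.55'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:03:19Z'; User='judy@example.com';  SourceIp='203.0.113.55'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:03:28Z'; User='ken@example.com';   SourceIp='203.0.113.55'; Protocol='IMAP4'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:10:00Z'; User='harry@example.com'; SourceIp='192.0.2.20';   Protocol='Browser'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:10:20Z'; User='harry@example.com'; SourceIp='192.0.2.20';   Protocol='Browser'; Result='Failure' }
    [pscustomobject]@{ Time='2022-09-14T08:10:45Z'; User='harry@example.com'; SourceIp='192.0.2.20';   Protocol='Browser'; Result='Success' }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int]    $WindowMinutes      = 30,  # attempts this close together are treated as one campaign
        [int]    $MinDistinctUsers   = 5,   # a spray touches many accounts...
        [double] $MaxAttemptsPerUser = 2    # ...but only a guess or two per account, staying under lockout
    )
    $ticksPerWindow = [timespan]::FromMinutes($WindowMinutes).Ticks

    # Keep only failures and tag each with the UTC time window it falls in.
    $failures = $SignIns | Where-Object { $_.Result -eq 'Failure' } | ForEach-Object {
        $utc = [DateTimeOffset]::Parse($_.Time).UtcDateTime
        [pscustomobject]@{
            Bucket   = [long][math]::Floor($utc.Ticks / $ticksPerWindow)
            User     = $_.User
            SourceIp = $_.SourceIp
            Protocol = $_.Protocol
        }
    }

    # Group tenant-wide per window rather than per IP or per account: the
    # attacker rotates both, so the campaign is only visible in aggregate.
    foreach ($window in ($failures | Group-Object Bucket)) {
        $users   = @($window.Group.User     | Select-Object -Unique)
        $sources = @($window.Group.SourceIp | Select-Object -Unique)
        $perUser = $window.Count / $users.Count
        if ($users.Count -ge $MinDistinctUsers -and $perUser -le $MaxAttemptsPerUser) {
            [pscustomobject]@{
                WindowStartUtc  = [datetime]::new([long]$window.Name * $ticksPerWindow, [System.DateTimeKind]::Utc)
                Failures        = $window.Count
                DistinctUsers   = $users.Count
                DistinctSources = $sources.Count
                AttemptsPerUser = [math]::Round($perUser, 2)
                Protocols       = ($window.Group.Protocol | Select-Object -Unique) -join ','
            }
        }
    }
}

# On the constructed data this reports one 30-minute window: 12 failures across
# 11 accounts from 3 sources (about 1.09 attempts per user), dominated by IMAP4.
Find-PasswordSpray -SignIns $signIns | Format-Table -AutoSize
```

The thresholds are starting points, not tuned values: the distinct-user count should scale with tenant size, and a window that also shows a legacy protocol in the Protocols column is the strongest signal, since that is where the article says the attacks concentrate. The per-user ratio is what separates a spray from an ordinary brute-force against one account, which lockout already handles.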

For three years, Microsoft has been weaning popular software offerings like Outlook Desktop and the Outlook Mobile App off Basic Auth in favor of more secure user authentication methods. The Redmond giant told Exchange Online users that, starting this month, it will begin disabling Basic Auth for such tools as MAPI, Offline Address Book, Exchange Web Services, and Exchange ActiveSync.

So far, millions of users have moved away from Basic Auth to Modern Auth over those three years and Microsoft has disabled it in millions of tenants, according to the company. However, even with reminders in September 2021 and in May, many are still using it and have until January 2023 before Basic Auth is turned off for all protocols.

Until then, these customers will have to face identity attacks using Basic Auth.

"The only reason we're turning off basic auth in Exchange Online is to protect your users and data," they wrote. "The evidence I see every day clearly indicates that password spray attacks are becoming more frequent. The most popular protocols we see attacked like this are SMTP and IMAP. POP is third on the list, but SMTP and IMAP are way out there in a league of their own."

To combat this, Microsoft is recommending that organizations still using Basic Auth set up Exchange Online Authentication Policies, which ensure that only those accounts the organization knows should be using Basic Auth with specific protocols can do so. Microsoft also suggested enterprises start with SMTP and IMAP.

Organizations can use Azure Active Directory sign-in reports to determine who is legitimately using Basic Auth with IMAP in a tenant, and then create an authentication policy in the tenant that allows Basic Auth with IMAP only for those accounts. The process can be repeated for each protocol; some apps, like Outlook, use multiple protocols, which means creating a combination of policies.

"Any attempt to use basic auth with IMAP, using any account other than those with the explicit Allow policy will fail," they wrote. "Password spray attacks would be limited to those specific accounts – and you can watch them more closely, safe in the knowledge all your other accounts can't be attacked in this manner."
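The procedure just described, as an added example using the Exchange Online PowerShell cmdlets (this is not a script from the article or from Microsoft): a tenant-wide default policy that blocks Basic Auth for every protocol, an explicit Allow policy for IMAP, and assignment of that policy only to the accounts the sign-in report identified. It assumes the ExchangeOnlineManagement module is installed, that you have already filtered the Azure AD sign-in report to successful IMAP4 sign-ins and exported it to a CSV, and that the export has a 'User principal name' column (the file name and column name are assumptions; adjust them to your export).

```powershell
# Requires the ExchangeOnlineManagement module and an admin account.
Connect-ExchangeOnline

# Accounts the sign-in report showed legitimately using Basic Auth with IMAP.
# The CSV path and column name are assumptions about your export.
$imapUsers = Import-Csv '.\imap-signins.csv' |
    Select-Object -ExpandProperty 'User principal name' -Unique

# 1. Tenant default: an authentication policy created with no Allow* switches
#    blocks Basic Auth for every protocol. Every mailbox without an explicit
#    policy inherits this one.
if (-not (Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 2. The explicit Allow policy for IMAP only. Repeat per protocol (for example
#    -AllowBasicAuthSmtp) or combine switches for apps that need several.
if (-not (Get-AuthenticationPolicy -Identity 'Allow Basic Auth IMAP' -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name 'Allow Basic Auth IMAP' -AllowBasicAuthImap | Out-Null
}

# 3. Assign the Allow policy to the known accounts and nobody else.
foreach ($upn in $imapUsers) {
    Set-User -Identity $upn -AuthenticationPolicy 'Allow Basic Auth IMAP'
    # Policy changes can take time to reach existing sessions; resetting the
    # token validity time makes the new policy apply on the next sign-in.
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# 4. Verify: only the explicitly allowed accounts should carry a policy name;
#    everyone else shows an empty AuthenticationPolicy and gets the default.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Format-Table -AutoSize
```

The point of the shape is the one in the quote: the blocking policy is the default and the Allow policy is the exception, so any spray against an account outside `$imapUsers` fails before a password is even checked, and the handful of accounts that remain exposed are a short, known list that can be watched in the sign-in log.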

Microsoft initially expected to disable all use of Basic Auth before the end of the year, but knew that, despite the warnings, many still continued to use the legacy authentication method. Basic Auth involves sending credentials in plain text to systems. It also doesn't natively support multi-factor authentication (MFA), making it a challenge for organizations that want to use both.

The software maker says Modern Auth encompasses a range of security methods, including access policies like MFA, smart cards, Open Authorization, mobile access management, and certificate-based authentication. Such tools are important as threat groups become more sophisticated in their ways of stealing credentials at a time when companies continue to migrate to the cloud, adopt remote work, and expand third-party access to corporate resources.

In August, Microsoft published a document outlining steps enterprises can take to identify and investigate spray attacks. ®
