Exchange Online: Increased attacks observed after Basic-Auth end

Microsoft has largely turned off login via Basic Auth for Exchange Online. Attackers are now trying to break in through the remaining exceptions by testing passwords.


Microsoft warns that attacks are currently increasing following the originally planned end of insecure login using basic authentication in Exchange Online on October 1st of this year. The company is giving customers one last chance to extend the deadline. Cybercriminals have used this to step up what Microsoft calls password spraying attacks, in which they test usernames and passwords en masse.


The Basic Auth procedure is anchored in the HTTP standard. It is in effect a plain-text transmission of the login data, which is only Base64-encoded and can be decoded very easily by anyone. Exchange Online supports it for the POP3, IMAP and SMTP protocols, among others. Basic Auth was the most abused vulnerability for breaking into Exchange Online, which is why Microsoft wanted to turn off the tap on October 1st.

However, since some incompatible software and systems still rely on Basic Auth, Microsoft recently gave in and allowed customers a final extension of the shutdown deadline. Should customers reactivate Basic Auth, it will now be permanently deactivated in January 2023. In a post on Microsoft's TechCommunity, the company says it is seeing an increase in brute-force attacks, in which cybercriminals use a large number of usernames and try known passwords.

Because the usernames are constantly changing, the attacks are difficult to detect. For the same reason, the accounts are not locked out. In addition, the attackers distribute their attacks across different source IPs. The attacks focus particularly on SMTP and IMAP, which are targeted far more often than POP.
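Since neither a per-account nor a per-IP counter trips in this pattern, one option is to group failed logins by protocol and time window and look for many distinct accounts with few attempts each. The following Python sketch is an added example, not code from Microsoft's post; the record layout, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed records: (timestamp, user, source IP, protocol, result).
    The layout is an assumption for this example, not a Microsoft log schema."""
    t0 = datetime(2022, 10, 10, 3, 0)
    rows = []
    # Spray pattern: 12 accounts, one IMAP attempt each, every attempt from a new IP.
    for i in range(12):
        rows.append((t0 + timedelta(seconds=40 * i), f"user{i:02d}@example.com",
                     f"198.51.100.{10 + i}", "IMAP", "failure"))
    # Ordinary noise: one user mistyping a POP password three times from one IP.
    for i in range(3):
        rows.append((t0 + timedelta(minutes=i), "alice@example.com",
                     "192.0.2.7", "POP", "failure"))
    # A successful SMTP login, which must not be counted.
    rows.append((t0 + timedelta(minutes=2), "scanner@example.com",
                 "192.0.2.9", "SMTP", "success"))
    return rows

SAMPLE = build_sample()

def detect_spray(records, window=timedelta(minutes=15), min_users=10, max_per_user=2.0):
    """Return one finding per (protocol, time window) in which many distinct
    accounts failed with few attempts each. Grouping ignores account and source
    IP on purpose, because a spray stays below per-account and per-IP limits."""
    buckets = defaultdict(list)
    for ts, user, ip, proto, result in records:
        if result != "failure":
            continue
        # Align the timestamp to the start of its fixed-size window.
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[(proto, start)].append((user, ip))
    findings = []
    for (proto, start), hits in sorted(buckets.items()):
        users = {u for u, _ in hits}
        ips = {ip for _, ip in hits}
        per_user = len(hits) / len(users)
        if len(users) >= min_users and per_user <= max_per_user:
            findings.append({"protocol": proto, "window_start": start,
                             "users": len(users), "source_ips": len(ips),
                             "attempts_per_user": per_user})
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE):
        print(finding)
```

The thresholds are placeholders to tune against an organization's normal volume of failed legacy-protocol logins.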


Microsoft suggests allowing Basic Auth access only for certain known accounts and only for the required protocols. In essence, administrators should block Basic Auth for the organization and specifically enable it for the individual accounts that require this access. Microsoft's post also gives an example:

New-AuthenticationPolicy -Name "AllowIMAP" -AllowBasicAuthImap
New-AuthenticationPolicy -Name "BlockAllBasicAuth"
Set-User -Identity <UserAccount> -AuthenticationPolicy "AllowIMAP"
Set-OrganizationConfig -DefaultAuthenticationPolicy "BlockAllBasicAuth"

The same approach must also be adapted and applied to the accounts that require SMTP or POP.

Microsoft's specialists advise against using Set-CASMailbox. Although this also blocks the protocols, it only intervenes late: authentication still takes place, and if the password is correct, only data access is then prevented. The error message reveals this as well. Instead of The IMAP server responded with an error status "2 NO LOGIN failed." the attackers may receive the message The IMAP server responded with an error status "3 BAD User is authenticated but not connected.". This reveals that the password for the account is correct. The attackers can then use it for other purposes if necessary.