Beginning October 2022, Microsoft started disabling basic authentication protocols (EAS, POP, IMAP, RPS, EWS, OAB, Autodiscover and Outlook) in randomly choosen Microsoft 365 tenants. The only exception is the “Authenticated SMTP” protocol. If Microsoft detects that this protocol is in us in a Microsoft 365 tenant, this protocol will remain enabled. The end goal is to have the basic authentication protocols early-January 2023 disabled on every Microsoft 365 tenant.
The reason for disabling these protocols is because they do not support Multifactor Authentication (MFA) and are therefore easily to abuse by cybercriminals, for example easy to perform a Password Spraying attacks. In particular, we have seen that the IMAP protocol is very often abused for password Spraying attacks.
The only basic authentication protocol for which support remains is the AUTH SMTP protocol. This moved the problem of Password Spraying from the IMAP protocol to the SMTP AUTH protocol.
Mitigating this threat by creating a Conditional Access Policy to block SMTP AUTH for user accounts that do not use this protocol is not enough to protect against these attacks. After all, a Conditional Access Policy only applies on to successful sign-ins. It wil not block any sign-in attempt with an incorrent password. To solve this challenge, Authentication Policies can be used to configure which user accounts are allowed to access SMTP AUTH. For the remaining user accounts, this protocol is disabled, significantly reducing the attack landscape and preventing the execution of a Password Spraying attack on these user accounts.
Conditional Access Policies
I already hear you thinking, “Then we’ll implement a Conditional Access Policy for blocking SMTP AUTH for user accounts that don’t need it.” Conditional Access Policies only apply on successful sign-in and not on failed sign-in attempts. So, this will not mitigate this threat.
Authentication Policies are configured through the Exchange Online PowerShell and apply only to the Exchange Online environment. These policies have only one function; Allow or block specific basic authentication protocols. My recommendation is to keep your setup of Authentication Policies straightforward. This is also easier now than before because Microsoft has disabled basic authentication policies. Make sure you only have two policies:
- BlockBasicAuth (tenant wide policy, applies for every user account)
- AllowSmtpAuth (user specific policy)
To configure the Authentication Policies in the right way, we follow the steps below:
- Check whether SMTP AUTH is being used.
- Via Azure Active Directory
- Via Microsoft Sentinel (or Log Analytics Workspace)
- Configuring the Authentication Policies
- Assign the tenant wide policy
BlockAllBasicAuthas tenant default.
- Assign the
AllowSmtpAuthpolicy to specific user accounts.
Check whether SMTP AUTH is being used
Via Azure Active Directory
- Log in at https://entra.microsoft.com.
- Navigate to
Azure Active Directory–>
- Configure the filters as below:
Date: 1 month (or 7 days if 1 month is not available)
Client app: SMTP
User sign-ins (interactive) and
User sign-ins (non-interactive) tabs, analyze whether SMTP AUTH is in use. Optionally, this summary can be exported to CSV for further analysis.
Check if SMTP AUTH is being used through Azure AD
Via Microsoft Sentinel (or Log Analytics Workspace)
Navigate to Microsoft Sentinel or to the Log Analytics Workspace and use the following KQL query.
1 2 3 4 5 let timeframe = 31d; SigninLogs | where TimeGenerated > ago(31d) | where ClientAppUsed == "Authenticated SMTP" | project TimeGenerated, UserPrincipalName, ResultDescription, ClientAppUsed, IPAddress
To get a distinct view of the user accounts which are using SMTP AUTH, the following query can be used.
1 2 3 4 5 6 let timeframe = 31d; SigninLogs | where TimeGenerated > ago(31d) | where ClientAppUsed == "Authenticated SMTP" | project TimeGenerated, UserPrincipalName, ResultDescription, ClientAppUsed, IPAddress | distinct UserPrincipalName
Configuring Authentication Policies
If no user account uses SMTP AUTH, then it is sufficient to create the
BlockAllBasicAuthpolicy and configure it as the tenant default via the
- Create a connection with the Exchange Online tenant.
- Create the Authentication policy
AllowAuthSmtpfor allowing AUTH SMTP.
1 New-AuthenticationPolicy -Name AllowAuthSmtp -AllowBasicAuthSmtp
- Create the second Authentication Policy
1 New-AuthenticationPolicy -Name BlockAllBasicAuth
- Configure the
BlockAllBasicAuthas the organization’s default Authentication Policy.
1 Set-OrganizationConfig -DefaultAuthenticationPolicy BlockAllBasicAuth
- If there are user accounts that need SMTP AUTH, you can assign the
AllowAuthSmtppolicy to those user accounts with the cmdlet below.
1 Set-User <username> -AuthenticationPolicy AllowAuthSmtp -Confirm:$false
That’s all! :-)
With these actions, the attack surface for performing Password Spraying attacks via the SMTP AUTH protocol has been significantly reduced.