Microsoft Warns About Spike in Password Spray Attacks Targeting Exchange Online


Microsoft has released an advisory warning Exchange Online users about increasing password spray attacks. The company recommends that enterprise customers set up authentication policies to protect users and sensitive information in their organizations.

Microsoft started disabling Basic Authentication support for Exchange Online customers on October 1, 2022. The legacy authentication method is being removed for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), IMAP, POP, and Remote PowerShell protocols.

However, this change doesn’t affect SMTP Authentication, allowing customers to continue using multi-function devices, scripts, and programs for sending emails via Exchange Online. Microsoft believes that the deprecation of Basic Authentication should prevent password spray attacks that commonly target popular protocols.

“A password spray attack is a type of brute force attack in which the attacker tries a large number of usernames with a list of common passwords against a target system to see if any will work. It’s often hard to detect as the username keeps changing; accounts don’t get locked because the account being attacked keeps changing,” the Exchange Online team explained.

Microsoft plans to gradually turn off Basic Authentication for all tenants by the end of this year. The company recommends that customers switch to Modern Authentication (OAuth 2.0) as soon as possible. Modern Authentication provides access to various security tools such as smart cards, mobile access management, and certificate-based authentication.

How to use Authentication Policies to block password spray attacks

Microsoft is urging customers that have yet to disable Basic Authentication to configure Exchange Online authentication policies. These policies ensure that Basic Authentication stays enabled only for select accounts and only for specific protocols (such as SMTP and IMAP).

For instance, IT admins can use Azure AD sign-in reports to find the accounts that still use Basic Authentication with IMAP. Once those accounts are identified, admins can create an authentication policy that lets only those employees use Basic Authentication with that protocol. It is important to note that some applications (such as Outlook) use multiple protocols, so administrators will need to create a combination of policies.

Microsoft notes that this technique helps IT admins focus on a limited set of accounts and block sophisticated credential stealing attempts. “Because we are not disabling SMTP Auth, and SMTP is one of the most frequently attacked protocols, you should make it a priority to set up an Authentication Policy for SMTP and limit your attack surface,” Microsoft added.
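The procedure described above, as an added Exchange Online PowerShell example (it is not from the advisory): a tenant-wide default that blocks Basic Authentication, plus one exception policy that allows Basic Authentication over SMTP for a single sending account. The tenant domain, admin account, mailbox and policy names are constructed placeholders.

```powershell
# Added example (not from the article): block Basic Authentication tenant-wide in
# Exchange Online and carve out a single SMTP AUTH exception for one sending account.
# contoso.example, the admin UPN, the mailbox and the policy names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Tenant default: Basic Auth denied for every protocol. A newly created policy has
#    all AllowBasicAuth* switches off, so no further settings are needed on it.
$blockAll = New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockAll.Identity

# 2. Exception: Basic Auth over SMTP only, for the one mailbox a device or script
#    sends from (a multi-function printer relay in this constructed example).
$smtpOnly = New-AuthenticationPolicy -Name "Allow Basic Auth SMTP only"
Set-AuthenticationPolicy -Identity $smtpOnly.Identity -AllowBasicAuthSmtp
Set-User -Identity mfp-relay@contoso.example -AuthenticationPolicy $smtpOnly.Identity

# Policy changes can take up to 24 hours to apply; refreshing the account's tokens
# makes Exchange Online re-evaluate the policy for it within about 30 minutes.
Set-User -Identity mfp-relay@contoso.example `
    -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 3. Verify: the exception policy should show AllowBasicAuthSmtp = True and every
#    other AllowBasicAuth* flag = False ...
Get-AuthenticationPolicy -Identity $smtpOnly.Identity |
    Select-Object Name, AllowBasicAuth*

# ... and the set of accounts exempted from the tenant default should stay short,
# so it is worth reviewing this list whenever sign-in reports show new Basic Auth use.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -eq $smtpOnly.Identity } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Accounts that need Basic Authentication for a different protocol (IMAP, for example) get their own policy with only the matching AllowBasicAuth* switch enabled, rather than a second switch on the SMTP policy.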