Businesses urged to abandon Microsoft Exchange legacy authentication earlier than planned

Digital padlock hovering over a screen
(Image credit: Bigstock)

The US’ Cybersecurity and Infrastructure Security Agency (CISA) has urged all businesses and other organisations to accelerate their transition to more modern authentication methods for Microsoft Exchange Online.

The guidance issued to organisations of all types instructs how to check if Basic Authentication is used and how to switch to Modern Auth before Microsoft begins disabling the legacy authentication method in October.

Businesses should migrate to Modern Auth as soon as possible and once complete, block Basic Auth so the method cannot be exploited by other legacy applications, CISA said.

Microsoft has published extensive guidance on how to migrate to Modern Auth and the detailed instructions can be found in the security authority’s advisory.

Once the migration is complete, CISA advises to use either an Exchange Online authentication policy or Conditional Access policy in Azure Active Directory to block the use of Basic Auth across a business.

A brief history of Basic Auth

Basic Auth was the previous authentication method of Microsoft Exchange but has since been found to be insufficient in a number of areas.

Microsoft has said that Basic Auth does not make it easy for IT teams to enable cross-organisation multi-factor authentication (MFA), and in some cases is impossible.

CISA’s assessment was that it was impossible to implement MFA using Basic Auth - a technology all organisations have been advised to implement for years by security experts.

The legacy authentication method is also believed to be vulnerable to ‘spray and pray’ attacks since a user’s password is required to be sent with every authentication request, making it more easily guessable for attackers.

For the same reason, Basic Auth is also vulnerable to man-in-the-middle attacks where hackers can effectively intercept a password, especially when communicated over a network without transport layer security (TLS) protection.

Microsoft said that it would begin turning off Basic Auth for Exchange Online in September last year for users who were still using it, although the company has slowly been sunsetting the legacy authentication method for years now, across other services.

Basic Auth is still available for use on protocols such as post office protocol/internet message access protocol (POP/IMAP), exchange web services (EWS), ActiveSync, and remote procedure call over HTTP (RPC over HTTP), but will end in October.

According to CISA, 99% of password spray attacks use legacy authentication protocols and 97% of credential stuffing attacks abuse legacy authentication too.

RELATED RESOURCE

Protect and preserve your data from endpoint to infrastructure

Achieve cyber resilience with help from a powerhouse partnership

FREE DOWNLOAD

The security agency also said there are 921 password attacks every second - nearly doubling in frequency over the past 12 months, and Azure Active Directory accounts that disabled legacy authentication saw a 67% reduction in compromises.

The use of Basic Auth has essentially been banned among US Federal Civilian Executive Branch (FCEB) agencies since last year, according to CISA’s advisory.

A May 2021 Executive Order titled ‘Improving the Nation’s Cybersecurity’ mandated the use of MFA in such departments, and since MFA cannot be implemented with Basic Auth, according to CISA, using it for the past year has effectively been unlawful.

The guidance offered is tailored for FCEB agencies but all organisations are urged to migrate to Modern Auth before October 2022.

Microsoft Exchange’s security woes

Numerous security vulnerabilities have been detected and abused in Microsoft Exchange Servers, particularly over the previous 18 months.

Most notably, the China-linked Hafnium hacking group chained together four zero-days in March 2021 to target on-premise Exchange Servers leading to tens of thousands of compromised organisations.

Additional zero-days were later abused months later and the cumulative work from Microsoft it took to defend against the resulting attacks delayed the development of the next version of Microsoft Exchange Server by four years, it said earlier this month.

Numerous other attacks on Exchange have also been observed since the Hafnium attack, including exploits to spread Qakbot malware and misconfigure mailboxes.

Separately, It was revealed earlier this year that on-prem Exchange Servers were struggling to deliver mail due it not being able to handle ‘2022’ as a date format - a bug dubbed Y2K22.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.