Does your organization allow sign-ins to Office 365 using Basic authentication? If so, your identity and data are at higher risk, specifically from password spray and credential stuffing attacks. Password spraying is a broad-brush approach that targets many accounts in parallel, trying a small set of commonly used passwords against each of them at a rate low enough to stay under lockout thresholds. This is unlike a brute force attack, which repeatedly guesses the password of a single account.
Once a valid credential is found (either by password spraying or in one of the innumerable password leaks of recent years), the same username and password combination is tried against numerous other services in the hope that the password has been reused. This is known as credential stuffing. It compromises not just one account of one person but an entire identity and all the data protected by that reused password, which could include Office 365.
The vast majority of password spraying attacks occur over protocols that support Basic Authentication.
The threat landscape no longer allows for relying on Basic authentication and other outdated authentication models. To combat this, Azure Active Directory offers modern authentication options, as well as little-known tools such as Exchange Authentication Policies that help keep you and your customers safe.
Authorization vs. Authentication
First, it is vital to understand that authorization and authentication may look and sound similar but are distinct, and equally important, identity security concepts. Authorization is permission from the organization for a user to access specific resources. It is granted by an IT administrator and should fall within your organization's security guidelines and governance strategy.
If your business is without a governance strategy to set rules, roles and responsibilities, you can read more about the importance of that on the New Signature blog.
Authentication is the process by which the identity of the user is verified. The most common method is a password. Today we also have additional factors such as biometrics (fingerprints or facial recognition), PIN codes, or access codes sent to a separate device. In Office 365, multifactor authentication requires Modern Auth compatible protocols; a Basic authentication request carries only a username and password and has no way to present a second factor. Strong, multifactor authentication is one of the most effective ways to protect our identities and all of our business and personal data.
This distinction matters for this discussion because many organizations have enabled modern authentication and even blocked legacy authentication protocols via Conditional Access or by disabling services at the mailbox level, yet a successful Basic authentication can still occur. Those methods of restricting Basic authentication are authorization controls: by the time they are evaluated, the credential has already been validated.
Using Exchange Online to Block Threats
For most businesses, Office 365 is the number one platform on which information is shared, from files and links to cloud-based documents to financial data and information relating to your customers. It is vital for organizations to upgrade from Basic authentication to modern authentication models that offer a higher level of protection. It is equally important to ensure that Basic authentication can no longer occur at all.
During Basic authentication to Office 365, a plain username and password are transmitted to Exchange Online, which proxies the request back to the authoritative identity provider. When your identity provider is Azure AD, it looks like this:
The client sends the credentials to Exchange and Exchange uses Azure Active Directory (AD) to authenticate the user.
Only once this has occurred do authorization checks such as Conditional Access begin, and even when the sign-in is then blocked by such a policy, the attacker can often tell from the response that the password was correct. That password can immediately be tried against other protocols or services in a credential stuffing attack.
Exchange Authentication Policies terminate the connection at step 1 of the above diagram: Exchange rejects the Basic authentication request before the credentials are ever forwarded to Azure AD, regardless of whether the password is right, so the attacker learns nothing from the attempt. This can drastically reduce the impact of password spraying attacks on your organization.
The Benefits of Modern Authentication
The benefits of modern authentication extend beyond an elevated level of identity security for your users. It supports authentication methods such as smart cards and works consistently across devices, including mobile devices. Clients also cache authentication tokens, so in a federated environment users contact AD FS far less frequently, cutting down on load on those servers.
How to Ensure You’re Protected
The most recent information we have had from Microsoft on this subject is that as of October 2020, Basic authentication will be turned off in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, and Remote PowerShell.
Due to the risks involved, we recommend our customers get ahead of this problem and implement Exchange Authentication Policies that block Basic authentication as soon as possible, as an interim measure ahead of that October date. Before implementing such a policy, examine your sign-in logs for existing legitimate Basic authentication sign-ins (for example, service accounts, multifunction devices that relay mail over SMTP, or older mail clients). These can be excluded via a separate Exchange Authentication Policy while plans for a more permanent solution are made.
To create a policy that blocks Basic authentication for all available client protocols in Exchange Online (the recommended configuration), sign in to Exchange Online PowerShell with an account holding appropriate permissions and use the following syntax:
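The log review step above, as an added example that is not part of the original post: a PowerShell function that triages an exported Azure AD sign-in log for legacy (Basic) authentication, separating accounts that genuinely succeed over a legacy protocol from the all-failure bursts that characterise spraying. The CSV is constructed sample data; its column names follow the portal's CSV export but should be checked against your own file. The mapping from "Client app" values to Set-AuthenticationPolicy switches is authored for this example and is an assumption to verify against Get-Help Set-AuthenticationPolicy.

```powershell
# Added example (not from the original post). Constructed sign-in export: column names
# mirror the Azure AD portal's "Download CSV" output; adjust them to match your export.
$sampleSignIns = @'
"Date (UTC)","Username","Application","Client app","Status","IP address"
"2020-01-10T08:01:12Z","alice@contoso.com","Office 365 Exchange Online","Mobile Apps and Desktop clients","Success","203.0.113.10"
"2020-01-10T08:02:40Z","scanner@contoso.com","Office 365 Exchange Online","Authenticated SMTP","Success","198.51.100.7"
"2020-01-10T08:03:05Z","bob@contoso.com","Office 365 Exchange Online","IMAP4","Success","203.0.113.22"
"2020-01-10T08:03:09Z","carol@contoso.com","Office 365 Exchange Online","IMAP4","Failure","192.0.2.45"
"2020-01-10T08:03:10Z","dave@contoso.com","Office 365 Exchange Online","IMAP4","Failure","192.0.2.45"
"2020-01-10T08:03:11Z","erin@contoso.com","Office 365 Exchange Online","IMAP4","Failure","192.0.2.45"
"2020-01-10T09:15:00Z","bob@contoso.com","Office 365 Exchange Online","IMAP4","Success","203.0.113.22"
"2020-01-10T09:20:33Z","alice@contoso.com","Office 365 Exchange Online","Browser","Success","203.0.113.10"
'@

# "Client app" values that mean legacy authentication, mapped to the AllowBasicAuth*
# switch an allow policy would need for that protocol. Assumed mapping, written for
# this example; verify against Get-Help Set-AuthenticationPolicy -Parameter AllowBasicAuth*.
$legacyClientToPolicySwitch = @{
    'Exchange ActiveSync'              = 'AllowBasicAuthActiveSync'
    'IMAP4'                            = 'AllowBasicAuthImap'
    'POP3'                             = 'AllowBasicAuthPop'
    'Authenticated SMTP'               = 'AllowBasicAuthSmtp'
    'Exchange Web Services'            = 'AllowBasicAuthWebServices'
    'Autodiscover'                     = 'AllowBasicAuthAutodiscover'
    'Exchange Online PowerShell'       = 'AllowBasicAuthPowershell'
    'Outlook Anywhere (RPC over HTTP)' = 'AllowBasicAuthRpc'
    'MAPI Over HTTP'                   = 'AllowBasicAuthMapi'
    'Offline Address Book'             = 'AllowBasicAuthOfflineAddressBook'
    'Reporting Web Services'           = 'AllowBasicAuthReportingWebServices'
    'Other clients'                    = $null   # legacy, but the log does not name the protocol
}

function Get-LegacyAuthUsage {
    # Returns one row per (user, legacy client app) with success/failure counts,
    # the source IPs seen, and the policy switch that account would need.
    param([Parameter(Mandatory)][string]$CsvText)

    $CsvText | ConvertFrom-Csv |
        Where-Object { $legacyClientToPolicySwitch.ContainsKey($_.'Client app') } |
        Group-Object Username, 'Client app' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User         = $first.Username
                ClientApp    = $first.'Client app'
                Successes    = @($_.Group | Where-Object Status -eq 'Success').Count
                Failures     = @($_.Group | Where-Object Status -ne 'Success').Count
                SourceIPs    = ($_.Group.'IP address' | Sort-Object -Unique) -join ', '
                PolicySwitch = $legacyClientToPolicySwitch[$first.'Client app']
            }
        } |
        Sort-Object Successes -Descending
}

$usage = Get-LegacyAuthUsage -CsvText $sampleSignIns
$usage | Format-Table -AutoSize

# Accounts with real successes are candidates for a temporary allow policy; the
# failure-only rows from a single IP against several users are the spraying pattern.
$usage | Where-Object Successes -gt 0 | Select-Object User, ClientApp, PolicySwitch
```

Against the sample data this reports scanner@contoso.com (Authenticated SMTP) and bob@contoso.com (IMAP4) as the accounts that would need an allow policy, and shows carol, dave and erin as failure-only IMAP4 attempts from 192.0.2.45, which is exactly the traffic the block policy will stop from reaching Azure AD.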
New-AuthenticationPolicy -Name "Allow Basic Auth"
This example creates an authentication policy named Allow Basic Auth.
New-AuthenticationPolicy -Name "Block Basic Auth"
This example creates an authentication policy named Block Basic Auth.
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPop
This example turns on Basic authentication for the POP protocol only in the "Allow Basic Auth" policy. Note: every Basic authentication protocol is disabled by default in a newly created policy, so "Block Basic Auth" needs no further configuration, and "Allow Basic Auth" permits only the protocols you explicitly switch on.
For detailed syntax and parameter information, see New-AuthenticationPolicy and Set-AuthenticationPolicy.
From there, you will assign the authentication policy:
Set-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth"
This example assigns the "Allow Basic Auth" policy to a specific user account for which you wish to allow Basic authentication.
To set the default policy:
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
This example assigns the "Block Basic Auth" policy to any user not explicitly assigned an authentication policy such as "Allow Basic Auth".
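The whole procedure above as one idempotent script, added here as an example and not code from the original post. It assumes an open Exchange Online PowerShell session (for example via Connect-ExchangeOnline from the ExchangeOnlineManagement module) with an account that can manage authentication policies. The mailbox names, the policy names and the list of exceptions are placeholders. It goes one step beyond the text by creating one allow policy per protocol rather than a single "Allow Basic Auth" policy, so each exempted account keeps only the protocol it actually uses.

```powershell
# Added example, not the original post's code. Placeholder exception list: accounts the
# sign-in log review showed still succeeding over one Basic auth protocol, and the
# Set-AuthenticationPolicy switch that protocol needs.
$basicAuthExceptions = @{
    'scanner@contoso.com'    = 'AllowBasicAuthSmtp'   # multifunction printer relaying mail
    'legacy-app@contoso.com' = 'AllowBasicAuthImap'   # line-of-business mailbox poller
}

$existingPolicies = @(Get-AuthenticationPolicy | Select-Object -ExpandProperty Name)

# 1. The deny-all policy. A newly created policy has every AllowBasicAuth* switch off,
#    so it needs no Set-AuthenticationPolicy call.
if ('Block Basic Auth' -notin $existingPolicies) {
    New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
}

# 2. One allow policy per protocol that is still needed, enabling only that protocol.
#    Splatting lets the switch name come from the exception list.
foreach ($switchName in ($basicAuthExceptions.Values | Sort-Object -Unique)) {
    $policyName = "Allow Basic Auth - $switchName"
    if ($policyName -notin $existingPolicies) {
        New-AuthenticationPolicy -Name $policyName | Out-Null
    }
    $enable = @{ $switchName = $true }
    Set-AuthenticationPolicy -Identity $policyName @enable
}

# 3. Assign the narrow allow policies to the exception accounts. Microsoft documents that
#    policy assignments can take up to 24 hours to apply and that resetting the user's
#    token timestamp forces them to apply immediately (existing tokens are invalidated,
#    so the account re-authenticates).
foreach ($upn in $basicAuthExceptions.Keys) {
    $policyName = "Allow Basic Auth - $($basicAuthExceptions[$upn])"
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# 4. Everyone without an explicit assignment gets the deny-all policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 5. Verify: each policy's switches, the tenant default, and who is exempted.
Get-AuthenticationPolicy | Format-Table Name, AllowBasicAuth* -AutoSize
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Run the verification step again after the 24-hour window and keep the exception list under review; each entry is a mailbox that still accepts a password-only sign-in and should be migrated to a modern authentication client or removed as soon as the dependency is gone.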
As an exercise, monitor your failed sign-in logs after implementing these policies. You can expect to see a drastic drop in the number of failed authentications: attempts over Basic authentication are now rejected by Exchange before they reach Azure AD, so they no longer appear as sign-in failures there. Most of the failures that disappear represented active password spraying attacks against your environment.
Never Stop Learning
Even though we are experts in Microsoft technologies at New Signature, we are ever-curious and always learning all we can about the fast-paced world of the cloud and Office 365. We love to share that learning with our customers and communities as we grow and learn every day.
If you want to learn more about security measures within Exchange and the rest of the Office 365 suite of tools, join us for a free webinar all about Ensuring Successful Security. You can register for that below:
January 30 at 10:00 a.m. EST