Microsoft warned customers today that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.
Basic Authentication (aka proxy authentication) is an HTTP-based auth scheme apps use to send locally stored credentials in plain text to servers, endpoints, or online services.
This lets attackers capture credentials in man-in-the-middle attacks over TLS connections or guess them in password spray attacks. They can also steal the clear-text credentials stored by apps that use basic auth through various tactics, including info-stealing malware and social engineering.
Modern Authentication (Active Directory Authentication Library and OAuth 2.0 token-based authentication) uses OAuth access tokens with a limited lifetime that cannot be reused to authenticate to resources other than those they were issued for.
To make things even worse, enabling multi-factor authentication (MFA) is quite complicated when using basic auth, and it often isn’t used at all.
After toggling on modern auth, enabling and enforcing MFA become far less complicated, which directly and immediately improves security in Exchange Online.
“As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing,” the Exchange team said.
“We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.”
Microsoft will disable Basic Auth for the MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols.
SMTP AUTH has already been disabled on millions of tenants that weren’t using it and Microsoft will not disable it where it’s still in use.
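As an added example (not part of this report or of Microsoft's guidance), an Exchange Online PowerShell session that reports which Basic Auth protocols the tenant's authentication policies still allow, then creates and applies a policy blocking the protocols named above. It assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and a constructed policy name.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement
# module and an account with Exchange administrator rights.
Connect-ExchangeOnline

# Report which Basic Auth protocols each existing authentication policy still
# allows, so a tenant can see its exposure before Microsoft's random cut-off.
Get-AuthenticationPolicy | ForEach-Object {
    $policy = $_
    $allowed = $policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
    [pscustomobject]@{
        Policy                = $policy.Name
        BasicAuthStillAllowed = if ($allowed) { $allowed -join ', ' } else { '(none)' }
    }
}

# Create a policy with Basic Auth switched off for the protocols the article
# lists. New-AuthenticationPolicy already defaults every AllowBasicAuth*
# switch to $false; they are spelled out here so the intent is reviewable.
# SMTP is included as well: the article says Microsoft leaves SMTP AUTH on
# where it is still in use, so blocking it is the tenant admin's decision.
$policyName = 'Block Basic Auth'   # constructed policy name
New-AuthenticationPolicy -Name $policyName `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthWebServices:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthSmtp:$false

# Make it the tenant-wide default; users without an explicit policy inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Re-run the first part of the block after applying the policy to confirm the new policy reports "(none)" for every protocol.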
“To be clear, we will start on October 1; this is not the date we turn it off for everyone. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1.” – The Exchange Team