
Businesses urged to abandon Microsoft Exchange legacy authentication earlier than planned

Basic Auth will be turned off by Microsoft in October, but CISA wants all organisations to migrate from the vulnerable method as soon as possible

The US’ Cybersecurity and Infrastructure Security Agency (CISA) has urged all businesses and other organisations to accelerate their transition to more modern authentication methods for Microsoft Exchange Online.

The guidance, issued to organisations of all types, explains how to check whether Basic Authentication is still in use and how to switch to Modern Auth before Microsoft begins disabling the legacy authentication method in October.

Businesses should migrate to Modern Auth as soon as possible and, once the migration is complete, block Basic Auth so the method cannot be exploited through other legacy applications, CISA said.

Microsoft has published extensive guidance on how to migrate to Modern Auth and the detailed instructions can be found in the security authority’s advisory.

Once the migration is complete, CISA advises using either an Exchange Online authentication policy or a Conditional Access policy in Azure Active Directory to block the use of Basic Auth across the business.
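As an added example (not from CISA's advisory or Microsoft's documentation), the authentication-policy route described above can be applied with the Exchange Online PowerShell module; the admin account, the example user and the policy name "Block Basic Auth" are assumed placeholders.

```powershell
# Added example: block Basic Auth in Exchange Online with an authentication
# policy, the first of the two options CISA names. The admin account, the
# example user and the policy name "Block Basic Auth" are assumed placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Inventory first: mailboxes that still have the legacy POP/IMAP protocols
# enabled are the ones whose clients most need checking before the switch-off.
# (Actual Basic Auth sign-ins are visible in the Azure AD sign-in logs.)
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled

# A new authentication policy blocks Basic Auth on every protocol by default
# (every AllowBasicAuth* switch is off), so no extra parameters are needed.
New-AuthenticationPolicy -Name "Block Basic Auth"
Get-AuthenticationPolicy -Identity "Block Basic Auth" |
    Format-List AllowBasicAuth*

# Make it the tenant default so every user without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Policy changes are cached; resetting each mailbox user's token timestamp
# forces re-evaluation within minutes rather than after the usual delay.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Set-User -Identity $_.Identity -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Verify which policy now applies to a given user.
Get-User -Identity someone@example.com | Format-List Name, AuthenticationPolicy
```

Exceptions for a legacy application that genuinely still needs Basic Auth on one protocol can be handled with a second, narrower policy assigned only to that account, rather than by weakening the tenant default.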

A brief history of Basic Auth

Basic Auth was the previous authentication method of Microsoft Exchange but has since been found to be insufficient in a number of areas.

Microsoft has said that Basic Auth does not make it easy for IT teams to enable cross-organisation multi-factor authentication (MFA), and in some cases is impossible.

CISA’s assessment was that it was impossible to implement MFA using Basic Auth - a technology all organisations have been advised to implement for years by security experts.

The legacy authentication method is also believed to be vulnerable to ‘spray and pray’ attacks, since a user’s password must be sent with every authentication request, giving attackers more opportunities to guess it.

For the same reason, Basic Auth is also vulnerable to man-in-the-middle attacks where hackers can effectively intercept a password, especially when communicated over a network without transport layer security (TLS) protection.

Microsoft said that it would begin turning off Basic Auth for Exchange Online in September last year for users who were still using it, although the company has slowly been sunsetting the legacy authentication method for years now, across other services.

Basic Auth is still available for use on protocols such as Post Office Protocol/Internet Message Access Protocol (POP/IMAP), Exchange Web Services (EWS), ActiveSync, and Remote Procedure Call over HTTP (RPC over HTTP), but will end in October.

According to CISA, 99% of password spray attacks use legacy authentication protocols and 97% of credential stuffing attacks abuse legacy authentication too.


The security agency also said there are 921 password attacks every second - nearly doubling in frequency over the past 12 months, and Azure Active Directory accounts that disabled legacy authentication saw a 67% reduction in compromises.

The use of Basic Auth has essentially been banned among US Federal Civilian Executive Branch (FCEB) agencies since last year, according to CISA’s advisory.

A May 2021 Executive Order titled ‘Improving the Nation’s Cybersecurity’ mandated the use of MFA in such departments, and since MFA cannot be implemented with Basic Auth, according to CISA, using it for the past year has effectively been unlawful.

The guidance offered is tailored for FCEB agencies but all organisations are urged to migrate to Modern Auth before October 2022.

Microsoft Exchange’s security woes

Numerous security vulnerabilities have been detected and abused in Microsoft Exchange Servers, particularly over the past 18 months.

Most notably, the China-linked Hafnium hacking group chained together four zero-days in March 2021 to target on-premises Exchange Servers, leading to tens of thousands of compromised organisations.

Additional zero-days were abused months later, and the cumulative work it took Microsoft to defend against the resulting attacks delayed the development of the next version of Microsoft Exchange Server by four years, the company said earlier this month.

Numerous other attacks on Exchange have also been observed since the Hafnium attack, including exploits to spread Qakbot malware and misconfigure mailboxes.

Separately, it was revealed earlier this year that on-prem Exchange Servers were struggling to deliver mail because they could not handle ‘2022’ as a date format - a bug dubbed Y2K22.
