Blog Post

Exchange Team Blog
4 MIN READ

Use Authentication Policies to Fight Password Spray Attacks

The_Exchange_Team's avatar
Oct 03, 2022

We have recently seen several indicators that show that many of our customers are being targeted by password spray attacks that leverage basic authentication.

The only reason we’re turning off basic auth in Exchange Online is to protect your users and data. The evidence I see every day clearly indicates that password spray attacks are becoming more frequent.

If basic auth hasn’t yet been turned off for your tenant, or if you’ve asked for more time, you should read this.

What is a Password Spray attack?

A password spray attack is a type of brute force attack in which the attacker tries a large number of usernames with a list of common passwords against a target system to see if any will work. It’s often hard to detect as the username keeps changing; accounts don’t get locked because the account being attacked keeps changing. Attackers also distribute their efforts over their targets and keep changing their source IP.

It's a numbers game essentially, and computers are quite good at numbers. And as attacks go, it works.

The most popular protocols we see attacked like this are SMTP and IMAP. POP is third on the list, but SMTP and IMAP are way out there in a league of their own.

What can you do about this?

Set up Exchange Online Authentication Policies to ensure only the accounts that you know should be using basic auth with specific protocols, can use basic auth with these protocols. Start with SMTP and IMAP and do it today!

How do you set up Authentication Policies?

Our documentation is rather good at answering this question, and there are many other docs out there written by MVPs and other community contributors. Rather than explain the actual step by step, I wanted to explain the strategy.

We’ll use IMAP as the example, and then repeat for each protocol, noting that some apps (such as Outlook) use more than one protocol. So, you might need some “combination” policies as users can only have one policy assigned:

  • Use Azure AD Sign in reports to determine who is legitimately using basic auth with IMAP in your tenant.
  • Create an Authentication Policy in your tenant that allows Basic Auth with IMAP. For example:

 

New-AuthenticationPolicy -Name "AllowIMAP" -AllowBasicAuthImap

 

  • Create a Default Authentication Policy that blocks all basic auth use:

 

New-AuthenticationPolicy -Name "BlockAllBasicAuth"

 

  • Assign the allow policy to the user accounts you identified:

 

Set-User -Identity Bob -AuthenticationPolicy “AllowIMAP”

 

  • Then, set the Default Authentication to the policy that blocks everything:

 

Set-OrganizationConfig -DefaultAuthenticationPolicy "BlockAllBasicAuth"

 

And that is it.

Any attempt to use basic auth with IMAP, using any account other than those with the explicit Allow policy will fail.

Password spray attacks would be limited to those specific accounts – and you can watch them more closely, safe in the knowledge all your other accounts can’t be attacked in this manner.

Because we are not disabling SMTP Auth, and SMTP is one of the most frequently attacked protocols, you should make it a priority to set up an Authentication Policy for SMTP and limit your attack surface.

Bonus: Can we use Set-CASMailbox instead of Authentication Policies?

We see many customers using Set-CASMailbox to block protocols thinking that this will block basic auth too. But it won’t, and let’s explain why.

To start, CASMailbox settings blocks the use of a protocol entirely – basic auth as well as OAuth. So if you wanted to use OAuth with IMAP for example, CASMailbox would prevent it.

But more importantly CASMailbox settings block at the very final stage of the client’s journey to get to mailbox data. The user has to authenticate, and pass through Azure Conditional Access in order to even be evaluated for their per-protocol, CASMailbox setting. If at that stage they are blocked, they can’t access the data; but the response to the client tells a different story – a story that those who password spray like to read.

Take IMAP for example. If you block IMAP/Basic with an Authentication Policy (or we block it permanently) the client app gets this:

The IMAP server responded with an error status "2 NO LOGIN failed.".

However, if you block access with Set-CASMailbox, the client app gets this:

The IMAP server responded with an error status "3 BAD User is authenticated but not connected.".

That’s very revealing. The second message essentially is saying ‘you got the password right, but you can’t access the data’. And that, is a successful password harvested.

We’re not saying Set-CASMailbox doesn’t work or shouldn’t be used ever. We’re saying it shouldn’t be used thinking it will block authentication. It won’t. It blocks the protocol at the mailbox, nothing more.

Useful resources

Here are some useful resources to help you along the way.

Summary

Please set up Authentication Policies immediately if you are going to continue to use basic auth, and to control who can use SMTP Auth. Don’t be the next target!

Greg Taylor

Updated Oct 05, 2022
Version 4.0
  • GreigMitchell - glad you found it helpful. 

     

    SMTP is more complex, I agree. The first key to figuring this out is understanding that the Organization-wide switch (SmtpClientAuthenticationDisabled) is overridden by any per-user setting. So, if you disable it at the tenant level, but enable it on a per-user basis using Set-CASMailbox, and the user will be able to send mail. Now that switch/control allows the user of basic and OAuth. Both auth types are either on, or both off.  

     

    Then there's the auth piece. Auth Policies only affect the user or apps ability to use basic. There is no switch for OAuth. 

     

    So, if you want a single account to use only OAuth, you would set the Tenant Wide setting to True, then use Set-CASMailox on the single user account and set the value there to False. Now that one user can submit mail via SMTP. 

     

    Then create an auth policy (or use the org default) to block basic auth for SMTP. Now no-one can send mail via SMTP and use basic. But that one account can use OAuth to send mail. 

     

    Personally I think whichever person decided to set the PowerShell parameter up so it's a negative (My brain can't handle blocking it means setting it to True) should be punished, but it's what it is. 

  • "So set-organizationconfig -defaultauthenticationpolicy “block basic auth” is still valid today? Asking because MS disabled basic auth in oct 2022. If true, only smtp auth is still enabled and getting misused"

     

    It's only relevant for SMTP Auth now, you are correct. All other protocols are blocked regardless of the setting. 

  • GreigMitchell's avatar
    GreigMitchell
    Copper Contributor

    Hi Greg, 

     

    Great article with some very good information. 

     

    What is the recommended guidance regarding enabling or disabling SMTP Client Auth Tenant-wide using Set-TransportConfig? On Tenants created after January 2020 this setting is set to True (Disabled) which means SMTP Auth needs to be set on a per-mailbox basis using Set-CASMailbox. 

     

    If SMTP Auth is disabled Tenant-wide, then enabling it via Authentication Policies for certain mailboxes doesn't have any affect as it must first be enabled tenant-wide using Set-TransportConfig. 

     

    I have found that leaving SMTP Auth enabled on the tenant then controlling its use via Authentication Policies seems to offer the most control. Also, if there are any Conditional Access policies in place to block legacy auth then mailboxes must be excluded from this if SMTP Auth is required to be used. 

  • J_Tsai's avatar
    J_Tsai
    Copper Contributor

    What options do I have to protect Exchange 2019 endpoints (like for autodiscover, activesync and EWS) from password spray attacks?

    My firm’s mailboxes are still all on-prem in Exchange 2019 servers. Our exchange endpoints are block by firewall from public internet, and only allowed access to O365 IP.

    Currently we still have some activesync native iOS/android mail app users using basic auth to authenticate, activesync connection is proxied via MobileIron.

    We want to slowly convert those users to modern auth, but don’t see any way to do it except exposing our autodiscover/activesync endpoints out to the public first with both Basic and modern auth enabled.

    We would like to protect those endpoints externally from basic auth/password spray attacks – that causes our user AD accounts to be locked.  Once all the native iOS/Android mail clients are converted, we will then implement Authentication Policy to block basic.

     

  • J_Tsai - not easy - but you could get clever with Auth Policy assignments, editing/moving them as you try to migrate users. 

     

    I'd also suggest reviewing your account lockout policies, there's a lot of differing opinions on that these days. 

  • AlpTom's avatar
    AlpTom
    Copper Contributor

    It seems that "Modern authetincation" setting in Microsoft 365 Admin center creates authentication policy and sets it as default in organization config.

  • nseh17's avatar
    nseh17
    Copper Contributor

    super article.. exactly what I was looking

     

    So set-organizationconfig -defaultauthenticationpolicy “block basic auth” is still valid today? Asking because MS disabled basic auth in oct 2022. If true, only smtp auth is still enabled and getting misused

     

    Many times we see brute force type condition where a particular user is targeted or multiple users and accounts locked out. tenants typically have all things enabled including mfa, ca, legacy auth disabled etc. but still it is annoying that accounts are locked out every 10 mins

     

    mfa is a good thing, CA controls other sides well with a caveat that it is enforced post First level authentication; MS says that conditional access isn't intended to be an organization's first line of defense for scenarios like denial-of-service attacks, but it can use signals from these events to determine access

    So then organization authentication policy.. biggest advantage of this is when set, auth attempts are stopped at first level, meaning pre authentication before EXO sends traffic to Azure AD or federated authority like ADFS or third party service OKTA. And you can guess now that brute force or password spray attacks won't reach the IdP (which might trigger account lock-outs due to incorrect login attempts)

     

    Conditional Access will not stop a password spray but Authentication Policies stop pre-authentication requests, meaning a password spray using legacy authentication for a blocked policy will fail without the attacker receiving any indication that a password is good or bad.

     

    thanks

     

  • adampra86's avatar
    adampra86
    Copper Contributor

    Greg Taylor - EXCHANGE awesome post!

    Its been a while, and as we know MSFT had blocked basic auth for all protocols https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication#messaging-protocols-that-support-legacy-authentication except SMTP AUTH. Now as reading here https://redcanary.com/blog/bav2ropc/ that Microsoft is silently ‘upgrading’ basic auth to OAuth 2.0 ROPC. Now if that is true, and nothing has changed in the meantime (and please correct my if I’m wrong on this one) a user eligible for SMTP AUTH would still be prone to password spraying attacks, HOWEVER if he had MFA configured, or conditional access rules at least on Office 365 Exchange Online that would require second factor, it would deny the authentication even if the adversary would successfully spray the victims password, because the ROPC flow does not support MFA, Conditional Access as outlined here https://learn.microsoft.com/en-us/entra/identity-platform/msal-authentication-flows#constraints-for-ropc  

    Also, I have a mailbox that has the per-mailbox setting disabled (SMTP AUTH). When trying to authenticate against it using some Python code using smtplib I’m getting ‘Authentication unsuccessful. SmtpClientAuthentication is disabled for the Mailbox’ and I get this regardless if I use the correct, or incorrect password. So could it by that for SMTP specifically the CASMailbox setting is just fine ? Where’s the same attempt for a mailbox that has SMTP AUTH enabled I get ‘Authentication unsuccessful, account locked’.

     

    Any comments on this please?