Super article, exactly what I was looking for.
So Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth" is still valid today? Asking because MS disabled Basic Auth in Oct 2022. If true, only SMTP AUTH is still enabled and getting misused.
Many times we see brute-force type conditions where a particular user, or multiple users, is targeted and accounts are locked out. Tenants typically have all things enabled, including MFA, CA, legacy auth disabled, etc., but it is still annoying that accounts are locked out every 10 minutes.
MFA is a good thing; CA controls other sides well, with the caveat that it is enforced post first-level authentication. MS says that Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service attacks, but it can use signals from these events to determine access.
So then, organization authentication policy. The biggest advantage of this is that, when set, auth attempts are stopped at the first level, meaning pre-authentication, before EXO sends traffic to Azure AD or a federated authority like ADFS or a third-party service like Okta. And you can guess now that brute-force or password-spray attacks won't reach the IdP (which might otherwise trigger account lock-outs due to incorrect login attempts).
Conditional Access will not stop a password spray, but Authentication Policies stop pre-authentication requests, meaning a password spray using legacy authentication against a blocked policy will fail without the attacker receiving any indication of whether a password is good or bad.
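The steps discussed in the comments above (create a policy that blocks Basic Auth, make it the tenant default, and deal with SMTP AUTH, the one legacy protocol the commenter notes is still in use), written out as an added PowerShell example. This is not code from the article or from the commenters; it assumes the ExchangeOnlineManagement module, an account with Exchange admin rights, and the policy name "Block Basic Auth" quoted in the comment. The per-mailbox audit at the end goes slightly beyond the comment: it lists mailboxes whose own SMTP AUTH setting overrides the tenant-wide disable.

```powershell
# Added example (not from the original article or comments).
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$PolicyName = "Block Basic Auth"   # name taken from the comment above

# 1. Create the policy. With no -AllowBasicAuth* switches, a new
#    authentication policy blocks Basic Auth for every protocol
#    (including SMTP AUTH), so the failure happens in EXO before
#    anything is forwarded to Azure AD / ADFS / a third-party IdP.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 2. Make it the tenant default so users without an explicit
#    per-user policy are covered pre-authentication.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 3. Belt and braces for the SMTP AUTH case raised in the comment:
#    turn SMTP AUTH off tenant-wide as well.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 4. Verify what is now in force.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-AuthenticationPolicy -Identity $PolicyName |
    Select-Object Name, AllowBasicAuthSmtp, AllowBasicAuthImap, AllowBasicAuthPop,
                  AllowBasicAuthActiveSync, AllowBasicAuthOutlookService,
                  AllowBasicAuthPowershell
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# 5. Audit: mailboxes whose own setting re-enables SMTP AUTH.
#    $null means "inherit tenant setting"; $false is an explicit override.
$Overrides = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
if ($Overrides) {
    Write-Warning "Mailboxes with SMTP AUTH explicitly enabled (per-mailbox override):"
    $Overrides | Select-Object Identity, SmtpClientAuthenticationDisabled | Format-Table
}

Disconnect-ExchangeOnline -Confirm:$false
```

Policy changes can take some hours to apply to existing sessions; the Microsoft documentation for authentication policies gives Set-User -Identity <user> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) as the way to make the new policy take effect for a specific user sooner. Keep an eye on the override list from step 5: a legitimately needed SMTP AUTH mailbox (a scanner or line-of-business app) is exactly the kind of account a spray will find, so give it a long random password and scope it with its own authentication policy rather than relaxing the tenant default.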
Thanks.