Greg Taylor - EXCHANGE awesome post!
It's been a while, and as we know MSFT has blocked basic auth for all protocols https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication#messaging-protocols-that-support-legacy-authentication except SMTP AUTH. Now I'm reading here https://redcanary.com/blog/bav2ropc/ that Microsoft is silently ‘upgrading’ basic auth to OAuth 2.0 ROPC. Now if that is true, and nothing has changed in the meantime (and please correct me if I'm wrong on this one), a user eligible for SMTP AUTH would still be prone to password spraying attacks. HOWEVER, if he had MFA configured, or conditional access rules at least on Office 365 Exchange Online that would require a second factor, it would deny the authentication even if the adversary successfully sprayed the victim's password, because the ROPC flow does not support MFA or Conditional Access, as outlined here https://learn.microsoft.com/en-us/entra/identity-platform/msal-authentication-flows#constraints-for-ropc
Also, I have a mailbox that has the per-mailbox setting disabled (SMTP AUTH). When trying to authenticate against it using some Python code with smtplib I'm getting ‘Authentication unsuccessful. SmtpClientAuthentication is disabled for the Mailbox’, and I get this regardless of whether I use the correct or an incorrect password. So could it be that for SMTP specifically the CASMailbox setting is just fine? Whereas for the same attempt against a mailbox that has SMTP AUTH enabled I get ‘Authentication unsuccessful, account locked’.
Any comments on this please?
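The question above hinges on which mailboxes still accept SMTP AUTH. The following is an added example, not the commenter's or Microsoft's code: an Exchange Online PowerShell audit that resolves the effective per-mailbox state, since a blank per-mailbox `SmtpClientAuthenticationDisabled` inherits the tenant-wide value from `Get-TransportConfig`. It assumes the ExchangeOnlineManagement module is installed and the account running it has Exchange admin rights.

```powershell
# Added example (not the commenter's code): report the effective SMTP AUTH state per mailbox.
# Assumes the ExchangeOnlineManagement module is installed and you have Exchange admin rights.
Connect-ExchangeOnline

# Tenant-wide default. $true means SMTP AUTH is off for every mailbox that does not override it.
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

$report = Get-CASMailbox -ResultSize Unlimited |
    ForEach-Object {
        # Per-mailbox value: $true = disabled, $false = enabled, blank/$null = inherit tenant default
        $mbx = $_.SmtpClientAuthenticationDisabled
        $effectiveDisabled = if ($null -eq $mbx) { $orgDisabled } else { $mbx }
        [pscustomobject]@{
            Mailbox              = $_.PrimarySmtpAddress
            MailboxSetting       = if ($null -eq $mbx) { 'inherit' } else { $mbx }
            EffectiveSmtpAuthOff = $effectiveDisabled
        }
    }

# Mailboxes where SMTP AUTH is still reachable: these are the ones that still answer a
# basic-auth attempt with a real password check rather than the "disabled for the Mailbox" reply.
$report | Where-Object { -not $_.EffectiveSmtpAuthOff } | Format-Table -AutoSize

# Optional: turn it off for one mailbox that does not need it (hypothetical address).
# Set-CASMailbox -Identity 'user@example.com' -SmtpClientAuthenticationDisabled $true
```

Mailboxes listed by the last filter are the only ones where the lockout-style response the comment describes can occur; everything else rejects the attempt before the password is evaluated.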