Black Arrow Cyber Advisory 30/06/2022 – Switch to Exchange Online Modern Auth
Executive Summary
Microsoft is permanently disabling ‘Basic Authentication’ for Exchange Online (M365) in October 2022, which will prevent users from accessing email on the service if they are using a ‘Basic Authentication’ method. ‘Basic Authentication’ allows legacy applications that do not support ‘Modern Authentication’ to access email on Exchange Online, but comes with several security risks, including the lack of full support for multi-factor authentication.
What’s the risk to me or my business?
If any users are currently using ‘Basic Authentication’ to access email, using protocols such as POP, IMAP and ActiveSync, then they will be unable to access email after Microsoft disables this feature on October 01 2022. Due to security concerns with ‘Basic Authentication’, organisations should be making every effort to move to ‘Modern Authentication’ for Exchange Online.
What can I do?
Work with your MSP to first check which users are still using ‘Basic Authentication’, and complete migration work to applications which support ‘Modern Authentication’. Once it has been confirmed that no users are using ‘Basic Authentication’, this method should be disabled.
Technical Summary
Microsoft has already rolled out updates for many applications, including Outlook for Desktop and the various Outlook mobile applications, meaning users may have already moved onto ‘Modern Authentication’. The guidance provided by CISA contains details on how to check for current usage of ‘Basic Authentication’, and on putting in place an authentication policy or a conditional access policy to prevent ‘Basic Authentication’ from being used going forward.
Further details can be found here: Action Recommended: Switch to Modern Authentication in Exchange Online Before Basic Authentication Deprecation (cisa.gov)
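One way to carry out the usage check described above is to review an export of Azure AD sign-in records for legacy client applications. The following is an added example, not code from Black Arrow, CISA or Microsoft. It assumes a JSON-lines export using the Microsoft Graph sign-in field names `userPrincipalName`, `clientAppUsed` and `status.errorCode`; the legacy client list and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed list of sign-in log "client app" values that indicate a legacy
# (Basic Authentication capable) protocol. Extend it to match your tenant.
LEGACY_CLIENT_APPS = {a.lower() for a in (
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "AutoDiscover",
    "Exchange Online PowerShell", "Reporting Web Services", "Other clients",
)}

# Constructed sample records (not real log data), one JSON object per line.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "Bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
"""

def legacy_auth_usage(lines):
    """Return {user: {client_app: {"success": n, "failure": n}}} for legacy sign-ins."""
    usage = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        app = rec.get("clientAppUsed") or ""
        if app.lower() not in LEGACY_CLIENT_APPS:
            continue  # modern-auth client, nothing to migrate
        user = (rec.get("userPrincipalName") or "unknown").lower()
        ok = (rec.get("status") or {}).get("errorCode") == 0
        usage[user][app]["success" if ok else "failure"] += 1
    return {u: {a: dict(c) for a, c in apps.items()} for u, apps in usage.items()}

def users_to_migrate(usage):
    """Users with a successful legacy sign-in, who lose access once it is disabled."""
    return sorted(u for u, apps in usage.items()
                  if any(c["success"] for c in apps.values()))

if __name__ == "__main__":
    report = legacy_auth_usage(SAMPLE_LOG.splitlines())
    for user in users_to_migrate(report):
        print(user, report[user])
```

Accounts that show only failed legacy sign-ins are not dependent on ‘Basic Authentication’ and do not need migrating, but those failures are worth reviewing separately.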