CISA warns orgs to switch to Exchange Online Modern Auth by October


CISA has urged government agencies and private sector organizations using Microsoft’s Exchange cloud email platform to expedite the switch from Basic Authentication, a legacy authentication method without multifactor authentication (MFA) support, to Modern Authentication alternatives.

Basic Auth (proxy authentication) is an HTTP-based auth scheme used by apps to send credentials in plain text to servers, endpoints, or online services.

The alternative, Modern Auth (Active Directory Authentication Library and OAuth 2.0 token-based authentication), uses OAuth access tokens with a limited lifetime that cannot be re-used to authenticate on other resources besides those they were issued for.

Apps using Basic Auth allow attackers to guess credentials in password spray attacks or capture them in man-in-the-middle attacks over TLS. To make things worse, when using Basic Auth, multifactor authentication (MFA) is quite complicated to enable, and, as a result, it often isn’t used at all.

Modern Auth switch urgently needed

Federal Civilian Executive Branch (FCEB) agencies were also advised to block Basic Auth after migrating to Modern Auth, which, according to Microsoft, will make it harder for threat actors to pull off successful password spray and credential stuffing attacks.

According to CISA’s guidance, this can be done either by creating an authentication policy for all Exchange Online mailboxes from the M365 Admin Center’s Modern Auth page or by creating a Conditional Access policy in Azure Active Directory (AAD) using the AAD Admin Center.

“Basic Auth is a legacy authentication method that does not support multifactor authentication (MFA), which is a requirement for Federal Civilian Executive Branch (FCEB) agencies per Executive Order 14028,” CISA said on Tuesday.

“Although this guidance is tailored to FCEB agencies, CISA urges all organizations to switch to Modern Auth before October 1 and enable MFA.”

Basic Auth will be disabled in October

CISA’s warning comes after Microsoft also reminded customers in May that it will begin disabling Basic Authentication in random tenants worldwide starting October 1, 2022.

Microsoft first announced that it would disable Basic Auth in Exchange Online for all protocols in all tenants in September 2021.

“We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack,” the company said.

Redmond plans to disable Basic Auth for the MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols.

While SMTP AUTH has already been disabled in millions of tenants that weren’t using it, Microsoft said it will not disable it where it’s still in use.
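Before Basic Auth is blocked, it helps to know which accounts still sign in over the legacy protocols listed above and whether any of that traffic looks like password spraying. The following Python is an added example, not code from CISA, Microsoft or the original article; the flat record layout (`user`, `clientAppUsed`, `ip`, `errorCode`), the client-app label strings and the sample log are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Labels treated as legacy (Basic Auth) clients. They follow the protocols the
# article lists; the exact strings in your log export are an assumption here.
LEGACY_APPS = {"MAPI Over HTTP", "Offline Address Book", "Exchange Web Services",
               "POP3", "IMAP4", "Exchange Online PowerShell", "Authenticated SMTP"}

# Constructed sample sign-in records (not real data), one JSON object per line.
# errorCode 0 means success; any other value is treated as a failed sign-in.
SAMPLE_LOG = """\
{"user": "alice@example.com", "clientAppUsed": "IMAP4", "ip": "198.51.100.7", "errorCode": 0}
{"user": "alice@example.com", "clientAppUsed": "IMAP4", "ip": "198.51.100.7", "errorCode": 0}
{"user": "bob@example.com", "clientAppUsed": "Browser", "ip": "198.51.100.9", "errorCode": 0}
{"user": "bob@example.com", "clientAppUsed": "POP3", "ip": "203.0.113.50", "errorCode": 50126}
{"user": "carol@example.com", "clientAppUsed": "POP3", "ip": "203.0.113.50", "errorCode": 50126}
{"user": "dave@example.com", "clientAppUsed": "POP3", "ip": "203.0.113.50", "errorCode": 50126}
not-json debris line
{"user": "dave@example.com", "clientAppUsed": "Exchange Web Services", "ip": "198.51.100.12", "errorCode": 0}
"""

def parse(log_text):
    """Yield legacy-auth records only, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("clientAppUsed") in LEGACY_APPS:
            yield rec

def migration_inventory(log_text):
    """Map each user to the legacy protocols that signed in successfully.
    These are the clients that stop working once Basic Auth is blocked."""
    inv = defaultdict(set)
    for rec in parse(log_text):
        if rec.get("errorCode") == 0:
            inv[rec.get("user", "<unknown>")].add(rec["clientAppUsed"])
    return {user: sorted(apps) for user, apps in inv.items()}

def spray_suspects(log_text, min_users=3):
    """Source IPs with failed legacy sign-ins against >= min_users accounts."""
    targets = defaultdict(set)
    for rec in parse(log_text):
        if rec.get("errorCode") != 0:
            targets[rec.get("ip")].add(rec.get("user", "<unknown>"))
    return {ip: sorted(u) for ip, u in targets.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(migration_inventory(SAMPLE_LOG))
    print(spray_suspects(SAMPLE_LOG))
```

Accounts in the inventory need a Modern Auth client before the block goes in; addresses returned by `spray_suspects` are failing against many mailboxes over a protocol that cannot prompt for MFA.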

A Guardicore report published in September 2021 further highlights the importance of moving Exchange Online users away from Basic Auth.

Amit Serper, Guardicore’s AVP of Security Research at the time, revealed how hundreds of thousands of Windows domain credentials were leaked in plain text to external domains by misconfigured email clients using Basic Auth.