Sequretek Advisory - Deprecation of Basic Authentication in Exchange Online

Microsoft has announced that it is disabling Basic authentication in Exchange Online for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell in order to improve the security of the service.

• Basic authentication (also called legacy authentication or proxy authentication) is an HTTP-based authentication scheme in which an application sends its credentials in plain text to a server, endpoint, or online service.

• Unfortunately, this lets threat actors steal credentials through man-in-the-middle attacks over TLS or guess them through password spray attacks. They can also capture clear-text credentials from apps that use Basic auth through several tactics, including social engineering and information-stealing malware.

• Microsoft has now removed the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), and Outlook for Windows and Mac.

• Microsoft has disabled SMTP AUTH in all tenants in which it is not being used.

• The deprecation of basic authentication will also prevent the use of app passwords with apps that don't support two-step verification.
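As an added illustration (not part of the Sequretek advisory or Microsoft's tooling) of why Basic authentication counts as clear text and how a tenant can inventory the clients still using it before the cut-off, the Python below audits constructed proxy-log lines; the log format, the Exchange virtual-directory paths used to identify EWS, EAS, OAB and MAPI, and the account names are all assumptions.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlparse

def basic_header(user, password):
    """What a Basic-auth client sends: base64(user:password), encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed proxy-log lines (assumed format): method, URL, Authorization header.
SAMPLE_LOG = "\n".join([
    f"POST https://outlook.office365.com/EWS/Exchange.asmx Authorization: {basic_header('alice@contoso.com', 'Passw0rd!')}",
    f"POST https://outlook.office365.com/Microsoft-Server-ActiveSync Authorization: {basic_header('bob@contoso.com', 'hunter2')}",
    "GET https://outlook.office365.com/OAB/guid/oab.xml Authorization: Bearer eyJhbGciOi.assumed.token",
    "POST https://outlook.office365.com/mapi/emsmdb Authorization: Bearer eyJhbGciOi.assumed.token",
])

# Assumed Exchange virtual-directory prefixes for the HTTP protocols the advisory names.
PROTOCOL_BY_PATH = {"/EWS/": "EWS", "/Microsoft-Server-ActiveSync": "EAS", "/OAB/": "OAB", "/mapi/": "MAPI"}

LINE_RE = re.compile(r"^(\w+) (\S+) Authorization: (\w+) (\S+)$")

def protocol_for(url):
    """Map a request URL to the Exchange protocol it serves, or 'other'."""
    path = urlparse(url).path
    for prefix, proto in PROTOCOL_BY_PATH.items():
        if path.startswith(prefix):
            return proto
    return "other"

def decode_basic(cred):
    """Recover (user, password) from a Basic credential; no key or secret is needed."""
    user, _, password = base64.b64decode(cred).decode("utf-8").partition(":")
    return user, password

def audit(log_text):
    """Return (findings, per-protocol counts) for requests still using Basic auth.
    Findings keep protocol and account for migration follow-up; the password is dropped."""
    findings, counts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unauthenticated or differently formatted line
        _method, url, scheme, cred = m.groups()
        if scheme == "Basic":  # Bearer (OAuth) requests carry no reusable password
            proto = protocol_for(url)
            user, _password = decode_basic(cred)
            counts[proto] += 1
            findings.append((proto, user))
    return findings, counts
```

Running `audit` over real proxy or sign-in exports gives the list of accounts and protocols that must be migrated to modern authentication before Microsoft's cut-off.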

