Attackers target accounts through the legacy IMAP/POP/SMTP protocols in order to brute-force them using common variations on usernames and passwords exposed in large credential dumps.
Modern Outlook connections to Office 365 no longer use these protocols. However, they are left on by default in Office 365.
Disabling these protocols on your organization’s cloud user accounts is a good measure, as is our recommendation to federate your Office 365 with Practice Protect. You must take into account any 3rd party applications/devices using SMTP/IMAP to send or access your accounts, as these systems may require these protocols.
- Office 2016 installed on client computer
- Admin Account in O365
- Windows PowerShell installed on the client PC that will be used to perform the instructions
- Confirm any device or 3rd party application connecting to or as a user account. For scan-to-email functions, please see either Option 2 or 3 in the following guide from Microsoft – Guide.
1. Log in to your local computer, open Windows PowerShell and run the below command. Select Y to enable Windows PowerShell to run signed scripts.
2. Run the below command. In the Windows PowerShell Credential Request dialog box, type the O365 admin account and password, and then click OK.
$UserCredential = Get-Credential
3. Run the below command.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
4. Run the next command.
5. Verify the list of mailboxes with SMTP/IMAP/POP enabled. By default they are enabled. Run the below command.
6. Run the following command to disable IMAP/POP/SMTP for all Mailboxes.
Get-CasMailbox | set-CasMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
Then run Get-CasMailbox to verify.
7. For any mailbox that requires IMAP/POP/SMTP to be enabled, you will need to run a separate command as below:
Set-CASMailbox -Identity email@example.com -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $false
The above example enables SMTP for the mailbox “firstname.lastname@example.org”. Invert the value for the protocol you would like to enable and replace the identity with the required mailbox.
8. As this is a per user/mailbox setting, you will need to run this again each time you create a new account/mailbox. Below is the command for setting this per mailbox:
Set-CASMailbox -Identity email@example.com -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
9. If you want to Disable POP and IMAP upon mailbox creation you can run the below command. There is no equivalent option for SMTP Client Authentication so you will have to do it manually after mailbox creation.
Get-CASMailboxPlan | set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
10. Alternatively you can Enable Security Defaults in Azure. This blocks all legacy authentication protocols. For more information about Security Defaults, please check the Microsoft website.
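Because steps 5 to 8 leave the setting per mailbox, with exceptions and new accounts to track, the following added example (not part of the original guide) reports mailboxes where a legacy protocol is enabled without approval. The function name Get-LegacyProtocolDrift, the $Approved exception list and the sample addresses are hypothetical; the sample rows are constructed so the script runs without a session.

```powershell
# Added example: drift audit for the per-mailbox settings in steps 5-8.
# $Approved is a hypothetical exception list: mailbox -> protocols it may keep.
$Approved = @{
    'scanner@example.com' = @('SMTP')   # constructed exception, e.g. scan to email
}

function Get-LegacyProtocolDrift {
    param(
        [Parameter(ValueFromPipeline = $true)] $Mailbox,
        [hashtable] $Approved = @{}
    )
    process {
        $enabled = @()
        if ($Mailbox.ImapEnabled) { $enabled += 'IMAP' }
        if ($Mailbox.PopEnabled)  { $enabled += 'POP' }
        # A blank ($null) value means the mailbox follows the organization-wide
        # setting, so only an explicit $true is counted as disabled here.
        if ($Mailbox.SmtpClientAuthenticationDisabled -ne $true) { $enabled += 'SMTP' }

        # Protocols this mailbox is approved to keep (none if it is not listed).
        $allowed = @($Approved[[string]$Mailbox.PrimarySmtpAddress])
        $extra   = @($enabled | Where-Object { $_ -notin $allowed })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Mailbox    = [string]$Mailbox.PrimarySmtpAddress
                Unapproved = $extra -join ','
            }
        }
    }
}

# Constructed sample rows shaped like Get-CASMailbox output (not real mailboxes).
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.com';   ImapEnabled = $false; PopEnabled = $false; SmtpClientAuthenticationDisabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'newhire@example.com'; ImapEnabled = $true;  PopEnabled = $true;  SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@example.com'; ImapEnabled = $true;  PopEnabled = $false; SmtpClientAuthenticationDisabled = $false }
)
$sample | Get-LegacyProtocolDrift -Approved $Approved | Format-Table -AutoSize

# In a connected session, audit every mailbox instead. Get-CASMailbox returns
# only the first 1000 results unless -ResultSize Unlimited is given:
#   Get-CASMailbox -ResultSize Unlimited | Get-LegacyProtocolDrift -Approved $Approved
```

Any mailbox the report lists can then be corrected with the Set-CASMailbox command from step 8, or added to the exception list once its use of the protocol is confirmed.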