Attackers target accounts over the legacy IMAP/POP/SMTP protocols, brute-forcing them with common variations on the usernames and passwords exposed in large credential dumps.
For MFA and Practice Protect policies to be effective, legacy authentication needs to be blocked at the Office 365 level. This is because Basic Authentication over legacy protocols such as POP, SMTP, IMAP, and MAPI cannot enforce MFA, which makes those endpoints the preferred entry point for adversaries attacking your organization: a correct password is all they need.
The numbers on legacy authentication from an analysis of Microsoft Office 365 traffic are stark:
- More than 99 percent of password spray attacks use legacy authentication protocols
- More than 97 percent of credential stuffing attacks use legacy authentication
- Office 365 accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
Modern Outlook connections to Office 365 no longer use these protocols. However, they are left on by default in Office 365. (Microsoft has since started disabling Basic Authentication for Exchange Online tenants itself, but the steps below are still how you verify and enforce the state of your own tenant.)
Disabling these protocols and blocking Basic Authentication on your organization's cloud user accounts is a good measure on its own, alongside our recommendation to federate your Office 365 with Practice Protect. You must take into account any 3rd-party applications or devices (scanners, line-of-business apps, monitoring tools) that use SMTP/IMAP to send from or access your accounts, as these systems may still be using legacy protocols and need to be migrated before you block them, or they will stop working.
- Office 2016 installed on client computer
- Admin Account in O365
- Exchange Online PowerShell module (the ExchangeOnlineManagement module, which provides Connect-ExchangeOnline) – Install Here
- Confirm whether any user, device or 3rd-party application is still using legacy authentication before you block it. The Azure AD sign-in logs, filtered by Client App, show this per user and protocol. For scan-to-email functions, please see Microsoft's guide on setting up a multifunction device or application to send email using Microsoft 365, Option 3 (SMTP relay).
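The pre-check in the last prerequisite, as an added example that is not part of the original guide: it pulls the last 30 days of Azure AD sign-in logs through Microsoft Graph and summarises every sign-in that used a legacy (Basic Authentication) client, so you can see which users, devices and source IPs will break when you block it. It assumes the Microsoft.Graph.Reports module is installed, that the signed-in account can consent to the AuditLog.Read.All and Directory.Read.All scopes, and that the tenant has the Azure AD P1 licence sign-in log retention requires. The list of client-app names is Microsoft's documented set of legacy-authentication clients at the time of writing; check it against the current documentation.

```powershell
# Added example, not from the original guide. Assumes the Microsoft.Graph.Reports module,
# the AuditLog.Read.All / Directory.Read.All scopes, and Azure AD P1 (sign-in log retention).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Client app names Azure AD reports for legacy (Basic) authentication, per Microsoft's
# legacy-authentication documentation. Anything else is modern auth.
$LegacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Other clients', 'POP3', 'Reporting Web Services'
)

# Server-side filter on the date only; the protocol filter is done locally so the
# OData query stays simple and a typo in a client name cannot silently drop results.
$Since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$SignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since"

# Keep failed attempts as well as successes: a failed IMAP sign-in still shows the endpoint
# is being sprayed, while a successful one is a client you must migrate before blocking.
$Legacy = $SignIns | Where-Object { $LegacyClients -contains $_.ClientAppUsed }

$Legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            Protocol  = $_.Group[0].ClientAppUsed
            Attempts  = $_.Count
            Succeeded = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
            LastSeen  = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Attempts -Descending |
    Format-Table -AutoSize
```

Rows with a non-zero Succeeded count and a small, stable set of source IPs are usually a scanner, an application server or a mobile client that must be reconfigured; rows with many failed attempts from many IPs are the password spraying the statistics above describe, and are exactly the traffic the rest of this guide shuts out.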
Block Legacy Protocols & Disable Basic Authentication
1. Open PowerShell and run Connect-ExchangeOnline
2. A login prompt will appear. Sign in with an Office 365 Global Admin account.
3. You are now connected.
4. Verify which mailboxes have SMTP/IMAP/POP enabled. By default they all are. Run Get-CasMailbox and check the ImapEnabled, PopEnabled and SmtpClientAuthenticationDisabled values (a blank SmtpClientAuthenticationDisabled means the mailbox inherits the tenant-wide SMTP AUTH setting).
5. Run the following command to disable IMAP/POP/SMTP AUTH for all mailboxes.
Get-CasMailbox | Set-CasMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
Then run Get-CasMailbox again to verify: every mailbox should now show ImapEnabled and PopEnabled as False and SmtpClientAuthenticationDisabled as True.
6. As this is a per-user/mailbox setting, you will need to run it again each time you create a new account/mailbox. Below is the command for setting it on a single mailbox:
Set-CASMailbox -Identity firstname.lastname@example.org -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
7. Now, to disable POP and IMAP for newly created mailboxes, run the command below. Note that the mailbox plan has no SMTP AUTH setting, so SMTP AUTH on a new mailbox is governed by the tenant-wide SMTP AUTH setting in the transport configuration until you set it explicitly per mailbox as in step 6.
Get-CASMailboxPlan | set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
8. Now configure an Authentication Policy in Office 365 to block Basic Authentication. This blocks access at the pre-authentication level, so login requests arriving through legacy endpoints are rejected before a password is ever checked, which also stops them from locking out accounts or confirming valid credentials.
From your PowerShell session, run the commands below in order (wait for each to complete).
New-AuthenticationPolicy -Name "Block Basic Authentication"
This creates the Authentication Policy in Office 365. A new policy blocks Basic Authentication for every protocol, because all of its Allow*BasicAuthentication settings default to False.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Authentication"
This sets the policy as the default for all new user accounts created in the future.
Get-User | Set-User -AuthenticationPolicy "Block Basic Authentication"
This sets the policy on all existing accounts. It can take up to 24 hours to take effect, because existing refresh tokens remain valid until they expire.
If the command above fails for a user whose identity is ambiguous (for example, two accounts sharing the same display name), run the loop below instead, which targets each user by its GUID:
$Users = Get-User -ResultSize Unlimited   # Unlimited: the default result size of 1000 would silently skip users in larger tenants
ForEach ($User in $Users) {
    Set-User -Identity $User.GUID.Guid -AuthenticationPolicy "Block Basic Authentication"
}
9. Now verify that Modern Authentication (OAuth) is enabled for the tenant, so that Outlook and mobile clients have something to fall back on once Basic Authentication is blocked.
Run the following:
Get-OrganizationConfig | ft name, *OAuth*
If OAuth2ClientProfileEnabled shows False, Modern Authentication is not enabled for the tenant and must be turned on before you proceed; otherwise clients that lose Basic Authentication will have no working way to sign in.
10. Legacy Protocols and Authentication are now Disabled.
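The whole procedure as one re-runnable script, added here as an example; it is not part of the original guide. It applies steps 4 to 9 in order and then reports anything still exposed, so it can be run again after onboarding new staff. It assumes the ExchangeOnlineManagement module and an account holding the Exchange Administrator or Global Administrator role, and it uses the guide's own policy name. It adds three things the numbered steps leave out: the tenant-wide SMTP AUTH switch (Set-TransportConfig -SmtpClientAuthenticationDisabled), which covers mailboxes created later since the mailbox plan has no SMTP setting; a refresh-token reset (Set-User -STSRefreshTokensValidFrom) so the authentication policy applies immediately instead of within 24 hours; and the Set-OrganizationConfig -OAuth2ClientProfileEnabled command that enables Modern Authentication when step 9 reports False.

```powershell
# Added example, not from the original guide. Assumes the ExchangeOnlineManagement module
# and an Exchange Administrator (or Global Administrator) account.
$PolicyName = "Block Basic Authentication"   # the policy name used in the guide

Connect-ExchangeOnline

# 1. Tenant-wide: disable SMTP AUTH. A mailbox-level SmtpClientAuthenticationDisabled value
#    overrides this, but the tenant setting covers every mailbox whose value is blank,
#    including mailboxes created later (Set-CASMailboxPlan has no SMTP switch).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 2. Existing mailboxes: turn off POP, IMAP and SMTP AUTH. -ResultSize Unlimited avoids the
#    default 1000-object cap that would silently skip mailboxes in larger tenants.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true

# 3. Future mailboxes: every mailbox plan hands out POP/IMAP disabled.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 4. Authentication policy: create it only if it does not already exist, so re-running the
#    script does not fail on a duplicate name. A new policy blocks Basic auth for every
#    protocol because all of its Allow*BasicAuthentication switches default to $false.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 5. Assign the policy to every existing user by GUID, so duplicate display names cannot
#    make the identity ambiguous, and invalidate existing refresh tokens so the block
#    applies now rather than when the tokens expire (up to 24 hours later).
$Now = [System.DateTime]::UtcNow
foreach ($User in Get-User -ResultSize Unlimited) {
    Set-User -Identity $User.Guid.Guid -AuthenticationPolicy $PolicyName -STSRefreshTokensValidFrom $Now
}

# 6. Modern Authentication must be on, otherwise clients have no OAuth path to fall back on
#    once Basic auth is blocked.
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 7. Report anything still exposed. After step 2 every mailbox carries an explicit SMTP
#    value, so a blank here means a mailbox was missed. Expect both lists to be empty.
"Mailboxes with POP, IMAP or SMTP AUTH still enabled:"
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

"Users not covered by the Basic Authentication block:"
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -notlike "*$PolicyName*" } |
    Select-Object Name, UserPrincipalName, AuthenticationPolicy
```

Run it only after the pre-check in the prerequisites has confirmed that no scanner, application or mailbox still depends on Basic Authentication; the script blocks those clients tenant-wide in one pass, and the two reports at the end are what you re-run after each new mailbox is created to confirm nothing has been re-enabled.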