The risk of legacy authentication - act now to block it

Legacy authentication protocols have long been a hacker’s delight – offering easy access to corporate data and mailboxes that completely bypass the protection that multi-factor authentication provides. Microsoft will be taking significant measures in October 2022 to address these risks, which, while needed, could prevent legitimate users from connecting to systems. In this article we’ll explore legacy authentication in more detail, show you exactly why it is such a security risk, and provide useful information as to how you can identify and block its use in your environment in a controlled way before Microsoft permanently disables basic authentication.

What is legacy authentication?

Legacy authentication refers to basic authentication, an industry-standard method for collecting username and password information. Basic authentication is typically used by mail protocols such as IMAP, SMTP, and POP3. Basic authentication only requires one method of authentication (user password) and is used exclusively by older mail clients that do not support modern authentication protocols.

What are the risks of legacy authentication?

Although legacy authentication is still commonly (and legitimately) used in many organisations it offers a major security weakness to hackers, providing them with ‘back door’ access to your corporate data. The reason for this is simple – unlike modern authentication protocols, legacy authentication methods neither understand nor respect multi-factor authentication (MFA). Here are some rather stark facts from Microsoft about legacy authentication:

• More than 99 percent of password spray attacks use legacy authentication protocols
• More than 97 percent of credential stuffing attacks use legacy authentication
• Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled

Let’s run through an example of why legacy authentication represents such a security risk. Through various nefarious means, a hacker has managed to obtain a list of compromised username and password combinations for your organisation – including some C-level executives. No doubt the information contained in the mailboxes of these users could be useful for any number of further hacking activities. “No problem though,” I hear you say, “all our users are protected by MFA, and MFA can block almost all account compromise attacks.” Whilst that statement is certainly true (over 99.9% true according to Microsoft), what is commonly overlooked is that MFA can only block account compromise attacks where modern authentication is being used. MFA is not effective against legacy authentication protocols.

Let’s return then to our example – your users are all protected by MFA but you haven’t blocked legacy authentication protocols in your tenant. Your hacker can simply use a valid username/password combination they have stolen with an older mail client that does not use modern authentication (such as Outlook 2010 and below). At that point, any per-user MFA or conditional access rules you have implemented to enforce MFA are completely bypassed. The hacker connects to the mailbox using password only and immediately synchronises the entire mailbox contents to their local device using a legacy authentication protocol such as SMTP, POP3, or IMAP. At that point you have effectively lost control of the data. Even if the compromised user changed their password or you block legacy authentication at tenant level (both of which would break the mail synchronisation), the hacker still has a full offline copy of the mailbox up to that point. All of which they could peruse at their leisure for whatever purpose they choose. Perhaps some data and identity theft or discovering sensitive information that could lead to blackmail and extortion attempts.

To summarise then – for MFA to be effective, you also need to block legacy authentication. Let’s look now at what Microsoft’s response is to legacy authentication and how you can identify and block the same in your own environment, before Microsoft does it for you!

What is Microsoft doing about legacy authentication?

Microsoft takes the threat of legacy authentication very seriously and has been raising awareness of the risk it poses for many years. At a proactive level, legacy authentication has been blocked by default as part of Azure Active Directory security defaults for all new tenants since October 2019. This is not enough however and many organisations with tenants older than this are still actively using legacy authentication protocols. As a response to this, Microsoft published a blog post in September 2021 which announced that, effective October 1, 2022, they will permanently disable basic authentication in all tenants, regardless of usage, with the exception of SMTP auth. At this time, all clients and applications that use basic authentication (except for SMTP auth.) will be affected, and they will be unable to connect. Any client or application using modern authentication will not be affected.

It is important to note that Exchange ActiveSync is also a legacy authentication method. I mention this because during my many customer engagements I still see frequent use of ActiveSync – predominately from mobile devices using older operating systems with the native mail client for iOS and Android. From October 2022, such devices will not be able to connect to their mail servers and retrieve or send messages. How many of your staff and services could be affected by this? The next section will help you answer these questions.

What can I do to identify and block legacy authentication?

There are several ways that legacy authentication can be blocked in Office 365. If you’ve enabled security defaults (either manually or your tenant was created since October 2019) then it will already be blocked for you at tenant level. It can also be blocked directly in Exchange Online. If your Microsoft licensing entitles you to Azure AD Premium P1 however, the best method to block legacy authentication is by using conditional access (CA). Unlike security defaults, CA policies allow you to configure exceptions. This could be useful where you are working towards modern authentication for specific services, and you need some extra time before blocking legacy auth access for them. Bear in mind however that from October 2022, this will only be possible for services authenticating via SMTP – as all other legacy auth protocols will be blocked by default for Exchange Online (without exception).

Use of legacy authentication can easily be identified in Azure Active Directory by viewing the sign-in logs. Add a new filter for Client app, then select the filter and tick all the options for Legacy Authentication Clients. This will show all your legacy authentication use – including the user authenticating, the device they are using, and the authentication protocol being used. Check for successful authentication using protocols such as POP3 and IMAP from locations that are atypical (or impossible) for the associated user. This is strong evidence that the account has been compromised and the user mailbox is being synchronised to an unauthorised device. It is recommended the user immediately resets their password in such cases. This will stop further successful synchronisations, although there is little you can do about the data that has already been leaked.

In addition to the Azure AD sign-in logs, Microsoft also provides additional tools to help identify legacy authentication use in your tenant. Given the high use of ActiveSync still seen in customer environments, I recommend you focus on this initially, as blocking it could impact many users and for mobile devices it is relatively straightforward to switch from ActiveSync to modern authentication. Apple has supported modern authentication in its native mail app since iOS 11 and should have switched users automatically to modern authentication since iOS 14. I have however seen instances where users have had to sign out of their corporate mail account and back in again before the switch to modern auth occurred. The situation isn’t quite so clear-cut for Android OS – given the wide variation in devices, operating systems, and native mail apps. For Android in particular (but also iOS), I highly recommend use of the official Microsoft Outlook mobile application. Not only does this fully support modern authentication, app protection policies can be used to encrypt, protect, and securely wipe corporate data stored within the Outlook application. This does not affect personal data stored on the device and does not require full enrolment of the device to your mobile device management (MDM) solution.