Microsoft Warns Exchange Online Basic Auth will be Disabled

Microsoft warned customers today that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.

This reminder comes after the company’s September announcement and after seeing that there are still lots of customers who haven’t yet moved their clients and apps to Modern Authentication.

Basic Authentication (aka proxy authentication) is an HTTP-based auth scheme apps use to send locally stored credentials in plain text to servers, endpoints, or online services.

This allows attackers to capture credentials via man-in-the-middle attacks over TLS or guess them in password spray attacks. They can also steal the clear-text credentials from apps that use basic auth through various tactics, including info-stealing malware and social engineering.

Modern Authentication (Active Directory Authentication Library and OAuth 2.0 token-based authentication) uses OAuth access tokens with a limited lifetime that can’t be re-used to authenticate on other resources besides those they were issued for.

To make things even worse, enabling multi-factor authentication (MFA) is quite complicated when using basic auth, and it often isn’t used at all.

After toggling on modern auth, enabling and enforcing MFA become a lot less complicated, allowing for better security in Exchange Online as a direct and immediate result.
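The contrast between basic auth credentials and OAuth access tokens described above, seen from the side of someone auditing captured `Authorization` headers (an added example, not part of the original article or any Microsoft code). The account, password, audience URLs and clock value are constructed, and the bearer token is assumed to be a JWT carrying `aud` and `exp` claims.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sample_bearer(aud: str, exp: int) -> str:
    """Constructed JWT-shaped token for the demo; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"aud": aud, "exp": exp}).encode())
    return f"Bearer {header}.{claims}.c2ln"

def audit_authorization(header: str, resource: str, now: int) -> dict:
    """Report what a captured Authorization header gives whoever holds it."""
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # RFC 7617: the value is base64("user:password"), an encoding, not encryption.
        user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
        return {"scheme": "basic", "user": user,
                "password_exposed": password != "",
                "expires": False, "resource_bound": False}
    if scheme == "bearer":
        # Claims are read for inspection only; a resource server must verify
        # the token signature before trusting them.
        try:
            claims = json.loads(_b64url_decode(value.split(".")[1]))
        except (IndexError, ValueError):
            return {"scheme": "bearer", "parsed": False}
        return {"scheme": "bearer", "parsed": True,
                "password_exposed": False,
                "valid_for_resource": claims.get("aud") == resource,
                "expired": claims.get("exp", 0) <= now}
    return {"scheme": scheme or "none"}

NOW = 1_664_582_400                      # constructed clock: 2022-10-01T00:00:00Z
EXO = "https://outlook.office365.com"    # assumed audience for the example
OTHER = "https://graph.microsoft.com"    # a different resource, also assumed
BASIC = "Basic " + base64.b64encode(b"alice@example.com:Winter2022!").decode()

if __name__ == "__main__":
    print(audit_authorization(BASIC, EXO, NOW))
    print(audit_authorization(sample_bearer(EXO, NOW + 3600), EXO, NOW))
    print(audit_authorization(sample_bearer(EXO, NOW + 3600), OTHER, NOW))
    print(audit_authorization(sample_bearer(EXO, NOW - 60), EXO, NOW))
```

The basic header yields the reusable password itself, while the same bearer token is rejected once its `aud` does not match the resource or its `exp` has passed.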

“As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing,” the Exchange team said.

“We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.”

Microsoft will disable Basic Auth for the MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols.

SMTP AUTH has already been disabled on millions of tenants that weren’t using it and Microsoft will not disable it where it’s still in use.

“To be clear, we will start on October 1; this is not the date we turn it off for everyone. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1.” – The Exchange Team

Why is Microsoft deprecating basic auth?

There are many reasons why Redmond’s switch to Exchange Online modern authentication in all tenants is the right one, some of them already detailed above.

However, a Guardicore report from September 2021 further highlights the importance of pushing as many Exchange Online users as possible away from basic auth.

Amit Serper, at the time Guardicore’s AVP of Security Research, showed how hundreds of thousands of Windows domain credentials were leaked in plain text to external domains by misconfigured email clients using basic auth.

To disable Exchange Online Basic Auth before Microsoft fully decommissions it, you have to create and assign auth policies to individual users using the procedure detailed on the Exchange Online support website.

“There is no way to request an exception after October. Tenant selection is random, and we cannot put your tenant to the back of the queue to give you more time or change your settings on any specific date,” the Exchange team warned.

“If you want Basic Auth to be disabled at a time of your choosing (either now, or as soon as you are ready), use Authentication Policies.”

You can find more info on how to prepare for October’s Basic Auth deprecation and the best way to disable Basic Auth beforehand in the blog post published by The Exchange Team today.

Update May 0, 14:48 EDT: Corrected paragraph detailing basic auth risks.
