Microsoft is Changing How it Authenticates Email: Explaining CISA’s Announcement


Back at RSA 2020, in the days before the pandemic drove most companies to adopt remote work, Microsoft explained that about half of 1% of the enterprise accounts in their system were compromised per month. The reason? 99.9% didn’t use multi-factor authentication (MFA).

Two years later, security professionals still promote MFA as fundamental to cyberattack risk mitigation. The Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, said that MFA can prevent 80-90% of cyberattacks. Neuberger stressed the importance of implementing MFA for key personnel and IT staff. With so many MFA technologies available, it would seem like something all organizations could implement quickly.

However, research found that 65% of IT and security professionals believe that their company’s authentication is not secure. Further, if the recent CISA Guidance on Switching to Modern Auth in Exchange Online Before October 1 (CISA Guidance) is any indication, the outlook isn’t good.

The catch is that the CISA Guidance isn’t about getting people to use MFA. Moving to Modern Auth doesn’t mean just getting end-users on board. It means changing configurations for your systems and applications too. For example, you need to reconfigure your Exchange server so that all email clients and apps use Modern Auth, too.

In this article, we’ll explain what the CISA guidance says, how Modern Auth helps you meet Executive Order 14028 MFA requirements, and how to overcome challenges when moving away from legacy protocols.

What’s in the CISA Guidance?

The CISA Guidance is short, just two paragraphs with many links. It reminds companies that Microsoft will begin permanently disabling Basic Auth on October 1, 2022. Then, CISA reminds Federal Civilian Executive Branch (FCEB) agencies that Basic Auth doesn’t support MFA.

CISA requires FCEB agencies and recommends that all organizations prioritize moving to Modern Auth.

“Legacy” or Basic Authentication

Legacy, or Basic, authentication means that an application only sends a username and password with its requests. Often, the device stores or saves the credentials. Traditionally, most servers or services enable Basic Auth by default.

With Basic Auth, the email application sends the username and password to Exchange Online. In turn, Exchange Online forwards the credentials to the identity provider on behalf of the app.

Examples of protocols and clients that use Basic Auth are:

      • MAPI
      • RPC
      • Offline Address Book (OAB)
      • Exchange Web Services (EWS)
      • POP
      • IMAP
      • Exchange ActiveSync (EAS)
      • Remote PowerShell
      • Outlook for Windows and Mac

    As explained in Microsoft’s update, they will randomly select tenants, send a 7-day warning notice, then turn off Basic Auth in the Exchange Online tenant. As soon as Microsoft disables Basic Auth in your tenant, clients still using it won’t be able to connect.

    They also made it crystal clear: no exceptions and no asking to be at the end of the line.

    Problems with Basic Auth

    During his 2020 RSA talk, Alex Weinert, Microsoft’s Director of Identity Security, pointed out that legacy authentication protocols led to 99% of successful password spray and replay attacks. Since then, attacks targeting credentials have only increased. In late 2021, Microsoft Threat Intelligence Center (MTIC) released research showing that threat actor DEV-0343 targeted the defense sector with password spraying attacks.

    With password spraying attacks, threat actors take a collection of usernames and try commonly used passwords, hoping to gain access. Meanwhile, in replay attacks, threat actors take credentials stolen during a data breach and try that list against another system. If someone reuses a personal password for their job, the attackers might get a “hit.”

    When you use Basic Auth for applications and devices, you expand your risk. Someone, somewhere is setting the password for these, possibly one that attackers already know. If your authentication server still uses Basic Auth, then you don’t have the additional verification at the machine level that you would with people using MFA.
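The password spraying pattern described above (many usernames, few password guesses each) leaves a recognizable shape in failed sign-in events. The following detection sketch is an added example, not part of the original article; the flattened event keys, thresholds, and sample events are constructed assumptions, and 50126 is the Azure AD error code for an invalid username or password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126  # Azure AD: invalid username or password


def detect_spray(events, window=timedelta(minutes=30), min_users=4, max_per_user=2):
    """Return {ip: sorted users} for sources that fail against many accounts
    inside one window while trying each account only a few times."""
    by_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] == BAD_PASSWORD:
            by_ip[e["ipAddress"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = defaultdict(set)
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            # Many accounts, few tries each: spray, not one user mistyping.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip].update(per_user)
    return {ip: sorted(users) for ip, users in flagged.items()}


def _ev(minute, ip, user, code):
    # Helper that builds one constructed event (hypothetical flattened schema).
    return {"time": f"2022-08-01T09:{minute:02d}:00+00:00",
            "ipAddress": ip, "user": user, "errorCode": code}


# Constructed sample: one source touching five accounts once each, and one
# user who mistypes a password three times before signing in successfully.
SAMPLE = (
    [_ev(m, "203.0.113.7", f"user{m}@example.test", BAD_PASSWORD) for m in range(1, 6)]
    + [_ev(m, "198.51.100.20", "erin@example.test", BAD_PASSWORD) for m in (10, 11, 12)]
    + [_ev(15, "198.51.100.20", "erin@example.test", 0)]
)

if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE).items():
        print(f"possible spray from {ip}: {len(users)} accounts")
```
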

    Modern Authentication

    What makes Modern Auth different? Microsoft uses this broader term to describe a combination of authentication and authorization methods between a client, like a laptop, and a server.

    It gives you a way to incorporate the security measures that rely on access policies, including:

        • Authentication: MFA, smartcard authentication, client certificate-based authentication
        • Authorization: Open Authorization (OAuth)
        • Conditional access policies: Mobile Application Management (MAM), Azure Active Directory (AAD) Conditional Access

      With modern authentication, you can create the identity and access building blocks of a zero trust architecture (ZTA). Further, you can put in place MFA so that you meet the Executive Order’s requirements.

      What You Need to Do Right Now

      In the middle of summer, October seems like a long way off. The reality is that you’ve got two months to prepare and make the necessary changes so that Microsoft’s deprecation doesn’t impact your operations.

      Locate Basic Auth Protocols

      Most organizations haven’t moved to Modern Auth because planning and making the change is time-consuming. However, start reviewing applications and services now for Basic Auth use.

      If you’re using AAD, you can review sign-in logs to identify applications and users authenticating with Basic Auth.
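One way to turn that sign-in log review into a migration worklist, shown as an added example rather than code from the original article. It assumes a JSON-lines export using the Microsoft Graph sign-in property names (`userPrincipalName`, `clientAppUsed`, `status.errorCode`, `createdDateTime`); the legacy client-app list should be adjusted to the values your tenant reports, and the sample records are constructed.

```python
import json
from collections import defaultdict

# clientAppUsed values treated as legacy authentication (compared case-insensitively).
LEGACY_CLIENT_APPS = {s.lower() for s in (
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Exchange Online PowerShell", "Other clients",
)}

# Constructed sample export, one sign-in record per line.
SAMPLE_EXPORT = """\
{"createdDateTime": "2022-08-01T08:02:11Z", "userPrincipalName": "svc-scanner@example.test", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2022-08-01T08:05:40Z", "userPrincipalName": "alice@example.test", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"createdDateTime": "2022-08-02T08:02:09Z", "userPrincipalName": "svc-scanner@example.test", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2022-08-02T09:14:00Z", "userPrincipalName": "bob@example.test", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"createdDateTime": "2022-08-02T10:30:12Z", "userPrincipalName": "carol@example.test", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
"""


def legacy_auth_inventory(json_lines):
    """Count legacy-auth sign-ins per (user, client app) pair."""
    inventory = defaultdict(lambda: {"attempts": 0, "successes": 0, "last_seen": ""})
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        client = (rec.get("clientAppUsed") or "").strip()
        if client.lower() not in LEGACY_CLIENT_APPS:
            continue  # modern-auth client, nothing to migrate
        entry = inventory[(rec.get("userPrincipalName", "unknown"), client)]
        entry["attempts"] += 1
        if (rec.get("status") or {}).get("errorCode") == 0:
            entry["successes"] += 1
        # Timestamps share one ISO 8601 format, so string comparison orders them.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime", ""))
    return dict(inventory)


def migration_worklist(inventory):
    """Pairs with a successful legacy sign-in: clients that stop connecting at cutoff."""
    return sorted(pair for pair, stats in inventory.items() if stats["successes"] > 0)


if __name__ == "__main__":
    inv = legacy_auth_inventory(SAMPLE_EXPORT)
    for user, client in migration_worklist(inv):
        print(f"{user:28} {client:22} last seen {inv[(user, client)]['last_seen']}")
```

Pairs that show only failed legacy sign-ins are left off the worklist, but they are still worth reviewing as possible credential-guessing traffic.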

      Create a Plan

      If moving to Modern Auth were as easy as a click of the mouse, most companies would have done it already.

      To keep all your services up, you should:

          • Double check and enable modern authentication on your Exchange Server
          • Double check and enable modern authentication on your email clients and apps
          • Connect all Exchange-related PowerShell environments

      Create and Apply Authentication Policies

      Now that you’ve reviewed and updated everything, you can create new policies that block Basic Auth. Then, you assign the policy to users.

      If you’re using Conditional Access policies, you want to make sure that you run them in report-only mode before pushing them live. This way, you can double-check to ensure you caught all legacy authentication usage before blocking access.

      Confirm Changes

      After your changes are live, you want to confirm that they worked as intended. When the authentication policy blocks Basic Auth requests in Exchange Online, you’ll see a “401 Unauthorized” response.

      Prepare for Microsoft’s Changes with Securicon

      Agencies face several challenges when adopting MFA. The old saying, “an ounce of prevention is worth a pound of cure” is never more applicable than now. Since no one knows how Microsoft is going to randomly roll out its Basic Auth deprecation, you want to have a plan in place that won’t lead to a service outage. Plus, it gets you one step closer to meeting the MFA requirements outlined in the Executive Order.

      Securicon goes beyond providing information technology solutions. We help define, deliver, implement, and manage information security programs for U.S. Cyber Command and the Department of Homeland Security. Our experienced, knowledgeable staff uses sound, proven methodologies, and comprehensive strategies so that you can get the business and functional outcomes your organization needs. Contact us to learn more!