Kill M365 Password Spraying: Why You Must Disable Exchange SMTP Basic Auth

🛡️ Summary

Password spraying attacks thrive on legacy protocols like Basic Authentication. While Microsoft disabled Basic Auth for most Exchange Online endpoints in 2022, SMTP AUTH remains a critical exception—and a prime target. This post explains why, and how to audit, restrict, and shut it down.

🔍 What Are Exchange Authentication Policies?

Exchange authentication policies are configuration objects in Exchange Online that allow administrators to disable Basic Authentication per protocol for specific users or groups. These policies operate at the protocol layer, preventing Basic Auth requests from ever reaching Microsoft Entra ID.

This is different from Conditional Access, which evaluates sign-in attempts at the identity layer. Authentication policies are more effective for legacy protocol hardening because they cut off Basic Auth at the source.

🔓 Why Basic Authentication Is Dangerous

  • Sends credentials as plaintext that is merely Base64-encoded (not hashed or otherwise protected), so anyone who can observe the session can recover and replay them.
  • Doesn’t support MFA or Conditional Access.
  • Is the primary vector for password spraying attacks, especially via SMTP AUTH.

🔁 How Password Spraying Exploits SMTP AUTH

  1. SMTP AUTH accepts Basic Auth if it has not been explicitly disabled.
  2. Attackers send thousands of login attempts using common passwords across many accounts.
  3. Even if Conditional Access blocks the sign-in, the password has already been validated at the identity layer (Conditional Access is evaluated only afterwards), so the attacker learns which passwords are valid.
  4. This causes:
    • Credential discovery (valid passwords found)
    • Mass account lockouts (especially in hybrid environments)
    • Alert fatigue (thousands of failed logins flood your SIEM)

📡 Exchange Online Protocols and Basic Authentication Status

| Protocol / Endpoint | Description | Basic Auth Support |
|---|---|---|
| Exchange ActiveSync (EAS) | Mobile sync for mail, calendar, contacts | ❌ No (Microsoft disabled in 2022) |
| Autodiscover | Service discovery for Outlook and mobile clients | ❌ No (Microsoft disabled in 2022) |
| Exchange Web Services (EWS) | Used by Outlook, third-party apps, and integrations | ❌ No (Microsoft disabled in 2022) |
| IMAP4 | Legacy email retrieval | ❌ No (Microsoft disabled in 2022) |
| POP3 | Legacy email retrieval | ❌ No (Microsoft disabled in 2022) |
| SMTP AUTH | Used for client submission (e.g., printers, apps) | ✅ Yes (only if explicitly re-enabled) |
| MAPI over HTTP | Outlook desktop connectivity | ❌ No (Microsoft disabled in 2022) |
| Outlook for Windows/Mac | Full client experience | ❌ No (Microsoft disabled in 2022) |
| Offline Address Book (OAB) | Downloadable address book for Outlook | ❌ No (Microsoft disabled in 2022) |
| Remote PowerShell | Admin access via PowerShell | ❌ No (Microsoft disabled in 2022) |

✅ How to Disable SMTP AUTH Securely

🔍 Step 1: Audit SMTP AUTH Usage

Before disabling SMTP AUTH, identify accounts that legitimately use it (e.g., printers, scanners, apps):

  • Go to Microsoft Entra Admin Center → Sign-ins
  • Add the Client App column
  • Filter for “SMTP” or “Other clients” to spot Basic Auth usage
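The same audit can be run from Microsoft Graph PowerShell so the result is a sortable list rather than a portal view. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Reports module, consent to AuditLog.Read.All, and that Entra records SMTP AUTH sign-ins with the clientAppUsed value "Authenticated SMTP" (adjust the filter if your tenant shows them under "Other clients").

```powershell
# Added example: summarise SMTP AUTH (Basic Auth) sign-ins from the Entra sign-in log
# over the last 30 days, grouped by user, source IP and result, so that a printer
# succeeding from one fixed address stands out from spraying (many users, many failures).
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Assumption: "Authenticated SMTP" is the clientAppUsed value for SMTP AUTH in this tenant.
$filter = "createdDateTime ge $since and clientAppUsed eq 'Authenticated SMTP'"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$summary = $signIns |
  Group-Object UserPrincipalName, IpAddress, { $_.Status.ErrorCode } |
  ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
      User      = $first.UserPrincipalName
      SourceIP  = $first.IpAddress
      # 0 = success, 50126 = invalid username/password, 53003 = blocked by Conditional Access
      ErrorCode = $first.Status.ErrorCode
      Attempts  = $_.Count
      LastSeen  = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
    }
  } |
  Sort-Object Attempts -Descending

$summary | Format-Table -AutoSize

# Successful SMTP AUTH sign-ins from stable IPs are the candidates for the scoped
# "Allow SMTP AUTH Only" policy and the named-location Conditional Access rule.
$summary | Where-Object { $_.ErrorCode -eq 0 } |
  Export-Csv -Path .\smtp-auth-legit.csv -NoTypeInformation
```

Rows with many distinct users from the same source IP and error code 50126 are the spraying pattern described above; rows with error 53003 show passwords that were accepted before Conditional Access blocked them and should be reset.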

🛡️ Step 2: For Legitimate SMTP AUTH Users

If SMTP AUTH is required for specific accounts:

  1. Create an Exchange Authentication Policy that allows only SMTP AUTH:

# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# A new authentication policy blocks Basic Auth on every protocol by default;
# the Set- call below re-enables it for SMTP only and leaves the rest blocked.
New-AuthenticationPolicy -Name "Allow SMTP AUTH Only"
Set-AuthenticationPolicy -Identity "Allow SMTP AUTH Only" `
  -AllowBasicAuthSmtp:$true `
  -AllowBasicAuthPop:$false `
  -AllowBasicAuthImap:$false `
  -AllowBasicAuthMAPI:$false `
  -AllowBasicAuthWebServices:$false `
  -AllowBasicAuthAutodiscover:$false `
  -AllowBasicAuthActiveSync:$false `
  -AllowBasicAuthOfflineAddressBook:$false `
  -AllowBasicAuthOutlookService:$false

# Assign the policy to each account that genuinely needs SMTP AUTH (printer, scanner, app).
# Policy changes can take up to 24 hours to apply; to force it for a user, run
# Set-User -Identity user@domain.com -STSRefreshTokensValidFrom (Get-Date)
Set-User -Identity user@domain.com -AuthenticationPolicy "Allow SMTP AUTH Only"

  2. Create a Conditional Access Policy:
    • Target the SMTP AUTH user(s)
    • Permit sign-in only from a named location with specific IP ranges (e.g., printer subnet)
    • Block all other locations

🚫 Step 3: Disable SMTP AUTH Tenant-Wide

Once legitimate users are scoped and protected:

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

🔎 Step 4: Re-Audit to Verify Effectiveness

After enforcement:

  • Recheck Microsoft Entra sign-in logs for SMTP AUTH activity
  • Confirm that only scoped accounts are authenticating—and only from permitted IPs
  • Validate that all other SMTP AUTH attempts are blocked or absent
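The configuration side of this re-audit can be scripted from Exchange Online PowerShell. This is an added example, not code from the original post; it assumes the policy name from Step 2, a constructed list of the accounts you scoped there, and that Get-User reports the assigned policy by name.

```powershell
# Added example: confirm the end state after Step 3 and flag anything outside the scoped set.
Connect-ExchangeOnline -ShowBanner:$false

$policyName    = "Allow SMTP AUTH Only"
$expectedUsers = @("printer-relay@domain.com")   # constructed: the accounts scoped in Step 2

# 1. The tenant-wide switch must be on (SMTP AUTH disabled).
$tc = Get-TransportConfig
if (-not $tc.SmtpClientAuthenticationDisabled) {
  Write-Warning "SMTP AUTH is still enabled tenant-wide; run Set-TransportConfig -SmtpClientAuthenticationDisabled `$true"
}

# 2. Per-mailbox overrides: SmtpClientAuthenticationDisabled = $false re-enables SMTP AUTH
#    for that mailbox regardless of the tenant setting ($null means 'inherit tenant').
#    Where-Object is used rather than -Filter so the comparison is exact; slow on large tenants.
$overrides = @(Get-CASMailbox -ResultSize Unlimited |
  Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })

# 3. Every account holding the SMTP-only authentication policy.
$assigned = @(Get-User -ResultSize Unlimited |
  Where-Object { "$($_.AuthenticationPolicy)" -like "*$policyName*" })

# 4. Anything outside the expected set is a finding to investigate.
$unexpectedOverride = @($overrides | Where-Object { $_.PrimarySmtpAddress -notin $expectedUsers })
$unexpectedPolicy   = @($assigned  | Where-Object { $_.UserPrincipalName -notin $expectedUsers })

[pscustomobject]@{
  TenantSmtpAuthDisabled = $tc.SmtpClientAuthenticationDisabled
  MailboxOverrides       = $overrides.Count
  UnexpectedOverrides    = ($unexpectedOverride.PrimarySmtpAddress -join ", ")
  PolicyAssignments      = $assigned.Count
  UnexpectedAssignments  = ($unexpectedPolicy.UserPrincipalName -join ", ")
} | Format-List
```

Pair this with the sign-in log check above: a clean configuration plus zero successful SMTP AUTH sign-ins from outside the permitted IP ranges is the result you are looking for.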

🧠 Final Thoughts

SMTP AUTH is the last standing Basic Auth endpoint in Exchange Online—and the most abused. If you haven’t disabled it, your tenant is still vulnerable to password spraying, credential theft, and alert fatigue.

Use Exchange authentication policies and Conditional Access to scope legitimate use. Then shut down SMTP AUTH tenant-wide. Finally, audit to confirm effectiveness.

📅 Microsoft Deprecation Notice:
Basic Authentication for SMTP AUTH in Exchange Online will be permanently disabled by April 30, 2026. Deactivation begins on March 1, 2026, and Basic Auth requests will be rejected. Organizations must migrate to OAuth 2.0 or supported alternatives before this deadline.
View Microsoft’s roadmap
