Do you manage your authentication in Office 365 correctly? Otherwise, cybercriminals will benefit from this, which can mean everything from disruption of operations to loss of confidential information.
Azure Active Directory is the ‘Identity Service’ that provides access to Office 365. So this is where authentication is done to access the various Office 365 services and other integrated Microsoft cloud services.
However, there are two types of authentication in Office 365: ‘Basic Authentication’ (also known as ‘Legacy Authentication’) and ‘Modern Authentication’.
‘Legacy Authentication’ is performed against the individual service, such as ‘Exchange Online’, whereas ‘Modern Authentication’ is performed against the ‘Identity Service’, Azure AD (ADAL and OAuth2).
When an application uses ‘Legacy Authentication’ (for example Outlook 2010), it connects to Exchange Online and the Outlook client sends the user credentials to Exchange Online. Exchange Online then performs a proxy authentication against the ‘Identity Service’.
If authentication succeeds, the response is returned to Exchange Online, which then grants access to the Outlook client.
This is not good. It is too risky in many ways. ‘Multi-factor Authentication’ (MFA) and ‘Conditional Access’ (CA) are measures that add an extra layer of security when users log on. However, CA will not be ‘activated’ in the proxy authentication that is done directly against the service.
So that leaves us with an authentication method which simply accepts a ‘Username’ and ‘Password’ login, without additional layers of authentication.
‘Legacy Authentication’ allows cybercriminals to run ‘Brute force’ or ‘Password-Spray’ attacks to get access to your Office 365 accounts.
Some email clients support ‘Modern Authentication’, so the first step is to find out which clients your organization uses, and then get approval for using ‘only’ one of these clients:
- Outlook 2013 or later (Outlook 2013 requires a registry key change for supporting ‘Modern Authentication’)
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later
If you’re curious to see what’s going on in your environment regarding ‘Legacy Authentication’, you can navigate to your Azure AD portal -> Monitoring -> Sign-ins, use the ‘Filter’ option and set the Status to ‘Failure’ (NB! You need an Azure AD P1 license).
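The same triage can be done offline on an export of the sign-in log, which also lets you split the failures by protocol and see which users still succeed over legacy protocols (those users break once you block it). This is an added example, not code from the original post; it assumes a JSON export in which `clientAppUsed` names the protocol and `status.errorCode` is 0 on success, and the legacy protocol list is this example’s own mapping.

```python
"""Triage of exported Azure AD sign-in records for legacy authentication.
Added example, not from the original post; assumes a JSON export in which
'clientAppUsed' names the protocol and 'status.errorCode' is 0 on success."""
import json
from collections import Counter

# Protocols that authenticate against Exchange Online directly (basic auth),
# so Conditional Access never sees them. Assumed mapping for this example.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Autodiscover",
    "Offline Address Book", "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed sample records; not data from a real tenant.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
])


def is_legacy(record):
    """True when the record's protocol took the proxy-auth path around Azure AD."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def summarize(signins_json):
    """Count legacy sign-ins per user and failed legacy sign-ins per protocol.
    Successes show who still depends on an old client (they break once legacy
    auth is blocked); failures by protocol are where password spray surfaces."""
    legacy_by_user, failed_by_protocol, modern = Counter(), Counter(), 0
    for rec in json.loads(signins_json):
        if not is_legacy(rec):
            modern += 1
            continue
        legacy_by_user[rec["userPrincipalName"]] += 1
        if rec["status"]["errorCode"] != 0:
            failed_by_protocol[rec["clientAppUsed"]] += 1
    return {"legacy_by_user": legacy_by_user,
            "failed_legacy_by_protocol": failed_by_protocol,
            "modern_sign_ins": modern}
```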
Block ‘Legacy Authentication’ in your Office 365.
(NB! If Office 2010 is what is installed in your organization, an upgrade is necessary.)