Microsoft is warning users of password attacks.

Published October 6, 2022
Author: Ash Khan

IMAP and SMTP protocols are abused for password spraying attacks.

Microsoft Exchange users are being targeted by password spraying attacks using basic authentication. Microsoft warned its users when Basic Auth was turned off in October 2022. This will prevent users from adding passwords in apps where there is no two-step verification.

CISA and Cybersecurity informed people about the upcoming move in June. Basic Auth doesn’t support MFA (multifactor authentication). The Basic Auth plan was scheduled for the second half of 2021, but due to the pandemic it was delayed to October 2022.

According to Greg of the Microsoft Exchange Team, we turned off basic auth to protect users’ data and provide security to users, as frequent password spray attacks were seen.

The attacker uses a range of weak passwords to get access to the accounts. The attacker keeps on changing accounts and IP addresses to conceal the attacks.
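A detection sketch for the pattern described above, added here as an example and not taken from Microsoft's guidance: it groups failed basic-auth sign-ins by protocol and time window instead of by source IP, because rotating IPs keeps every per-IP count low. The log format, field order, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LEGACY = {"POP", "IMAP", "SMTP"}  # basic-auth protocols named in this article

# Constructed sample records (not real logs): time, protocol, account, source IP, result
SAMPLE_LOG = """\
2022-10-06T09:00:05 IMAP u1@example.com 203.0.113.10 FAIL
2022-10-06T09:01:10 IMAP u2@example.com 203.0.113.11 FAIL
2022-10-06T09:02:15 IMAP u3@example.com 198.51.100.7 FAIL
2022-10-06T09:03:20 IMAP u4@example.com 198.51.100.8 FAIL
2022-10-06T09:04:25 IMAP u5@example.com 203.0.113.10 FAIL
2022-10-06T09:05:30 IMAP u6@example.com 198.51.100.9 FAIL
2022-10-06T09:06:00 SMTP bob@example.com 192.0.2.50 FAIL
2022-10-06T09:06:10 SMTP bob@example.com 192.0.2.50 FAIL
2022-10-06T09:06:20 SMTP bob@example.com 192.0.2.50 FAIL
2022-10-06T09:06:30 SMTP bob@example.com 192.0.2.50 FAIL
2022-10-06T09:07:00 IMAP u1@example.com 192.0.2.60 OK
2022-10-06T09:30:00 IMAP u2@example.com 203.0.113.11 FAIL
"""

def detect_spray(log, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return one alert per (protocol, window) where many accounts each fail a few times."""
    buckets = defaultdict(list)  # (protocol, window start) -> [(account, ip), ...]
    for line in log.strip().splitlines():
        ts, proto, account, ip, result = line.split()
        if proto in LEGACY and result == "FAIL":
            t = datetime.fromisoformat(ts)
            # Align the timestamp down to the start of its fixed-size window
            buckets[(proto, t - (t - datetime.min) % window)].append((account, ip))
    alerts = []
    for (proto, start), fails in sorted(buckets.items()):
        per_account = Counter(a for a, _ in fails)
        per_ip = Counter(ip for _, ip in fails)
        # Spray shape: breadth across accounts, few tries each, so lockout never trips
        sprayed = sorted(a for a, n in per_account.items() if n <= max_per_account)
        if len(sprayed) >= min_accounts:
            alerts.append({"protocol": proto, "window_start": start.isoformat(),
                           "accounts": sprayed, "source_ips": len(per_ip),
                           "max_failures_from_one_ip": max(per_ip.values())})
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

On the sample data, the repeated failures against a single account over SMTP are not reported as a spray, while the six IMAP accounts are, even though no single source IP fails more than twice.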

According to Taylor, computers are good at numbers and this attack is all about numbers. The protocols attacked by the attackers are POP, IMAP, and SMTP. Microsoft Exchange has already closed the protocols for many tenants. The protocols are working for users who have enabled them in their tenants, but Microsoft offers users a guide to disable protocols when not required. Taylor has suggested that people should use Microsoft Exchange authentication policies to protect their data. He suggested users should start with SMTP and IMAP, as Microsoft is disabling many other protocols like RPC, MAPI, and Remote PowerShell.

The Microsoft team has provided a proper guide for users to protect their data from password spraying attacks. It is also noted that Outlook uses multi-factor authentication (MFA). According to the Microsoft Exchange team, SMTP is the most abused protocol and users should use policies on it to protect their data.