
This had been on my to-do list for a little while since I heard about it (mostly from Daniel Streefkerk, who quite rightly has been drawing attention to this via Twitter, thanks!) – and it should be on yours too.

By default, Basic Authentication is allowed as an authentication method in Exchange Online. This is because that’s the ‘standard’ way things have worked for a very long time – you want to get your emails, you provide a username and password and you’re done. In our modern world, that doesn’t work too well anymore. It’s too risky in many ways, and things like 2FA and Conditional Access add an extra layer of security when logging in. That’s great, but many systems weren’t built or haven’t been updated to support this – they’ll just fail when logging in. What this leaves us with is an internet-exposed authentication system that accepts username and password logins without any other layers of authentication, even if you have 2FA and Conditional Access turned on.

As Microsoft’s documentation on disabling basic authentication covers, this lets attackers use brute force or password spray attacks to try different credentials to get into your tenant. With the amount of leaks we see these days (register on Troy Hunt’s if you haven’t already), it’s likely attackers are hitting Microsoft servers with correct accounts of your staff members. If they manage to get the right password – which is very possible if people end up using an old password they used years ago, or password changes were disabled because you thought you were covered with 2FA – they now have valid credentials to get in and pretend to be that staff member, often to then send emails to all their contacts with a malicious link or some other scam.

If you want to see what’s going on for your tenant, go to the Azure portal and into Azure Active Directory > Monitoring – Sign-ins. Set the Status to ‘Failure’ and apply, and see what’s there. Here’s an example, where you can see the client app is ‘Other clients, IMAP’. This account is disabled, and if you look in the device info there’s no data. Once you have a look here, you might start to get worried – so it’s time to see if you can disable basic auth!
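The same sign-in log check done from Microsoft Graph PowerShell instead of clicking through the portal, as an added example that is not from the original post. It assumes the Microsoft.Graph.Reports module is installed, the account running it has the AuditLog.Read.All permission, and the tenant has the Azure AD Premium licence the sign-in log API requires; the client-app match pattern is an assumption you should adjust to the values your tenant actually shows.

```powershell
# Added example: list failed sign-ins from legacy-auth clients (the
# "Other clients, IMAP" entries the post describes) for the last 7 days.
# Requires Microsoft.Graph.Reports, AuditLog.Read.All and an AAD Premium tenant.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Graph accepts an unquoted ISO 8601 timestamp in the createdDateTime filter.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# Status.ErrorCode 0 is a successful sign-in; anything else is a failure
# (this is the same thing as setting Status = Failure in the portal).
$failed = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }

# Keep only the legacy protocols that bypass 2FA / Conditional Access.
# The match pattern is an assumption; compare it with the Client app column
# in your own portal view and adjust.
$legacy = $failed | Where-Object {
    $_.ClientAppUsed -match 'Other clients|IMAP|POP|SMTP|Exchange ActiveSync'
}

# Which protocols are being hit, and how often?
$legacy | Group-Object ClientAppUsed | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Which accounts are being targeted? Disabled accounts showing up here are
# exactly the pattern the post points at.
$legacy | Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# Detail view matching the portal: time, user, source IP, client app,
# failure reason, and the device info (usually empty for these clients).
$legacy | Select-Object CreatedDateTime, UserPrincipalName, IpAddress, ClientAppUsed,
    @{ n = 'ErrorCode';     e = { $_.Status.ErrorCode } },
    @{ n = 'FailureReason'; e = { $_.Status.FailureReason } },
    @{ n = 'DeviceOS';      e = { $_.DeviceDetail.OperatingSystem } } |
    Format-Table -AutoSize
```

Run it once before and once after you start blocking basic auth: the per-protocol counts should drop to zero for the protocols you have disabled, and anything that remains is a system you still need to migrate.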
