"Microsoft: Watch Out for Password Spray Attacks – Especially You, Basic Auth"

Microsoft has issued a warning to Exchange Online users about an increase in password spray attacks, urging those who have yet to disable Basic Auth to set up authentication policies. Password spray attacks, a type of brute-force tactic in which an attacker "sprays" a targeted system with many usernames and a list of common passwords, are hitting enterprises using Basic Auth.

Microsoft has been transitioning popular software offerings such as Outlook Desktop and Outlook Mobile App away from Basic Auth in favor of more secure user authentication methods for the past three years. Basic Auth will be disabled for tools such as Messaging Application Programming Interface (MAPI), Offline Address Book, Exchange Web Services, and Exchange ActiveSync beginning in October. Over the last three years, millions of users have switched from Basic Auth to Modern Auth, and Microsoft has disabled Basic Auth in millions of tenants. Despite reminders, many people are still using it, and they have until January 2023 before Basic Auth is turned off for all protocols. Microsoft had planned to phase out Basic Auth before the end of the year but knew that many people were still using the legacy authentication method despite warnings.

Basic Auth entails sending credentials in plain text to systems. It also lacks support for multi-factor authentication (MFA), making it difficult for organizations that want to use both. According to the software company, Modern Auth encompasses a variety of security methods, such as MFA, smart cards, Open Authorization, mobile access management, and certificate-based authentication. This article continues to discuss Microsoft urging the use of authentication policies to combat password spray attacks leveraging Basic Auth.

The Register reports "Microsoft: Watch Out for Password Spray Attacks – Especially You, Basic Auth"

Submitted by Anonymous on