HomeWinBuzzer NewsMicrosoft: Exchange Online Users are At Risk of Password Spraying

Microsoft: Exchange Online Users are At Risk of Password Spraying

Microsoft says Exchange Online users who still use Basic Auth are at risk from more frequent password spraying attacks.


It has been a bad week for . Following the confirmation of two new zero-day vulnerabilities, is now telling users that customers are at risk from password spray attacks when using basic (Basic Auth).

Microsoft is issuing caution following the ending support of Basic Auth on Exchange. That started happening on October 1, 2022. As for its replacement, Microsoft is recommending customers start using the more secure Modern Authentication (OAuth 2.0).

Microsoft will roll the depreciation into 2023. That means customers not ready can currently re-enable Basic Auth via the self-diagnostic tool. This approach will work until December before Microsoft closes support permanently in early January.

The company is now expanding on why it is removing Basic Auth from Exchange Online.

“The only reason we're turning off basic auth in Exchange Online is to protect your users and data. The evidence I see every day clearly indicates that password spray attacks are becoming more frequent,” says Greg Taylor of Microsoft's Exchange Team

Password spraying is when an attacker attempts to breach many user accounts by blasting them with a list of common and/or weak passwords. Essentially, it is guessing but can work because of the number of attempts and if users have easy to crack password.

“It's a numbers game essentially, and computers are quite good at numbers. And as attacks go, it works,” adds Taylor.

Recent Exchange Issues

Microsoft recently confirmed there are two new zero-day vulnerabilities in .

The company is tracking the flaws as CVE-2022-41040 and CVE-2022-41082, respectively. Microsoft describes the first as a Server-Side Request Forgery (SSRF) bug, while the second could allow threat actors to conduct a remote code execution (RCE) attack through PowerShell. However, an attack would require the malicious actor to have authenticated access to Microsoft Exchange Server.

Yesterday it emerged scammers are attempting to sell fake proof-of-concept exploits for the vulnerabilities on GitHub.

Tip of the day: Did you know you can use Windowss built in antivirus Microsoft Defender also with scheduled scans? In our tutorial we give you step-by-step instructions on how to program your personal scan-schedule to keep your free of malware.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News