It has been a bad week for Microsoft Exchange. Following the confirmation of two new zero-day vulnerabilities, Microsoft is now telling Exchange Online users that customers are at risk from password spray attacks when using basic authentication (Basic Auth).
Microsoft's caution follows the start of its phase-out of Basic Auth in Exchange Online on October 1, 2022. As the replacement, Microsoft recommends that customers move to the more secure Modern Authentication (OAuth 2.0).
Microsoft will roll the deprecation into 2023. That means customers who are not ready can currently re-enable Basic Auth via the self-diagnostic tool. This will work until December, before Microsoft closes support permanently in early January.
The company is now expanding on why it is removing Basic Auth from Exchange Online.
“The only reason we're turning off basic auth in Exchange Online is to protect your users and data. The evidence I see every day clearly indicates that password spray attacks are becoming more frequent,” says Greg Taylor of Microsoft's Exchange Team.
Password spraying is when an attacker attempts to breach many user accounts by trying a list of common and/or weak passwords against each of them. Essentially, it is guessing, but it can work because of the sheer number of attempts and because some users have easy-to-crack passwords.
“It's a numbers game essentially, and computers are quite good at numbers. And as attacks go, it works,” adds Taylor.
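To make that pattern concrete from the defender's side, here is an added example (not from Microsoft or this article) that flags a spray in constructed sign-in records: a single source failing against many distinct accounts within a short window, while per-account failures stay low enough to avoid lockout. The log format, addresses and account names are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Exchange Online logs):
# (timestamp, source_ip, user, result). Basic Auth failures are what a
# spray against legacy protocols would look like: one or two guesses per
# account, spread across many accounts, from the same source.
EVENTS = [
    ("2022-10-03T08:00:01", "198.51.100.7", "alice@example.com", "FAIL"),
    ("2022-10-03T08:00:04", "198.51.100.7", "bob@example.com", "FAIL"),
    ("2022-10-03T08:00:07", "198.51.100.7", "carol@example.com", "FAIL"),
    ("2022-10-03T08:00:10", "198.51.100.7", "dave@example.com", "FAIL"),
    ("2022-10-03T08:00:13", "198.51.100.7", "erin@example.com", "FAIL"),
    ("2022-10-03T08:00:16", "198.51.100.7", "frank@example.com", "SUCCESS"),
    # A legitimate user mistyping their own password a few times: not a spray.
    ("2022-10-03T08:05:00", "203.0.113.9", "grace@example.com", "FAIL"),
    ("2022-10-03T08:05:20", "203.0.113.9", "grace@example.com", "FAIL"),
    ("2022-10-03T08:05:40", "203.0.113.9", "grace@example.com", "SUCCESS"),
]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted targeted accounts} for every source that
    failed against at least `min_accounts` distinct accounts inside `window`.
    The distinct-account count is what separates a spray from one user
    fumbling a single password; a spray keeps per-account failures low on
    purpose to stay under lockout thresholds, so counting failures per
    account would miss it."""
    per_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            per_src[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, fails in per_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window
                start += 1
            accounts = {u for _, u in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = sorted(accounts)
                break
    return alerts

def accounts_hit_after_spray(events, alerts):
    """Successful sign-ins from a flagged source: the accounts to reset first."""
    return sorted(u for _, src, u, r in events if r == "SUCCESS" and src in alerts)
```

With Basic Auth disabled and Modern Authentication enforced, the password alone no longer grants access, which is why the same detection also serves as a measure of how much legacy-protocol exposure remains.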
Recent Exchange Issues
The company is tracking the flaws as CVE-2022-41040 and CVE-2022-41082, respectively. Microsoft describes the first as a Server-Side Request Forgery (SSRF) bug, while the second could allow threat actors to conduct a remote code execution (RCE) attack through PowerShell. However, an attack would require the malicious actor to have authenticated access to Microsoft Exchange Server.