The SMTP Authentication protocol (in Exchange Online) is the most attacked (legacy) protocol now a days. This happened since Microsoft is currently disabling all other legacy authentication protocols in Exchange Online, except for SMTP Authentication. Legacy Authentication protocols are unsecure protocols which do not support Multi Factor Authentication (MFA)!

Attackers love these unsecure protocols and can access these with only username and password combinations. These credentials are often to weak or leaked during a hack around the internet. The leaked credentials are mostly sold on dark-net websites and used by people with (mostly) bad intensions.

Microsoft: Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication. For more information, see the article Deprecation of Basic authentication in Exchange Online

If your still allowing Legacy Authentication in your tenant, you should disable it as soon as possible. If you don’t Microsoft will do it for you. Read this article on how to disable Legacy Authentication.

Except for SMTP Authentication

In this blog I’m talking about specifically the SMTP protocol. This protocol is not disabled by Microsoft or by the Conditional Access Policy (template). The reason behind, is that many applications or printers are still using SMTP Authentication. Blocking SMTP Authentication can interrupt your business processes. Therefor, Microsoft decided to not disable SMTP Authentication for tenants who are actively using it. If Microsoft found out you’re not using SMTP Authentication, they will disable it.

Note: Important to know, is that if only 1 out of 10.000 users (for example) is using SMTP Authentiction the will NOT disable it for the entire tenant. This means that 9999 identities are left unprotected (at risk) for no reason!

Are we under attack?

Figuring out if SMTP Authentication is under attack, is quite simple. This can be done via Azure AD Sign-in logs.

Navigate to the Azure Portal -> Azure Active Directory -> Sign-in logs or click here.

  • Navigate to the Azure Portal -> Azure Active Directory -> Sign-in logs or click here.
  • Pick a filter for Date -> 1 month (for example)
  • Select new filter -> Client app -> Select SMTP -> Apply

If you see many failed authentications coming from unexpected countries or locations within a short period (seconds) you are probably under attack. I’ve seen this happening more and more in tenants where legacy authentication is blocked.

Are we using SMTP Authentication?

Find out using Azure AD Sign-in logs! Filter for succeeded logons using the SMTP protocol.

  • Navigate to the Azure Portal -> Azure Active Directory -> Sign-in logs or click here.
  • Pick a filter for Date -> 1 month (for example)
  • Select new filter -> Client app -> Select SMTP -> Select Status filter -> Select Success -> Apply

If you see any succeeded logons to Office 365 Exchange Online you are still using SMTP Authentication. Write down all the users who are using SMTP Authentication. These are the only ones who need SMTP Authentication to be enabled. All other users, not using SMTP Authentication should have SMTP Authentication set to disabled.

Disable SMTP Authentication (safely)

Find all mailboxes which have SMTP Authentication enabled. Best result would be nothing 🙂

#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>

#Query mailboxes with SMTP Auth enabled
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $false}

Find all mailboxes which have SMTP Authentication disabled. When there’s no result you have probably disabled SMTP Authentication tenant wide which is good!

#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>

#Query mailboxes with SMTP Auth disabled.
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $true}

Find all mailboxes which are managed by the tenant wide setting. All mailboxes shown with an empty result in the SmtpClientAuthenticationDisabled block are controlled by the tenant wide configuration.

#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>

#Query mailboxes managed by tenants wide SMTP config
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $null}

To disable SMTP Authentication for your entire tenant/organization you can run the following cmdlet.

Reminder: The users which where still using SMTP Authentication will be enabled again after we have disabled SMTP Authentiction for the entire tenant/organization.

#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>

#Disable SMTP Authentication for ALL mailboxes (tenant wide)
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

Once completed, verify that SMTP Authentication is disabled for the entire tenant!

#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>

#Query SMTP Authentication state
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

If the result shows the same as my output below, you have successfully disabled SMTP Authentication for the entire tenant/organization.

Enable SMTP Authentication for specific users

As we (could) have seen before in the Azure AD Sign-in logs, some users could still be using SMTP Authentication for a good reason. Investing time in migrating these applications or devices would be the recommended next step. Unfortunately this takes time and therefor we have to enable SMTP Authentication for these specific users again.

Pick the cmdlet below and modify the user@identity.com to the user who still needs SMTP Authentication. Run the cmdlet and you’re done.

#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>

#Enable SMTP Auth for specific mailbox
Set-CASMailbox -Identity user@identity.com -SmtpClientAuthenticationDisabled $false

We have now disabled SMTP Authentication on all mailboxes via the tenant/organization wide configuration, except for the users who still need SMTP Authentication.

Last but not least a reminder to investigate if the devices or applications which are using SMTP Authentication can be migrated to modern authentication.

Rerefences

Block legacy authentication – Azure Active Directory – Microsoft Entra | Microsoft Learn

Enable or disable SMTP AUTH in Exchange Online | Microsoft Learn

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy

How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 | Microsoft Learn

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

7 + twelve =