SMTP Authentication (SMTP AUTH) in Exchange Online is currently the most attacked legacy protocol. The reason is that Microsoft is disabling all other legacy authentication protocols in Exchange Online, except SMTP Authentication. Legacy authentication protocols are insecure protocols that do not support Multi-Factor Authentication (MFA)!
Attackers love these insecure protocols, because they can be accessed with only a username and password combination. These credentials are often too weak, or have been leaked in an earlier breach somewhere on the internet. Leaked credentials are mostly sold on dark-net websites and used by people with (mostly) bad intentions.
Microsoft: Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication. For more information, see the article Deprecation of Basic authentication in Exchange Online
If you're still allowing legacy authentication in your tenant, you should disable it as soon as possible. If you don't, Microsoft will do it for you. Read this article on how to disable legacy authentication.
Except for SMTP Authentication
In this blog I'm talking specifically about the SMTP protocol. This protocol is not disabled by Microsoft or by the Conditional Access policy (template). The reason is that many applications and printers still use SMTP Authentication, and blocking it can interrupt your business processes. Therefore, Microsoft decided not to disable SMTP Authentication for tenants that are actively using it. If Microsoft finds that your tenant is not using SMTP Authentication, they will disable it.
Note: Important to know is that if only 1 out of 10,000 users (for example) is using SMTP Authentication, Microsoft will NOT disable it for the entire tenant. This means that 9,999 identities are left unprotected (at risk) for no reason!
Are we under attack?
Figuring out whether SMTP Authentication is under attack is quite simple: use the Azure AD sign-in logs.
- Navigate to the Azure Portal -> Azure Active Directory -> Sign-in logs or click here.
- Pick a filter for Date -> 1 month (for example)
- Select new filter -> Client app -> Select SMTP -> Apply
If you see many failed authentications coming from unexpected countries or locations within a short period (seconds apart), you are probably under attack: this pattern is a password spray or brute-force attempt against SMTP AUTH. I've seen this happening more and more in tenants where legacy authentication is blocked.
Are we using SMTP Authentication?
Find out using the Azure AD sign-in logs! Filter for succeeded sign-ins that used the SMTP client app.
- Navigate to the Azure Portal -> Azure Active Directory -> Sign-in logs or click here.
- Pick a filter for Date -> 1 month (for example)
- Select new filter -> Client app -> Select SMTP -> Select Status filter -> Select Success -> Apply
If you see any succeeded sign-ins to Office 365 Exchange Online, you are still using SMTP Authentication. Write down all the users who are using SMTP Authentication; these are the only ones who need SMTP Authentication to be enabled. All other users, who are not using SMTP Authentication, should have it disabled.
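The two sign-in log checks above (failed bursts from unexpected places, and accounts that still sign in successfully over SMTP) can be done in one pass with PowerShell instead of clicking through the portal. The following is an added example, not code from the original post. The sample sign-in records are constructed to look like Microsoft Graph sign-in objects so the logic runs offline; the commented lines show the live query through the Microsoft.Graph.Reports module (the `AuditLog.Read.All` scope and the `$filter` fields are as Graph documents them). The expected-country list and the burst threshold are assumptions you should tune to your own tenant.

```powershell
# Added example, not from the original post: triage SMTP AUTH sign-ins in one pass.
# Answers (1) "are we under attack over SMTP AUTH?" and (2) "who still uses it?".

function Get-SmtpAuthTriage {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $ExpectedCountries = @('NL'),   # where your SMTP AUTH clients legitimately sit (assumption)
        [int] $BurstThreshold = 10,                # failures against one account that count as a burst (assumption)
        [int] $BurstWindowSeconds = 60
    )
    # The portal/Graph label for this client app contains "SMTP" (e.g. "Authenticated SMTP").
    $smtp    = $SignIns | Where-Object { $_.ClientAppUsed -like '*SMTP*' }
    $failed  = $smtp    | Where-Object { $_.Status.ErrorCode -ne 0 }   # 0 = success in Graph sign-in status
    $success = $smtp    | Where-Object { $_.Status.ErrorCode -eq 0 }

    # (2) Accounts that still successfully use SMTP AUTH: the only candidates for a
    #     per-mailbox exception once the tenant-wide switch is flipped.
    $stillUsing = foreach ($g in ($success | Group-Object UserPrincipalName)) {
        [pscustomobject]@{
            User      = $g.Name
            Successes = $g.Count
            Countries = (@($g.Group | ForEach-Object { $_.Location.CountryOrRegion }) | Sort-Object -Unique) -join ','
            Apps      = (@($g.Group | ForEach-Object { $_.AppDisplayName }) | Sort-Object -Unique) -join ','
        }
    }

    # (1a) Failed attempts from countries where you have no SMTP AUTH clients.
    $foreignFailures = @($failed | Where-Object { $_.Location.CountryOrRegion -notin $ExpectedCountries })

    # (1b) Bursts: $BurstThreshold or more failures against one account inside $BurstWindowSeconds.
    #      Sort the timestamps and slide a window of $BurstThreshold entries over them.
    $bursts = foreach ($g in ($failed | Group-Object UserPrincipalName)) {
        $times = @($g.Group | Sort-Object CreatedDateTime | ForEach-Object { [datetime]$_.CreatedDateTime })
        for ($i = 0; $i + $BurstThreshold - 1 -lt $times.Count; $i++) {
            $span = ($times[$i + $BurstThreshold - 1] - $times[$i]).TotalSeconds
            if ($span -le $BurstWindowSeconds) {
                [pscustomobject]@{
                    User          = $g.Name
                    Failures      = $g.Count
                    WindowSeconds = [int]$span
                    SourceIPs     = (@($g.Group | ForEach-Object { $_.IpAddress }) | Sort-Object -Unique) -join ','
                }
                break
            }
        }
    }

    [pscustomobject]@{
        UnderAttack        = ($foreignFailures.Count -gt 0 -or @($bursts).Count -gt 0)
        Bursts             = @($bursts)
        ForeignFailures    = $foreignFailures
        StillUsingSmtpAuth = @($stillUsing)
    }
}

# Constructed sample data (not real tenant output): a printer account that legitimately
# relays mail, an attacker spraying a second account from abroad, and a browser sign-in
# that the SMTP filter must ignore.
$base = [datetime]'2023-03-01T08:00:00Z'
$SampleSignIns = @(
    [pscustomobject]@{ UserPrincipalName = 'printer@contoso.com'; ClientAppUsed = 'Authenticated SMTP'
                       AppDisplayName = 'Office 365 Exchange Online'; CreatedDateTime = $base; IpAddress = '203.0.113.10'
                       Status = [pscustomobject]@{ ErrorCode = 0 }; Location = [pscustomobject]@{ CountryOrRegion = 'NL' } }
)
$SampleSignIns += 1..12 | ForEach-Object {
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; ClientAppUsed = 'Authenticated SMTP'
                       AppDisplayName = 'Office 365 Exchange Online'; CreatedDateTime = $base.AddSeconds($_ * 3); IpAddress = '198.51.100.7'
                       Status = [pscustomobject]@{ ErrorCode = 50126 }; Location = [pscustomobject]@{ CountryOrRegion = 'RU' } }
}
$SampleSignIns += [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com'; ClientAppUsed = 'Browser'
                       AppDisplayName = 'Office 365 Exchange Online'; CreatedDateTime = $base; IpAddress = '203.0.113.11'
                       Status = [pscustomobject]@{ ErrorCode = 0 }; Location = [pscustomobject]@{ CountryOrRegion = 'NL' } }

# Live data instead of the sample (needs the Microsoft.Graph.Reports module):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
#   $since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
#   $SignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" | Where-Object ClientAppUsed -like '*SMTP*'

$result = Get-SmtpAuthTriage -SignIns $SampleSignIns -ExpectedCountries 'NL'
"Under attack: $($result.UnderAttack)"
$result.Bursts             | Format-Table -AutoSize
$result.StillUsingSmtpAuth | Format-Table -AutoSize
```

On the constructed sample the function flags the twelve failures against alice@contoso.com (all within about half a minute, from an unexpected country) as a burst, and reports printer@contoso.com as the only account that still successfully uses SMTP AUTH. That `StillUsingSmtpAuth` list is the allow-list you carry into the next section; anything not on it should end up disabled.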
Disable SMTP Authentication (safely)
Find all mailboxes which have SMTP Authentication enabled. Best result would be nothing 🙂
#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>
#Query mailboxes with SMTP Auth enabled
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $false}
Find all mailboxes which have SMTP Authentication explicitly disabled at the mailbox level. An empty result only means no mailbox carries a per-mailbox disable; whether SMTP Authentication is actually off for those mailboxes depends on the tenant-wide setting, which you check with Get-TransportConfig further down.
#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>
#Query mailboxes with SMTP Auth disabled.
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $true}
Find all mailboxes that are managed by the tenant-wide setting. All mailboxes with an empty (null) SmtpClientAuthenticationDisabled value are controlled by the tenant-wide configuration; a mailbox with an explicit $true or $false value overrides it.
#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>
#Query mailboxes managed by the tenant-wide SMTP config (null on the left so a $null value is not coerced)
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$null -eq $_.SmtpClientAuthenticationDisabled}
To disable SMTP Authentication for your entire tenant/organization you can run the following cmdlet.
Reminder: disabling SMTP Authentication tenant-wide also disables it for the users who still need it, so re-enable it for those specific mailboxes right after (next section). Because a per-mailbox value overrides the organization setting, you can also set those exceptions first and flip the tenant-wide switch afterwards, which avoids an outage for the printers and applications that depend on SMTP Authentication.
#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>
#Disable SMTP Authentication for ALL mailboxes (tenant wide)
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Once completed, verify that SMTP Authentication is disabled for the entire tenant!
#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>
#Query SMTP Authentication state
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
If the result shows SmtpClientAuthenticationDisabled : True, you have successfully disabled SMTP Authentication for the entire tenant/organization.
Enable SMTP Authentication for specific users
As we (could) have seen before in the Azure AD sign-in logs, some users could still be using SMTP Authentication for a good reason. Investing time in migrating these applications or devices would be the recommended next step. Unfortunately this takes time, and therefore we have to enable SMTP Authentication for these specific users again.
Take the cmdlet below and replace user@identity.com with the user who still needs SMTP Authentication. Run the cmdlet and you're done.
#Prerequisites and Connection
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <UPN>
#Enable SMTP Auth for specific mailbox
Set-CASMailbox -Identity user@identity.com -SmtpClientAuthenticationDisabled $false
We have now disabled SMTP Authentication on all mailboxes via the tenant/organization-wide configuration, except for the users who still need it. Their explicit per-mailbox value ($false) overrides the organization setting, so review those exceptions regularly: a forgotten $false keeps SMTP Authentication open for that mailbox no matter what the tenant-wide setting says.
Last but not least, a reminder to investigate whether the devices or applications which are using SMTP Authentication can be migrated to modern authentication.
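The three Get-CASMailbox queries earlier and the disable/re-enable steps above can be combined into one reconciliation: compute the effective SMTP AUTH state per mailbox (an explicit per-mailbox value wins, a null value inherits the tenant setting), compare it with the allow-list of accounts that still need SMTP AUTH, and apply only the differences in a safe order (exceptions first, then the tenant-wide switch, then cleanup of stale exceptions). This is an added example, not the post's own code. `Get-EffectiveSmtpAuthState` is a pure function, shown running on constructed mailbox objects; `Invoke-SmtpAuthReconcile` wraps the real Exchange Online cmdlets from the post and honours `-WhatIf`. The allow-list contents are an assumption; take them from your own sign-in log review.

```powershell
# Added example, not from the original post: reconcile per-mailbox SMTP AUTH
# settings against an allow-list, respecting how the override rules work.

function Get-EffectiveSmtpAuthState {
    param(
        [Parameter(Mandatory)] [bool]     $TenantDisabled,   # Get-TransportConfig SmtpClientAuthenticationDisabled
        [Parameter(Mandatory)] [object[]] $Mailboxes,        # Get-CASMailbox output, or look-alike objects
        [string[]] $AllowList = @()                          # UPNs that legitimately still need SMTP AUTH (assumption)
    )
    foreach ($m in $Mailboxes) {
        $override  = $m.SmtpClientAuthenticationDisabled
        # $null means "inherit the organization setting"; $true/$false overrides it.
        $effective = if ($null -eq $override) { $TenantDisabled } else { [bool]$override }
        $wanted    = ([string]$m.PrimarySmtpAddress -notin $AllowList)   # disabled unless allow-listed
        [pscustomobject]@{
            Mailbox           = [string]$m.PrimarySmtpAddress
            Override          = $override
            EffectiveDisabled = $effective
            WantedDisabled    = $wanted
            Action            = if ($effective -eq $wanted) { 'none' } elseif ($wanted) { 'disable' } else { 'enable' }
        }
    }
}

function Invoke-SmtpAuthReconcile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $AllowList)

    # Plan against the target state (tenant-wide disabled), before changing anything.
    $plan = Get-EffectiveSmtpAuthState -TenantDisabled $true `
                                       -Mailboxes (Get-CASMailbox -ResultSize Unlimited) `
                                       -AllowList $AllowList

    # Step 1: exceptions first, so allow-listed mailboxes never lose SMTP AUTH.
    foreach ($p in ($plan | Where-Object Action -eq 'enable')) {
        if ($PSCmdlet.ShouldProcess($p.Mailbox, 'Enable SMTP AUTH (per-mailbox override)')) {
            Set-CASMailbox -Identity $p.Mailbox -SmtpClientAuthenticationDisabled $false
        }
    }
    # Step 2: flip the tenant-wide switch if it is not already off.
    if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled -and
        $PSCmdlet.ShouldProcess('organization', 'Disable SMTP AUTH tenant-wide')) {
        Set-TransportConfig -SmtpClientAuthenticationDisabled $true
    }
    # Step 3: clear stale $false overrides so those mailboxes inherit the (now disabled) tenant setting.
    foreach ($p in ($plan | Where-Object Action -eq 'disable')) {
        if ($PSCmdlet.ShouldProcess($p.Mailbox, 'Remove SMTP AUTH override (inherit tenant setting)')) {
            Set-CASMailbox -Identity $p.Mailbox -SmtpClientAuthenticationDisabled $null
        }
    }
    $plan
}

# Constructed sample mailboxes (not real tenant output), evaluated offline:
#   printer - inherits, but is allow-listed      -> needs an 'enable' override
#   alice   - stale explicit $false exception    -> 'disable' (clear the override)
#   bob     - inherits, not allow-listed         -> 'none'
$SampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'printer@contoso.com'; SmtpClientAuthenticationDisabled = $null  }
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.com';   SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.com';     SmtpClientAuthenticationDisabled = $null  }
)
Get-EffectiveSmtpAuthState -TenantDisabled $true -Mailboxes $SampleMailboxes -AllowList 'printer@contoso.com' |
    Format-Table -AutoSize

# Against a real tenant (after Connect-ExchangeOnline), dry-run first, then apply:
#   Invoke-SmtpAuthReconcile -AllowList 'printer@contoso.com' -WhatIf
#   Invoke-SmtpAuthReconcile -AllowList 'printer@contoso.com'
```

Running the reconcile periodically (or after every change in the sign-in log review) catches the drift the post warns about: a mailbox that was granted an exception a year ago and has since migrated to modern authentication still has SMTP AUTH open until its `$false` override is cleared.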
Note: Please take a look at this reference: it will guide you through the process of disabling SMTP Auth via an Authentication Policy. This is probably a better way of blocking SMTP Auth. Disable Basic authentication in Exchange Online | Microsoft Learn
References
Block legacy authentication – Azure Active Directory – Microsoft Entra | Microsoft Learn
Enable or disable SMTP AUTH in Exchange Online | Microsoft Learn
Very informative article, Joey. One thing to clarify: if we disable SMTP for the entire tenant, will there be an impact on those accounts that need SMTP until we enable it selectively?
It will be disabled for all users, also the ones who are still using SMTP auth. Therefore you should allow it immediately for those who need it.
Hi, very good article! What about modern authentication and its support for SMTP AUTH? I've seen cases where, as mentioned here https://redcanary.com/blog/bav2ropc/, Microsoft 'upgrades' basic auth via SMTP AUTH to modern auth (the OAuth 2.0 ROPC flow, that is), which in case of an MFA requirement, say for Exchange Online with a conditional access policy, would block that request altogether, as ROPC does not support MFA and would simply block the request.