New Microsoft Report Suggests Basic Authentication as Source of Business Email Compromise (BEC) Attacks

Microsoft Examines Basic Authentication's Role in BEC Attacks

In late 2019, Microsoft announced its intent to remove basic authentication from Exchange Online protocols. For many organizations using Microsoft 365, however, a combination of basic authentication and connection protocols like POP3 and IMAP4 is still standard practice for accessing Exchange Online mailboxes.

A recent report released by Microsoft’s Threat Intelligence Center (MSTIC) examines how attackers are using the vulnerabilities in basic authentication to facilitate business email compromise (BEC) attacks. Microsoft explains how attackers use POP3 or IMAP4 to test user credentials gained from phishing. Attackers then use these credentials to sign in to mailboxes and typically create inbox rules: one that forwards copies of messages containing terms like “invoice”, and another that cleans the mailbox so the user doesn’t see their messages being forwarded in their Sent Items folder. Read the full Microsoft investigation here.
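The rule pattern described above can be searched for in mailbox audit data. The following Python is an added example, not code from Microsoft's report or from Cayosoft: it groups inbox-rule changes per mailbox and grades any mailbox that forwards mail outside the tenant. The event layout, the keyword watch list and the contoso.example tenant domain are assumptions made for illustration; the parameter names are those of the Exchange New-InboxRule cmdlet.

```python
# Added example: triage of inbox-rule audit events (record shape is simplified).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance"}  # assumed watch list
INTERNAL_DOMAINS = {"contoso.example"}                        # assumed tenant domain

# Constructed sample events; multi-valued parameters are ';'-separated here.
SAMPLE_EVENTS = [
    {"UserId": "alice@contoso.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "SubjectOrBodyContainsWords": "invoice;payment",
                    "ForwardTo": "collector@mail.example"}},
    {"UserId": "alice@contoso.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "..", "DeleteMessage": "True"}},
    {"UserId": "bob@contoso.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "News", "MoveToFolder": "Newsletters"}},
    {"UserId": "carol@contoso.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "Cover", "ForwardTo": "bob@contoso.example"}},
    {"UserId": "dave@contoso.example", "Operation": "Set-InboxRule",
     "Parameters": {"Name": "Home", "RedirectTo": "dave@personal.example"}},
    {"UserId": "dave@contoso.example", "Operation": "MailItemsAccessed",
     "Parameters": {}},
]

def _values(params, names):
    """Collect the ';'-separated values of the named parameters, lower-cased."""
    return {v.strip().lower() for n in names
            for v in params.get(n, "").split(";") if v.strip()}

def classify_rule(params):
    """Return the suspicious traits a single rule definition shows."""
    traits = set()
    targets = _values(params, FORWARD_PARAMS)
    if any(t.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS for t in targets):
        traits.add("external_forward")
    if _values(params, KEYWORD_PARAMS) & FINANCE_TERMS:
        traits.add("finance_keywords")
    if params.get("DeleteMessage", "").lower() == "true":
        traits.add("deletes_messages")
    return traits

def review_mailboxes(events):
    """Map mailbox -> 'high' or 'review' from the traits of all its rule changes."""
    per_user = {}
    for ev in events:
        if ev.get("Operation") in ("New-InboxRule", "Set-InboxRule"):
            per_user.setdefault(ev["UserId"], set()).update(
                classify_rule(ev.get("Parameters", {})))
    return {user: ("high" if len(traits) > 1 else "review")
            for user, traits in per_user.items() if "external_forward" in traits}

if __name__ == "__main__":
    print(review_mailboxes(SAMPLE_EVENTS))
```

A mailbox is graded "high" when external forwarding is combined with finance keywords or a delete rule, and "review" when it only forwards externally; internal forwarding and plain filing rules are not reported.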

Microsoft has made previous attempts to curtail malicious activity like this. An update to the Exchange Online outbound spam filter policy, released in late 2020, set the default to block automatic forwarding of emails from user mailboxes. The recent article on this subject features a checklist for tenant administrators to help with exceptions to the default. To see the checklist, read the full article here.

The article also states, “Moving to modern authentication (MFA) reduces the likelihood of success for a password spray attack. Better again, using multi-factor authentication blocks 99.9% of account compromise attacks.” Security defaults like multi-factor authentication (MFA) are essential to protecting user accounts and your organization's vital data. For more information on MFA, read our blog exploring the differences between Microsoft 365 user-based MFA and Azure MFA.

Looking for Additional Ways to Add Security and Control to Your Organization's IT Management?

Visit our Protect Hybrid Identities page to see how Cayosoft can help you manage, monitor, and recover your Microsoft platforms across on-premises Active Directory and Azure Active Directory in a unified solution.
