Microsoft has announced that it is following up on its three-year plan to improve cybersecurity by moving away from Basic Authentication – typically refereed to as “Basic Auth” – for specific protocols within Exchange Online on October 1. This will affect many companies that use Microsoft emails, if they have not already moved away from Basic Auth practices.
However, there will be a temporary and one-time option to extend the use of Basic Auth through the end of 2022, but it requires a self-service diagnostic to be performed.
Why The Change?
Basic Auth is considered antiquated in that it does not naturally support multi-factor authentication and cannot keep up with evolving cybercrime tactics. While it may suffice for certain users, Microsoft feels that the best course of action to protect the data of its users is to discourage and eventually disallow its use on its Exchange Online portals.
Indeed, last summer the US Cybersecurity and Infrastructure Security Agency issued an advisory that federal executive civilian agencies such as the Federal Communications Commission, Federal Trade Commission and Homeland Security have been required to move off of Basic Auth.
Many companies are migrating to the Cloud. Others are expanding their work-from-home models. Both dynamics are examples of scenarios that could leave a company still operating on Basic Auth to be vulnerable of cybercriminals attempting to steal their credentials and compromise them financially.
Moving off of Basic Auth on your own terms will be considerably more convenient than facing an outage. Microsoft has determined that they have provided enough warnings and hopes that effected users will act soon rather than be caught off guard.
“We recognize that unfortunately there are still many tenants unprepared for this change,” the Exchange Team wrote in a blog post. “Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage.”
The Deadline
Microsoft has stated that it will start disabling Basic Auth for protocols in Exchange Online including MAPI, RPC, Offline Address Book, Exchange Web Services, POP, IMAP, Exchange ActiveSync and Remote PowerShell on October 1.
If you have already removed any dependency on Basic Auth, you will not be affected.
For more information on how to act in preparation for this deadline, click here to read Microsoft’s summary of the Basic Auth removal.
An Extension Is Available
Acting as a form of compromise of the deadline for unprepared users, Microsoft is offering a one-time self-service diagnostic, which will re-enable Basic Auth for any protocol they need. This will only work once per protocol. It will be a temporary extension that will last through the remainder of 2022. The diagnostic can be performed after the deadline or in anticipation of the deadline.
Information on how to perform the diagnostic can be found here, under the header “Diagnostic Options.”
PPAI recommends consulting with your organization’s information technology manager or staff member who handles software operations if you are unsure of whether this deadline will affect your email systems. PPAI has also stated and continues to endorse multi-factor authentication to protect your business.
After December 31, 2022, the move away from Basic Auth will become permanent for Exchange Online protocols with no possible extension.
The Promo Angle
Like other businesses, a large number of promotional products companies use the Microsoft suite for their office needs. And like other businesses, promo companies are potential targets for cybercriminals.
A number of industry companies have been affected by targeted attacks in just the last year.
- In May, Washington-based distributor Color Graphics was the victim of a fraudulent order that cost it $35,000.
- The same month, HanesBrands was hit with a ransomware attack.
- Earlier this the year, The White House urged companies to take additional steps to protect against cyberattacks.