If you've implemented multi-factor authentication, you should disable the default basic authentication to make sure attackers can't exploit it.

Attackers will go after weaker credentials and passwords to gain network access. Small businesses often set up shared mailboxes that are used for various functions. If one set of credentials for a shared mailbox is compromised, it could have a wide impact on the company.

If you’ve enabled multi-factor authentication (MFA), you might think that you’ve done enough to ensure you are protected. Unless you disable legacy authentication in your Office 365 implementation, however, you are still at risk. Basic authentication is enabled by default in all Office 365 implementations unless you disable it.

First, how do you know if your Office 365 still supports basic authentication? Open Microsoft Outlook and look at the authentication window that pops up to ask you for a password. If it looks like the traditional authentication window you’ve seen for years, basic authentication is still enabled.

[Screenshot: Traditional sign-in window means basic authentication is still active]

(Note: All screenshots were taken in June 2019. Given that Office 365 and Azure are fluid platforms, they might look different when you view them later.)

Before you disable basic authentication, review what applications are using it. Many applications rely on basic authentication and are not ready to be restricted to modern authentication. Go to the Azure Portal, into Azure Active Directory, and review the sign-ins. Click on “Columns,” add client sign-ins to the view and click “OK”. Review for any applications that log in using older legacy authentication. Some third-party applications that hook into Office 365 may still use basic authentication. For example, the native iPhone mail application still relies on basic authentication.
If you disable basic authentication, you might have to set up an iPhone Exchange mail profile after MFA is enabled. To set it up, remove the iPhone Exchange profile, re-add the user account to set up the profile again, and then select “Sign in when prompted”. You will then get the appropriate modern authentication window to trigger the proper authentication process.

[Screenshot: Review sign-in activity]

To limit the issues you might face, focus on client applications that use Unsupported Exchange ActiveSync and on the category of Other clients. Narrow in on IMAP, MAPI, older Office clients, POP and SMTP, as these older applications will expose your Office 365 and Azure Active Directory to password spray attacks.

[Screenshot: Filter on older authentication techniques]

Disabling unneeded authentication is an easy process. Go to the Microsoft Admin Portal. Select a user, go to mail, and then to “Manage email apps”.

[Screenshot: Manage email apps]

Disable any authentication processes that you do not need. In particular, focus on disabling IMAP and POP, as these two are targeted in password spray attacks.

[Screenshot: Disable unneeded apps]

Obviously, disabling IMAP and POP one mailbox at a time is not a viable methodology. Here’s a PowerShell command to help:

    Get-Mailbox | Set-CasMailbox -PopEnabled $false -ImapEnabled $false

You may also be able to disable SMTP, but this may depend on other applications. If you can disable all three, then use this PowerShell command:

    Get-Mailbox | Set-CasMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

To ensure that any new account going forward does not have IMAP and POP enabled by default, you might want to disable the authentication proactively. Use this PowerShell command to disable IMAP and POP on any new accounts:

    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

Take the time to review if you still need legacy authentication in your Office 365 implementation.
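The review-then-disable procedure above, as an added example script rather than the article's own commands. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the $keepLegacy allow-list and the mailbox address in it are hypothetical placeholders for mailboxes your sign-in review showed still need IMAP or POP. It also handles one caveat the one-liners do not: a per-mailbox SmtpClientAuthenticationDisabled value of $null means the mailbox inherits the tenant-wide setting, so the report resolves that before deciding whether SMTP AUTH is really on.

```powershell
# Added example, not from the article. Assumes ExchangeOnlineManagement is
# installed and the signed-in account has Exchange administrator rights.
Connect-ExchangeOnline

# Hypothetical allow-list: mailboxes the Azure AD sign-in review showed still
# depend on IMAP/POP (e.g. a scanner). Constructed placeholder address.
$keepLegacy = @('scanner@contoso.example')

# Tenant-wide SMTP AUTH default; a per-mailbox value of $null inherits this.
$tenantSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# 1. Inventory: which mailboxes still accept a legacy protocol?
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $smtpDisabled = if ($null -eq $_.SmtpClientAuthenticationDisabled) {
        $tenantSmtpAuthDisabled
    } else {
        $_.SmtpClientAuthenticationDisabled
    }
    [pscustomobject]@{
        Mailbox     = $_.PrimarySmtpAddress
        PopEnabled  = $_.PopEnabled
        ImapEnabled = $_.ImapEnabled
        SmtpAuthOn  = -not $smtpDisabled
        Exempt      = $keepLegacy -contains $_.PrimarySmtpAddress
    }
}

# Keep a record of what was exposed before you change anything.
$report | Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpAuthOn } |
    Export-Csv -Path .\legacy-auth-mailboxes.csv -NoTypeInformation

# 2. Disable POP, IMAP and SMTP AUTH on every mailbox not on the allow-list.
#    -WhatIf shows the scope first; remove it to apply the change.
$report | Where-Object { -not $_.Exempt } | ForEach-Object {
    Set-CASMailbox -Identity $_.Mailbox `
        -PopEnabled $false -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled $true -WhatIf
}

# 3. New mailboxes start without POP/IMAP.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run step 1 after the change and check that the CSV only lists the allow-listed mailboxes; anything else still open is a sign the tenant-wide SMTP AUTH setting (Set-TransportConfig) also needs attention.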
If a vendor requires it, ask them what their plans are — or rather were, as they should have been off legacy authentication a long time ago. It’s time to forget the terms IMAP and POP and put them behind us.