In case you don’t follow the EHLO blog, a recent announcement discussed some upcoming security changes to the Exchange Online service. Microsoft will be disabling SMTP AUTH in all new Office 365 tenants. They are also identifying current tenants that do not make use of the protocol for sending any messages and disabling SMTP AUTH for them. If your tenant is targeted for this operation, you will receive a notification from Microsoft.
Why is Microsoft doing this?
SMTP AUTH is a legacy protocol that is used to submit email messages to an SMTP server. Attackers target legacy protocols because they are less secure. Password spray, a brute force attack where a malicious actor attempts to gain unauthorized access to a single account by guessing the password over and over until successful, will often target legacy protocols. Disabling SMTP AUTH reduces your organization’s attack surface, making you more secure.
Note: One of the best things you can do to prevent account compromise in Office 365 is to enable Multi-Factor Authentication on your accounts. That said, don’t stop there.
What can you do?
Let’s get proactive. You can make these changes ahead of time without waiting for Microsoft to do it for you. Blocking legacy protocols makes your organization more secure. With Internet-based criminal activity at an all-time high, there’s no reason to wait. First, you’ll want to inventory all devices or applications that send mail. Either review the specifications yourself or check with the vendor to see if they require SMTP AUTH to send. After blocking SMTP AUTH across the entire org, you will need to selectively enable SMTP AUTH on a per-account basis to allow those devices and apps to continue to function. Once you’re ready, carry out the steps below:
- Disable SMTP AUTH protocol across your entire Exchange Online org. Connect to Exchange Online PowerShell and run:
- Set-TransportConfig -SmtpClientAuthenticationDisabled $true
- Configure individual accounts to override the organization setting. Connect to Exchange Online PowerShell and run:
- Set-CASMailbox -Identity email@example.com -SmtpClientAuthenticationDisabled $false
(You’ll need to change firstname.lastname@example.org to the identity of your specific mailbox.)
You can find the Microsoft documentation for these operations here. If you need help with this (or other initiatives), reach out to speak with an expert. We are happy to help!