Password spray attacks against Microsoft Exchange users are on the rise, the company warned, urging organizations to put authentication policies in place as a mitigating measure.
In a Tech Community blog post discussing the issue, “the Exchange team” said that many of its customers still using Basic authentication are being targeted.
“The evidence I see every day clearly indicates that password spray attacks are becoming more common,” the blog said. As a result, the team decided to disable Basic Authentication in Exchange Online.
A password spray attack is essentially a brute force attack in which threat actors use automation to try as many username/password combinations as possible against the login endpoint until one works. Unlike a standard brute force attack, which hammers a single account with many passwords, a password spray constantly rotates through usernames, as well as source IPs, so no single account accumulates enough failures to trip the lockout thresholds that security tools rely on.
“It’s essentially a numbers game, and computers are pretty good at numbers. And if attacks continue, it works,” the blog added.
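The distinction above (wide fan-out across accounts with only one or two tries each, versus many tries against one account) is what a defender has to look for, since per-account lockout counters never fire during a spray. The following PowerShell is an added example, not code from the article or from Microsoft; it runs a simple classification over constructed Basic-auth failure records, and the thresholds, log format and addresses are all assumptions to be tuned against real sign-in logs.

```powershell
# Added example, not from the article or from Microsoft: a small detection pass
# over constructed Basic-auth failure records that separates the spray pattern
# (one source touching many usernames, about one try each) from a classic brute
# force (many tries against one username). Thresholds are assumptions to tune.

$DistinctUserThreshold = 5     # assumed: flag a source once it has failed against this many accounts
$PerUserCeiling        = 2.0   # assumed: sprays average at most this many attempts per account

# Constructed sample log lines: "<timestamp> <sourceIP> <user> <protocol> <result>"
$logLines = @(
    '2024-01-01T10:00:01Z 203.0.113.5  alice@contoso.example  IMAP FAIL',
    '2024-01-01T10:00:02Z 203.0.113.5  bob@contoso.example    IMAP FAIL',
    '2024-01-01T10:00:03Z 203.0.113.5  carol@contoso.example  IMAP FAIL',
    '2024-01-01T10:00:04Z 203.0.113.5  dave@contoso.example   IMAP FAIL',
    '2024-01-01T10:00:05Z 203.0.113.5  erin@contoso.example   IMAP FAIL',
    '2024-01-01T10:00:06Z 203.0.113.5  frank@contoso.example  IMAP FAIL',
    '2024-01-01T10:00:07Z 198.51.100.9 alice@contoso.example  SMTP FAIL',
    '2024-01-01T10:00:08Z 198.51.100.9 alice@contoso.example  SMTP FAIL',
    '2024-01-01T10:00:09Z 198.51.100.9 alice@contoso.example  SMTP FAIL',
    '2024-01-01T10:00:10Z 198.51.100.9 alice@contoso.example  SMTP FAIL',
    '2024-01-01T10:00:11Z 198.51.100.9 alice@contoso.example  SMTP FAIL',
    '2024-01-01T10:00:12Z 198.51.100.9 alice@contoso.example  SMTP FAIL',
    '2024-01-01T10:00:13Z 192.0.2.44   grace@contoso.example  IMAP FAIL',
    '2024-01-01T10:00:14Z 192.0.2.44   grace@contoso.example  IMAP OK'
)

# Parse each line into an object; split on runs of whitespace.
$records = foreach ($line in $logLines) {
    $f = $line -split '\s+'
    [pscustomobject]@{ Time = $f[0]; Ip = $f[1]; User = $f[2]; Protocol = $f[3]; Result = $f[4] }
}

$failures = $records | Where-Object { $_.Result -eq 'FAIL' }

# Per source IP: how many attempts, how many distinct accounts, attempts per account.
$perSource = $failures | Group-Object -Property Ip | ForEach-Object {
    $users = @($_.Group | Select-Object -ExpandProperty User -Unique)
    [pscustomobject]@{
        Ip            = $_.Name
        Attempts      = $_.Count
        DistinctUsers = $users.Count
        PerUser       = [math]::Round($_.Count / $users.Count, 2)
        Protocols     = (@($_.Group | Select-Object -ExpandProperty Protocol -Unique) -join ',')
        Verdict       = 'normal'
    }
}

foreach ($s in $perSource) {
    if ($s.DistinctUsers -ge $DistinctUserThreshold -and $s.PerUser -le $PerUserCeiling) {
        $s.Verdict = 'password spray'              # wide fan-out, shallow per account
    } elseif ($s.Attempts -ge $DistinctUserThreshold -and $s.DistinctUsers -eq 1) {
        $s.Verdict = 'brute force (single account)' # deep on one account
    }
}

$perSource | Sort-Object Attempts -Descending | Format-Table -AutoSize

# Per-account view: this is why lockout alone misses a spray. Each sprayed
# account sees only one failure, well under any typical lockout threshold.
$failures | Group-Object -Property User |
    Select-Object @{n='User';e={$_.Name}}, @{n='Failures';e={$_.Count}} |
    Sort-Object Failures -Descending | Format-Table -AutoSize
```

With the constructed data, 203.0.113.5 is classified as a password spray (six attempts across six accounts), 198.51.100.9 as a single-account brute force (six attempts against one account), and 192.0.2.44 as normal. Because the article notes that sprays also rotate source IPs, a production version would additionally group by a wider key (ASN, user-agent, or a time window across all sources) rather than trusting the per-IP view alone.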
The protocols most frequently attacked are SMTP and IMAP, the researchers said, adding that POP, while third on the list, is far behind the top two.
To ensure that only known accounts can use Basic authentication with specific protocols, the Exchange team suggests that organizations set authentication policies. “Start with SMTP and IMAP and do it today!” they say.
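What setting such a policy looks like in practice, as an added example rather than a script from the article or from Microsoft: the Exchange Online PowerShell cmdlets below are real, but the policy names, the mailbox address and the decision to carve out one SMTP-only exception are assumptions for illustration. It assumes the ExchangeOnlineManagement module is installed and the session is run by an Exchange administrator.

```powershell
# Added example, not the article's or Microsoft's own script. Blocks Basic
# authentication for everyone by default, then grants a single known account
# Basic auth over SMTP only, matching the advice "only known accounts ...
# with specific protocols". Names and addresses are placeholders.

Connect-ExchangeOnline

# 1. A policy created without any -AllowBasicAuth* switch blocks Basic auth
#    for every protocol (SMTP, IMAP, POP, ActiveSync, Autodiscover, MAPI, ...).
New-AuthenticationPolicy -Name "Block Basic Auth"

# 2. Make it the tenant default so every user without an explicit assignment
#    inherits the block.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3. Exception policy for a legacy device that can only send mail with Basic
#    auth over SMTP. Only the SMTP switch is enabled; IMAP and POP stay blocked.
New-AuthenticationPolicy -Name "Allow Basic SMTP Only" -AllowBasicAuthSmtp

# 4. Assign the exception to that one account (placeholder address).
Set-User -Identity "scanner@contoso.example" -AuthenticationPolicy "Allow Basic SMTP Only"

# 5. Policy changes can take up to 24 hours to apply; resetting the token
#    validity timestamp forces the new policy to take effect on next sign-in.
Set-User -Identity "scanner@contoso.example" -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 6. Verify: which protocols each policy permits, and who has an explicit assignment.
Get-AuthenticationPolicy |
    Format-Table Name, AllowBasicAuthSmtp, AllowBasicAuthImap, AllowBasicAuthPop -AutoSize

Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

The order matters: create and verify the default block policy first, then add narrow exceptions, so that an account missed during inventory fails closed rather than open. Any account that does keep a Basic-auth exception is exactly the kind of target a spray will find, so it deserves a long, unique password and the closest monitoring.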
Brute force attacks are quite popular among threat actors, mainly because people are known to reuse the same username/password combination across a wide variety of online services.
By compromising one service and stealing the credentials, threat actors can often compromise accounts across multiple platforms, gaining a real treasure trove of data they can use for identity theft and, in some cases, even financial theft.