COVID-19 causes rise in cyberattacks. How to close a dangerous security loophole. 

The number of cyberattacks has increased dramatically since the start of the COVID-19 pandemic. 

In the first quarter of 2020, fraud prevention specialists Arkose Labs recorded the highest ever number of attacks, with 445 million cyberattacks taking place within this period. 

“As face-to-face interactions dwindle, digital attack vectors are multiplying at a record rate, creating almost perfect working conditions for fraudsters, who are grasping every available opportunity to exploit both individuals and enterprises during the crisis,” warned Vanita Pandey, Vice President of Strategy at Arkose Labs. 

Hackers and malicious third parties have never posed a bigger threat to your business, so it’s vital that you take the steps to protect your confidential company data and accounts. 

In this article, we’ll show how to reduce your chances of being hacked by 67%, while also blocking 99.9% of password-based security breaches. 

By the end of this article, you’ll have implemented policies that protect your business against over 99% of password spray attacks and 97% of credential stuffing attacks, and that reduce the likelihood of your accounts being compromised by almost 70%. 

Legacy authentication may be undermining your MFA policies

If your business does suffer a data breach, then the consequences can be disastrous. 

The average data breach costs an organization $3.92 million, with 20% of businesses losing customers during an attack and 60% of SMBs closing their doors following a successful cyberattack. 

The stakes are high, but there’s an easy way to protect your business against almost all password-based attacks. 

Multi-Factor Authentication (MFA) is a security system where users must pass an additional security check before accessing any confidential data, applications or other sensitive resources. For example, an employee may need to enter their regular password and then enter a one-time PIN code that’s sent to their smartphone, before they can access their account. 

Used correctly, MFA can help protect your business against the 7 trillion cyber threats that Microsoft successfully identifies and blocks every single day. However, there’s a dangerous security loophole that can completely undermine all of your company’s MFA policies and expose your business to potential data breaches. 

Legacy authentication protocols such as POP, SMTP, IMAP and MAPI do not support MFA. If your employees can access their account via legacy protocols, including older Microsoft Office apps and clients, then an attacker could potentially use this legacy authentication loophole to bypass all of your MFA protection, and gain access to your corporate accounts. 

In this article, we’ll show you how to close this dangerous security loophole and ensure that MFA really is protecting your business against 99.9% of password-based attacks. 

Blocking legacy authentication the easy way

Microsoft itself has acknowledged that legacy authentication undermines the effectiveness of an MFA strategy. To help keep its customers safe, Microsoft has created a set of security defaults that make MFA mandatory across your organization, while also disabling legacy authentication. 

If you’re not already using MFA, then security defaults is a quick and easy way to protect your business against data breaches. Just flick the “security defaults” switch and your employees will be asked to activate MFA the next time they log into their Office 365 account, and will also be unable to access their account using legacy authentication methods. 

Since it’s quick, easy and secure we’d recommend enabling security defaults wherever possible. However, for some businesses it may not be practical to simply enforce MFA and disable legacy authentication for every single user across your organization. If you need more fine-grained control over your legacy authentication settings, then skip ahead to the next section where we explore an alternative approach. 

To enable Office 365’s security defaults: 

● Head over to the Azure Active Directory and sign into your admin account. 

● In the left-hand menu, select “Properties.” 

● Select “Manage Security defaults.” 

● In the panel that appears, find the “Enable Security defaults” slider and push it into the “Yes” position. 

● Click “Save.” 

Need more information about MFA, including a step-by-step walkthrough of how your employees can activate MFA using their smartphone or tablet? Check out our complete guide to Multi-Factor Authentication. 

Help! My business can’t block all legacy authentication protocols 

To keep your corporate apps and data secure, we recommend blocking all legacy authentication methods, for all users. However, it’s not always possible for businesses to simply block legacy authentication at an organization-wide level. For example, some mobile clients use IMAP or POP3 to read email from the user’s mailbox, so blocking legacy authentication protocols could prevent some of your employees from accessing their email. 

In these scenarios, you can block legacy authentication protocols for specific employees or groups, using Conditional Access. 

Conditional Access: Identify legitimate legacy authentication use 

Do you suspect that some of your workforce may have a legitimate reason for requiring access to legacy authentication protocols? 

Before configuring your Conditional Access, you should analyze how your employees are currently using legacy authentication protocols and then use this information to inform your Conditional Access policies. 

Azure Active Directory records every sign-in attempt made using legacy authentication methods. By reviewing this record, you can identify the employees who are still reliant on legacy authentication, and should therefore be exempt from your Conditional Access policy: 

● Log into Azure Active Directory using an admin account. 

● In the left-hand menu, select “Sign-ins.” 

● Select “Add filters > Client App.”

● Select all the “Legacy Authentication Clients.” 

Azure Active Directory will now display every sign-in attempt that was made using legacy authentication methods. You can use this information to identify employees who are still reliant on legacy authentication, and gauge whether they have a legitimate reason for continuing to use legacy authentication. 

To help protect your confidential corporate data and accounts from malicious third parties, we recommend disabling legacy authentication for all users who aren’t reliant on legacy authentication methods. 
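The review described above can also be done offline against an export of the sign-in log. The script below is an added example, not code from the article: it takes sign-in records in the JSON shape of the Microsoft Graph signIn resource (constructed sample data embedded inline), keeps only sign-ins made with a legacy client, and summarises per user how often and how recently each legacy protocol was actually used, keeping failed attempts separate so a password spray against a mailbox is not mistaken for legitimate use. The set of legacy client names is our reading of Microsoft's “Legacy Authentication Clients” filter and should be checked against your own tenant.

```python
import json
from collections import defaultdict

# "clientAppUsed" values that Azure AD reports for legacy (basic-auth) clients.
# Assumption: this follows Microsoft's "Legacy Authentication Clients" sign-in
# filter; verify the list against the filter in your own tenant.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients",
}

# Constructed sample export in JSON-lines form; field names follow the Microsoft
# Graph signIn resource, users and timestamps are made up. errorCode 50126 is
# Azure AD's "invalid username or password" result.
SAMPLE_LOG = """\
{"createdDateTime":"2020-04-02T08:10:00Z","userPrincipalName":"alice@example.com","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2020-04-02T08:12:00Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","status":{"errorCode":0}}
{"createdDateTime":"2020-04-03T09:00:00Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","status":{"errorCode":0}}
{"createdDateTime":"2020-04-03T11:30:00Z","userPrincipalName":"carol@example.com","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":50126}}
{"createdDateTime":"2020-04-04T07:45:00Z","userPrincipalName":"alice@example.com","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0}}
"""

def legacy_auth_users(log_text):
    """Summarise legacy-auth sign-ins per user.

    Returns {upn: {"count", "failed", "clients", "last_seen"}} for every user
    seen on a legacy client. Only successful sign-ins ("count") indicate real
    dependence; failed attempts ("failed") are kept apart.
    """
    users = defaultdict(lambda: {"count": 0, "failed": 0, "clients": set(), "last_seen": ""})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        entry = users[rec["userPrincipalName"]]
        if rec.get("status", {}).get("errorCode", 0) != 0:
            entry["failed"] += 1
            continue
        entry["count"] += 1
        entry["clients"].add(rec["clientAppUsed"])
        entry["last_seen"] = max(entry["last_seen"], rec["createdDateTime"])
    # Sort the client sets so the output is stable and printable.
    return {u: {**e, "clients": sorted(e["clients"])} for u, e in users.items()}
```

Users with a non-zero "count" are the candidates for the Exclude list; a user who only appears under "failed" has no demonstrated legitimate need.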

Implement a Conditional Access policy 

Once you’ve identified the employees who do, and do not, require access to legacy authentication, you’re ready to create your Conditional Access policy: 

● Head over to the Conditional Access area of Azure Active Directory. 

● Select “New Policy.” 

● Give your policy a name. 

● In the left-hand menu, select “Conditions.” 

● In the subsequent menu, select “Client apps.”

● Find the “Configure” slider and push it into the “Yes” position. 

● Select “Mobile apps and desktop clients.” 

● Select “Exchange ActiveSync clients” and “Other clients.”

● We only want to apply this Conditional Access policy to applications that use legacy authentication, so deselect “Modern authentication clients.” 

● Click “Done.” 

● In the left-hand menu, find the “Access controls” section, and then select “Grant.”

● In the subsequent panel, navigate to “Block Access > Select.” 

● In the left-hand menu, select “Users and groups.” 

You can now use the “Include / Exclude” tabs to specify who this Conditional Access policy should, and should not, apply to: 

● Include. These employees will no longer be able to access their account using legacy authentication methods. 

● Exclude. These employees can continue using legacy authentication methods. 

To ensure you don’t accidentally lock your entire organization out of your tenant, you’ll need to exclude at least one user from your Conditional Access policy. 

You should spend some time exploring the “Include / Exclude” tabs, to identify the approach that makes the most sense for your particular organization. 

Rather than immediately blocking legacy authentication for all employees who fall into the “include” category, you can evaluate the impact this Conditional Access policy will have on your users, by enabling report-only mode. In report-only mode, Azure Active Directory will record every sign-in attempt and specify whether this sign-in would have been blocked or permitted by the new Conditional Access policy. 

To enable report-only mode, select “Enable policy: Report-only,” and then click “Create.” 
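The same policy can be expressed as a Microsoft Graph conditionalAccessPolicy object, which is useful if you manage tenants from scripts. The code below is an added example and not from the article or from Microsoft: it builds the policy the portal steps above describe (all users minus exclusions, only the two legacy client-app types, grant control “block”, report-only state) and checks the two mistakes that matter most before you enable it: leaving modern-auth clients in scope, and having no excluded account to fall back on. The Graph field names and enum values are our assumption from the API reference; verify them before sending the object to the API.

```python
# Assumption: field names and enum values follow the Microsoft Graph
# conditionalAccessPolicy resource. "browser" and "mobileAppsAndDesktopClients"
# are the modern-auth client types the article says to deselect;
# "exchangeActiveSync" and "other" are the two legacy types it says to select.
MODERN_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients"}
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]

def build_legacy_auth_block_policy(name, exclude_users,
                                   state="enabledForReportingButNotEnforced"):
    """Policy object mirroring the portal steps; starts in report-only mode."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "clientAppTypes": list(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_problems(policy):
    """Return the reasons this block policy is unsafe to enable (empty list = OK)."""
    problems = []
    cond = policy.get("conditions", {})
    client_types = set(cond.get("clientAppTypes", []))
    if not client_types:
        problems.append("no client app types selected; policy matches nothing")
    if "all" in client_types or client_types & MODERN_CLIENT_APP_TYPES:
        problems.append("modern-auth clients are in scope; they would be blocked too")
    users = cond.get("users", {})
    if users.get("includeUsers") == ["All"] and not (
            users.get("excludeUsers") or users.get("excludeGroups")):
        problems.append("no excluded user: risk of locking the whole tenant out")
    grant = policy.get("grantControls") or {}
    if "block" not in grant.get("builtInControls", []):
        problems.append("grant control is not 'block'")
    return problems
```

Run `policy_problems` on the object before flipping `state` to `"enabled"`; an empty list means the policy matches only legacy clients and leaves at least one account able to sign in.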

Analyze your sign-in reports with Azure Active Directory 

Once report-only mode is enabled, Azure Active Directory will start recording data about each sign-in attempt. Your admin can evaluate these sign-in attempts, by logging into their Azure Active Directory account: 

● Head over to Azure Active Directory. 

● In the left-hand menu, select “Sign-ins.” You’ll now see a record of all sign-in attempts. 

● Select the “Report-only” tab. 

● Find the sign-in attempt that you want to examine, and give it a click. 

Find the Conditional Access policy that you created to block legacy authentication, and check its accompanying “Result” value. The possible values are: 

● Success. All configured policy conditions, required non-interactive grant controls, and session controls were satisfied. 

● Failure. All configured policy conditions were satisfied, but not all the required non-interactive grant controls or session controls were satisfied. 

● User action required. All configured policy conditions were satisfied, but the user would normally be required to take action in order to satisfy the required grant controls or session controls. Note that in report-only mode, the user isn’t prompted to satisfy the required controls. 

● Not applied. Not all configured policy conditions were satisfied. 

By monitoring this report, you can identify specific instances where your Conditional Access policy could cause issues. You can then use this information to either modify your Conditional Access policy, or to identify users who may need some help migrating away from legacy authentication methods. 

To modify your policy, head over to the Conditional Access area of Azure Active Directory, select the policy in question and then make your changes. 

When you’re ready to make your policy live, drag the “Enable policy” slider into the “On” position, and then click “Save.”
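Reading the Report-only tab one sign-in at a time does not scale, so here is an added example (not from the article) that does the same evaluation over an exported sign-in log: for the named report-only policy it counts how many sign-ins fell into each “Result” category and lists the users, with the client they used, that the policy would have blocked once enforced. The records use the Graph signIn shape with `appliedConditionalAccessPolicies` and are constructed; the mapping from Graph result values to the portal wording is our assumption.

```python
import json
from collections import Counter

# Assumption: Graph appliedConditionalAccessPolicy "result" values for a
# report-only policy, mapped to the wording the portal's Report-only tab uses.
RESULT_LABELS = {
    "reportOnlySuccess": "Success",
    "reportOnlyFailure": "Failure",
    "reportOnlyInterrupted": "User action required",
    "reportOnlyNotApplied": "Not applied",
}

# Constructed sign-in records (JSON lines); users and policy names are made up.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","appliedConditionalAccessPolicies":[{"displayName":"Block legacy auth","result":"reportOnlyNotApplied"}]}
{"userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","appliedConditionalAccessPolicies":[{"displayName":"Block legacy auth","result":"reportOnlyFailure"}]}
{"userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","appliedConditionalAccessPolicies":[{"displayName":"Block legacy auth","result":"reportOnlyFailure"}]}
{"userPrincipalName":"dave@example.com","clientAppUsed":"Browser","appliedConditionalAccessPolicies":[{"displayName":"Require MFA","result":"success"}]}
"""

def report_only_summary(log_text, policy_name):
    """Count how the named report-only policy evaluated each sign-in, and list
    the users (with the client apps they used) it would have blocked.

    Returns (counts_by_label, {upn: [client apps]}).
    """
    counts = Counter()
    would_block = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for applied in rec.get("appliedConditionalAccessPolicies", []):
            if applied.get("displayName") != policy_name:
                continue  # results of other policies are not our concern here
            result = applied.get("result")
            label = RESULT_LABELS.get(result, result)
            counts[label] += 1
            if label == "Failure":
                would_block.setdefault(rec["userPrincipalName"], set()).add(rec.get("clientAppUsed"))
    return dict(counts), {u: sorted(c) for u, c in would_block.items()}
```

Anyone in the returned block list who has a legitimate need belongs in the policy's Exclude tab; everyone else needs help moving to a modern-auth client before you turn the policy on.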

