How to make sense of Microsoft’s upcoming mail security changes

With Microsoft about to cut older versions of Outlook off from Microsoft 365 and Outlook 365 services on Nov. 1, it's important to remember this isn't the only change coming for Outlook. A second change scheduled for next year may have a bigger impact on how you connect your email client, and it may affect other email apps, too.

Because it could affect many users and businesses, Microsoft is giving everyone fair warning a year in advance. On Oct. 1, 2022, Microsoft will disable basic authentication for its online mail services (Exchange Online). This isn't the first time the company has warned us about this. It had planned to disable basic authentication earlier this year before realizing it couldn't do so without impacting businesses and users still struggling amid the pandemic. Hence the delay.

So just what is basic authentication? It's the sign-in method we're all used to: the email client sends a username and password on every connection, with no token and no second factor. It's how old-fashioned Post Office Protocol (POP) email works when you log in and download messages to your computer, and it's how most IMAP accounts are set up, too. You might think POP access using basic authentication is secure enough as long as you don't click on malicious links, keep your computer up to date and use a secure browser.

As it turns out, the weakness isn't on your PC; it's in the protocol. A mail server that accepts basic authentication will take a bare username and password from anyone on the internet, so multi-factor authentication and conditional-access policies never get a chance to intervene. As long as those mail servers have to support these older protocols, attackers can run brute-force, password-spray and credential-stuffing attacks against your mailbox. (If you have an easy-to-crack password, a dictionary attack will eventually guess it; if you reused it on a site that was breached, the attacker doesn't even need to guess.)

The ins and outs of POP3 and IMAP

POP3 is one of the oldest mail protocols around. Originally described in 1984 in RFC 918, it was followed by POP2 in 1985 in RFC 937. Then POP3 arrived in 1988 with RFC 1081. It was designed to support offloading emails from the mail server to a local email client. Once the emails are downloaded, you can opt to leave copies on the server or delete them. It was designed at a time when mail server operators wanted users to get emails off their servers to save space. In the last 10 years, Internet Message Access Protocol (IMAP), which keeps messages on the server and synchronizes them across clients, has come to the forefront, though POP3 remains in use.

Note: the new changes will not impact SMTP AUTH. This is typically used in businesses to connect devices such as printers and copiers so that they can send out scanned documents. If you use Microsoft 365 and rely on SMTP AUTH to connect your scanners, this should continue to work. If, by chance, you find SMTP AUTH isn't working after the October 2022 change is rolled out, you can re-enable it with the following cmdlets.

To enable it tenant-wide, connect to Exchange Online PowerShell and run:

Set-TransportConfig -SmtpClientAuthenticationDisabled $false

(Setting the parameter to $true does the opposite: it disables SMTP AUTH for every mailbox that doesn't carry its own setting.)

To enable SMTP AUTH for a specific mailbox only, which is the safer choice when a single scanner mailbox is all that needs it:

Set-CASMailbox -Identity "<mailbox>" -SmtpClientAuthenticationDisabled $false

The per-mailbox value overrides the tenant-wide value, so you can leave SMTP AUTH disabled for everyone else.

In addition, as Microsoft notes in its blog post, there will still be an opt-in endpoint that allows SMTP AUTH clients to authenticate using legacy TLS (TLS 1.0 and 1.1), for devices that can't speak TLS 1.2.

To take advantage of this new endpoint, admins will have to:

Set the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet to True.

(Legacy clients and devices will need to be configured to submit using the new smtp-legacy.office365.com endpoint to connect.)
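Putting the cmdlets above together, here is the configuration a security engineer would actually want: SMTP AUTH off for the whole tenant, opted back in for the one mailbox a scanner submits through, and a verification step so you can see exactly which mailboxes can still send with a bare password. This is an added example, not code from the article or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed and the mailbox name is a placeholder you replace with your own.

```powershell
# Added example (not from the article or Microsoft docs): lock SMTP AUTH down
# tenant-wide and re-enable it only for the mailbox a scanner uses.
# Assumes the ExchangeOnlineManagement module; Connect-ExchangeOnline prompts to sign in.
Connect-ExchangeOnline

# Assumption: replace with the mailbox your scanner or copier authenticates as.
$scannerMailbox = 'scanner@contoso.com'

# Weak posture: SMTP AUTH left on for every mailbox in the tenant, so any
# stolen password can be used to send mail through your domain.
#   Set-TransportConfig -SmtpClientAuthenticationDisabled $false

# Hardened posture: disable it tenant-wide ...
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# ... and opt in only the mailbox that genuinely needs it. The per-mailbox value
# overrides the tenant value; mailboxes with no value of their own inherit "disabled".
Set-CASMailbox -Identity $scannerMailbox -SmtpClientAuthenticationDisabled $false

# Only if a device cannot negotiate TLS 1.2: also allow the legacy-TLS endpoint
# (smtp-legacy.office365.com). Leave this commented out unless you have such a device.
#   Set-TransportConfig -AllowLegacyTLSClients $true

# Verify the tenant-wide settings.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled, AllowLegacyTLSClients

# List every mailbox explicitly opted in (value set to $false). These are the only
# accounts that can still submit mail with a username and password; review the list
# whenever a device is retired. A blank value means the mailbox inherits the tenant setting.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, SmtpClientAuthenticationDisabled
```

Run it from an admin workstation after the Oct. 1, 2022 change lands; the final query is the one to keep in your periodic review, since an opted-in mailbox with a weak password is exactly the foothold the rest of this article is about.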

If you rely on legacy protocols from a whole fleet of devices, it's often easier to use a third-party relay such as smtp2go.com, which lets you authorize a static IP address to send mail. That way, older devices can keep sending email without lowering the security of your Microsoft 365 tenant.

If you're an individual user not running Microsoft 365 as your mail platform, you may still be affected by the coming changes. Many Internet Service Providers use Microsoft 365 as their rebranded mail platform, and many other ISPs are moving away from basic authentication for the same reason: it exposes mail servers to hacking. (Many providers have already moved to different platforms.) How do you know if you are still using basic authentication? Check your email account settings: if the account is set up as POP3 or IMAP and the authentication method is "password" or "normal password" rather than OAuth2 or "modern authentication," you're still using basic authentication. (Both protocols can use OAuth with Microsoft 365, but only in clients that support it, so the protocol name alone doesn't settle the question.)

Another way to tell is the sign-in prompt you get: a plain username-and-password dialog inside the mail client is basic authentication, while modern authentication opens a Microsoft sign-in window that can also prompt for multi-factor authentication. (You can see examples of the older basic authentication prompt on several blogs, here and here.)

Overall, what’s the best way to deal with these changes?

What to do now

First, determine whether you will be affected. If you already use a web interface to log into your email and don't use an email application at all, you will not be impacted; in that case, you're relying on whatever authentication the web interface supports. If you use an application such as Outlook, Thunderbird, Ebird or another email client, you may need to remove and re-add your email account so the app sets it up with modern authentication. Reach out to your email provider to see if they are planning to make any changes. If you are affected, you can always use your ISP's web interface to read email until you settle on a long-term solution.
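For an administrator, "determine whether you will be affected" means finding which accounts still sign in with basic authentication, and the same sign-in data also reveals the password-spray attacks described earlier, where one source address tries a few passwords against many accounts over POP3 or IMAP because those endpoints can't challenge for MFA. The following is an added example, not the article's or Microsoft's code: it classifies sign-in records using the "Client app" values that Azure AD sign-in logs report (only "Browser" and "Mobile Apps and Desktop clients" are modern authentication; POP3, IMAP4, Authenticated SMTP, Exchange ActiveSync and the rest are legacy) and flags spray sources. The records are constructed for the example; in a real tenant they would come from Get-MgAuditLogSignIn in the Microsoft.Graph.Reports module or from an exported sign-in log, and the spray threshold is an assumption you tune to your tenant's size.

```powershell
# Added example (not from the article or Microsoft): find who still uses basic auth
# and spot password sprays against legacy-auth endpoints. Runs offline on constructed data.

# Sign-in log "Client app" values that mean modern authentication; anything else
# (POP3, IMAP4, Authenticated SMTP, Exchange ActiveSync, Other clients, ...) is legacy.
$modernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

# Constructed sample sign-ins. Status 0 = success; 50126 = invalid username or password.
$signIns = @(
    [pscustomobject]@{ User='alice@contoso.com';   ClientApp='Mobile Apps and Desktop clients'; Ip='198.51.100.10'; Status=0 }
    [pscustomobject]@{ User='bob@contoso.com';     ClientApp='IMAP4';              Ip='198.51.100.11'; Status=0 }
    [pscustomobject]@{ User='scanner@contoso.com'; ClientApp='Authenticated SMTP'; Ip='198.51.100.12'; Status=0 }
    [pscustomobject]@{ User='alice@contoso.com';   ClientApp='POP3';               Ip='203.0.113.5';   Status=50126 }
    [pscustomobject]@{ User='bob@contoso.com';     ClientApp='POP3';               Ip='203.0.113.5';   Status=50126 }
    [pscustomobject]@{ User='carol@contoso.com';   ClientApp='POP3';               Ip='203.0.113.5';   Status=50126 }
    [pscustomobject]@{ User='dave@contoso.com';    ClientApp='POP3';               Ip='203.0.113.5';   Status=50126 }
    [pscustomobject]@{ User='erin@contoso.com';    ClientApp='POP3';               Ip='203.0.113.5';   Status=50126 }
    [pscustomobject]@{ User='carol@contoso.com';   ClientApp='Browser';            Ip='198.51.100.20'; Status=50126 }
)

function Test-LegacyAuth {
    param([string]$ClientApp)
    return $modernClientApps -notcontains $ClientApp
}

# 1. Accounts that successfully signed in over a legacy protocol: these clients
#    will stop working on Oct. 1, 2022 (or are scanners that need an SMTP AUTH opt-in).
$legacyUsers = $signIns |
    Where-Object { $_.Status -eq 0 -and (Test-LegacyAuth $_.ClientApp) } |
    Group-Object User |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Protocols = ($_.Group.ClientApp | Sort-Object -Unique) -join ', '
        }
    }

# 2. Password spray: one source IP failing against many distinct accounts over a
#    basic-auth protocol. Browser failures are excluded because MFA can still stop those.
$sprayThreshold = 5   # assumption: distinct accounts per IP; tune for your tenant
$sprays = $signIns |
    Where-Object { $_.Status -ne 0 -and (Test-LegacyAuth $_.ClientApp) } |
    Group-Object Ip |
    Where-Object { @($_.Group.User | Sort-Object -Unique).Count -ge $sprayThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            Ip        = $_.Name
            Accounts  = @($_.Group.User | Sort-Object -Unique).Count
            Protocols = ($_.Group.ClientApp | Sort-Object -Unique) -join ', '
        }
    }

'Accounts still using basic authentication:'
$legacyUsers | Format-Table -AutoSize
'Possible password-spray sources:'
$sprays | Format-Table -AutoSize
```

On the sample data, the first table lists bob (IMAP4) and the scanner mailbox (Authenticated SMTP), and the second flags 203.0.113.5 for hitting five accounts over POP3 with one failure each. Those two tables are the migration list and the block list, respectively, and the spray query is worth keeping as a scheduled detection until basic authentication is fully off.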

Long term, it's wise to stop using POP3 or IMAP with basic authentication at all. Those endpoints are used too often by attackers to brute-force their way into mail servers. Change is hard and moving to a new email platform is disruptive, but so are successful email attacks. Plan ahead now to deal with the changes coming.
