One way attackers wiggle into Microsoft Exchange Online is through accounts and clients that still have Basic Authentication enabled. Account compromise rates in tenants that have disabled legacy authentication are significantly lower than the overall rate. Microsoft has announced it will turn off Basic Authentication for Exchange Web Services (EWS) on October 13, 2020.
Last week Microsoft went one better and announced it will retire Basic Authentication for EWS, Exchange ActiveSync (EAS), IMAP, POP and Remote PowerShell (RPS) access to Exchange Online on the same date. Any application that uses OAuth 2.0 to connect over these protocols will continue to work without change or interruption. I’ve already recommended that you disable Basic Authentication to beef up security in Office 365.
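To act on that recommendation before the cut-off date, here is an added example (not from the original post) that creates an Exchange Online authentication policy blocking Basic Authentication for exactly the protocols named above, pilots it on one user, and then makes it the tenant default. It assumes the ExchangeOnlineManagement module is installed and that you connect as an Exchange administrator; the policy name and the pilot address are placeholders.

```powershell
# Added example: block Basic Authentication for EWS, EAS, IMAP, POP and
# Remote PowerShell with an Exchange Online authentication policy.
# Assumes the ExchangeOnlineManagement module; policy name and pilot
# mailbox below are placeholders, not values from the original post.

Connect-ExchangeOnline

$PolicyName = "Block Basic Auth (legacy protocols)"

# A new policy blocks Basic auth for every protocol unless the matching
# AllowBasicAuth* switch is set; the values are spelled out here so the
# intent is visible in the script and in change review.
$policyParams = @{
    Name                      = $PolicyName
    AllowBasicAuthWebServices = $false   # EWS
    AllowBasicAuthActiveSync  = $false   # EAS
    AllowBasicAuthImap        = $false   # IMAP
    AllowBasicAuthPop         = $false   # POP
    AllowBasicAuthPowershell  = $false   # Remote PowerShell (RPS)
}

if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy @policyParams
}

# Stage it on a pilot mailbox first (placeholder address) and confirm the
# Outlook app and any OAuth-capable clients still sign in.
Set-User -Identity "pilot.user@contoso.example" -AuthenticationPolicy $PolicyName

# Once the pilot is clean, apply it to everyone without an explicit policy.
# Existing sessions can take up to 24 hours to pick up the change.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Verify what is actually enforced.
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Name, AllowBasicAuth*

# List mailboxes that still carry a per-user policy other than this one,
# since a per-user assignment overrides the tenant default.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -ne $PolicyName } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Run the pilot step for long enough to catch scanners, multifunction printers and scripts that still authenticate with a password, since those are the connections the policy will silently break.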
What should you do now if you have Office 365? Start by moving users off the native email applications on Android and Apple iPhones and onto the Outlook mobile application. If you are planning a move to Office 365 away from on-premises Exchange, you should move people over to the application now. The application supports additional protocols and email platforms, so if your users receive personal email as well as firm email on their phones, you can migrate all of their email over to Outlook.
There are several ways to handle the migration. Smaller firms can send out a communication to their clients explaining how to find the application in the phone’s app store, download it, and then set up their email account in the new application. If Autodiscover is set up properly, all you need do is tell people to download the application and enter their email address and password; the application will then connect to the appropriate mail server on its own.