Just How Risky is Legacy Authentication?

Brett Winterford

Does your organization still allow users to authenticate to Office 365 or other Microsoft services using only a username and password?

If you do, you’re 53x more likely to be targeted in credential-based attacks. (No, not 53% more likely. It’s 53 times more likely.)

Many organizations (at least one in ten Microsoft customers, as of October 2021) still allow access to the M365 cloud using what Microsoft calls “Legacy Authentication”. In these requests, the client forwards the username and password with the request to the cloud service provider during sign-in. There’s no OAuth2 compatibility, which means no opportunity to apply multi-factor authentication or the rich variety of access policies designed to protect users from common credential-based attacks. 

Accounts using legacy authentication are easy pickings for attackers. Billions of stolen usernames and passwords from previous breaches are freely available on online forums (and routinely refreshed for a fee). The “point and shoot” tools to re-purpose them in credential stuffing attacks are cheap and easy to source. 

Credential stuffing is a reliable form of attack because the best of us - even when we know we shouldn’t - reuse passwords across different services.

The tools used in credential stuffing and password spray attacks are in the armoury of every category of attacker, not only those motivated by profit.

In April 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that SVR, an agency of Russia’s Foreign Intelligence Services, has been targeting M365 accounts with legacy authentication enabled using “low and slow” password spray attacks since at least 2018.

Compromised victims had:

“enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication.”

The FBI noted that this was:

“achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple’s mail client and old versions of Microsoft Outlook.”

In July 2021, Microsoft warned its customers that attackers linked to the Islamic Republic of Iran compromised ~20 organizations in credential stuffing attacks, again by targeting Office 365 tenants that allow legacy authentication. Alarmingly, these attackers appeared to have hit a success rate close to 15% (cybercrime groups are known to profit at success rates far lower than 1%).

So this year, when I was asked to provide some observations about the threat landscape for Okta’s annual Businesses At Work report, I recommended they focus on this well-known risk that continues to go unaddressed in too many places. 

My colleague Matt Shancer calculated how often Okta ThreatInsight flagged legacy authentication requests as suspicious, and compared that to requests made using modern authentication. 

ThreatInsight, for those unfamiliar, is Okta’s native capability for detecting high-volume credential-based attacks. Customers can configure ThreatInsight to block these requests before the attacker gets the chance to authenticate.

The results were emphatic. ThreatInsight detections fire far more often on requests made to M365 using legacy authentication. Adversaries specializing in high volume, credential-based attacks (“account checking” services, so to speak) are targeting these services.

This is only one measure of how often these services are targeted. We can confidently say that there is a material reduction in risk available to organizations that disable legacy authentication: while the numbers vary by industry, we found that the average reduction in the ratio of detected threats to legitimate authentications exceeds 99%.

This reduction in risk is amplified when you add the protection multifactor authentication and risk-based access policies offer your users. Academic studies have demonstrated that risk-aware MFA blocks 99.9% of automated, credential-based attacks. 

So if you’re looking to prioritise security projects proven to reduce the risk of compromise, this is an obvious one. Microsoft has (again) set a new date for when it intends to disable legacy authentication to Office 365: October 1, 2022. Every customer of Microsoft cloud services should be assessing their exposure to legacy authentication over the weeks ahead. This requires making sure modern authentication is enabled AND that legacy authentication is disabled.
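An added example, not part of the original post or of any Okta or Microsoft tooling: one way to assess exposure from exported sign-in records, and to compute the ratio of detected threats to legitimate authentications for legacy versus modern requests as described above. The protocol names are assumed to match the `clientAppUsed` values in Azure AD sign-in logs; the records and the `flagged` verdict are constructed.

```python
from collections import Counter

# Assumption: legacy-protocol names as reported in the clientAppUsed field of
# Azure AD sign-in logs; verify the list against your own tenant's data.
LEGACY_CLIENT_APPS = {name.casefold() for name in (
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
)}

# Constructed records: (user, clientAppUsed, flagged). "flagged" is a
# hypothetical verdict standing in for a high-volume attack detection.
SAMPLE_SIGNINS = (
    [("alice", "IMAP4", False), ("bob", "Exchange ActiveSync", False)]
    + [("carol", "IMAP4", True)] * 2
    + [("dave", "POP3", True), ("erin", "Authenticated SMTP", True)]
    + [("alice", "Browser", False)] * 5
    + [("bob", "Mobile Apps and Desktop clients", False)] * 3
    + [("frank", "Browser", True)]
)

def is_legacy(client_app):
    return client_app.strip().casefold() in LEGACY_CLIENT_APPS

def summarize(signins):
    """Count flagged vs. legitimate sign-ins per auth class and list the
    users whose legitimate sign-ins still depend on a legacy protocol."""
    counts = {"legacy": Counter(), "modern": Counter()}
    legacy_users = {}
    for user, app, flagged in signins:
        kind = "legacy" if is_legacy(app) else "modern"
        counts[kind]["threat" if flagged else "legit"] += 1
        if kind == "legacy" and not flagged:
            legacy_users.setdefault(user, set()).add(app)
    return counts, legacy_users

def threat_ratio(counter):
    """Detected threats per legitimate authentication (None if no legit traffic)."""
    return counter["threat"] / counter["legit"] if counter["legit"] else None

def ratio_reduction(counts):
    """Fractional drop in the threat:legit ratio from legacy to modern auth."""
    legacy, modern = threat_ratio(counts["legacy"]), threat_ratio(counts["modern"])
    if not legacy or modern is None:
        return None  # no legacy threats or no baseline to compare against
    return 1 - modern / legacy

if __name__ == "__main__":
    counts, users = summarize(SAMPLE_SIGNINS)
    print(counts, users, ratio_reduction(counts))
```

The `legacy_users` mapping is the migration list: accounts with legitimate traffic on a legacy protocol that will break when legacy authentication is disabled.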

This post is the second in a three-part series. See our first post, "Auditing your Org for Legacy Authentication".

Brett Winterford
Regional CSO, Okta APJ

Brett Winterford is the regional Chief Security Officer for Okta in the Asia Pacific and Japan. 
He advises business and technology leaders on evolving threats and helps them harness advances in identity technology to drive business outcomes and mitigate risk.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.
Brett is also an award-winning journalist, having long ago been the editor-in-chief of iTnews Australia and a contributor to ZDNet, the Australian Financial Review and the Sydney Morning Herald. Most recently, he was the founding editor of the Srsly Risky Biz newsletter, a companion to the Risky Business podcast, providing the cybersecurity, policy, defense and intelligence communities with a weekly brief of the news that shapes cyber policy.