Microsoft Exchange Online Deprecates SMTP AUTH Basic Auth

Microsoft is ushering in a major security shift for cloud email customers, with Exchange Online preparing to deprecate SMTP AUTH Basic Authentication across all tenants.

The change targets one of the oldest and weakest ways to sign in to email systems, where usernames and passwords are sent in clear form that attackers can easily steal if traffic is intercepted or credentials are reused.

For years, threat actors have abused SMTP AUTH with basic auth to brute-force passwords, run password-spraying campaigns, and hijack accounts to send phishing and spam at scale.

In response to this ongoing abuse, Microsoft researchers identified basic authentication for SMTP as a persistent weak point in many tenants, especially where legacy applications, devices, and scripts still rely on old protocols that do not support modern security controls.

Once attackers gain valid credentials for SMTP AUTH, they can send email as a trusted user, bypassing many security filters and damaging an organization’s reputation and email deliverability.

This makes deprecating basic auth not just a protocol cleanup, but a critical step in hardening cloud email.

Microsoft analysts further noted that SMTP AUTH basic sign-ins often lack strong safeguards such as multi-factor authentication (MFA) and conditional access, leaving organizations exposed even when other parts of their environment are locked down.

Because SMTP AUTH basic auth is frequently enabled “just to keep things working” for printers, line-of-business systems, and third-party tools, it has become a favorite target for attackers looking for the weakest link.

By forcing a move away from basic auth, Microsoft aims to close this long-standing security gap before more tenants suffer account takeover and downstream compromise.

Under the updated timeline, SMTP AUTH Basic Authentication will remain unchanged until December 2026, giving organizations time to discover and modernize all workflows that still depend on it.

At the end of December 2026, it will be disabled by default for existing tenants, though administrators will still be able to re-enable it temporarily while migrations complete.

For new tenants created after December 2026, SMTP AUTH Basic Authentication will be unavailable by default, with OAuth-based modern authentication as the supported method.

Infection Mechanism: How Attackers Abuse SMTP AUTH Basic

In practice, attackers treat SMTP AUTH basic auth as an easy entry point rather than a traditional malware infection path.

They commonly use automated tools to perform password spraying and credential stuffing against SMTP endpoints, trying large sets of weak or reused passwords across many accounts until one succeeds.

Once valid credentials are found, they authenticate via SMTP with basic auth and begin sending high-volume phishing or business email compromise (BEC) messages that appear to come from inside the victim’s organization.

From there, malicious mail can carry links to payloads, steal more credentials, or trick users into fraudulent payments, turning a single weak protocol into a broad compromise channel.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.