This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 12%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL5%3C/text%3E%3C/svg%3E)
We are currently experiencing a significant automated password-spraying attack on the Office 365 Exchange application targeting the accounts of two high-level employees.
The attack started at 1:36 am this morning and is still ongoing. There have been approximately 250 login attempts. The majority of the unauthorized attempts are from countries other than the US, but there are a few from within the US.
Our security protocols in place appear to be sufficient. This could go on throughout the night or even longer.
The attempted sign-ins are being blocked due to the following reasons:
We have Multi-Factor Authentication (MFA) enabled for all users via SMS and the authenticator app.
In addition, I have created a conditional access policy that blocks sign-ins from countries outside of the US. This would be an extra measure to mitigate the risk. I can also apply it specifically to Office 365 Exchange.
I have not enabled this yet, and it is not yet tested.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 43%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
Hi,@LM-5132
Thanks for posting your question in the Microsoft Q&A forum.
According to your description, two employees' Exchange accounts were attacked. Your problem is an account login problem. Exchange does not have a secure login setting, it only has a spam security policy. It is recommended that you contact Microsoft Entra ID technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 40%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
Hi,
Thanks!
Thank you for your response, Durai.
We have Multi-Factor Authentication (MFA) enabled for all users via the authenticator app.
In addition, I have created a conditional access policy that blocks sign-ins from countries outside of the US.
All the unauthorized attempts are being blocked by Microsoft and are not reaching the conditional access policies.
Are we supposed to let the unauthorized password attempts go on indefinitely? Is there nothing we can do to stop the attempts?
There have been 3000 attempts, and they continue.
The only solution I can think of is to change the UPN (User Principle Name). If I add a "1" or a "#" in front of the UPN, when the bot attempts to sign in, the username is invalid, and the password prompt is never offered. This blocks all attempts, and the user email still works normally.
Is SMTP Auth disabled in ExO? If not it should be.
Or at least disable Basic auth for SMTP submission:
Thank you,
I will look into this.
We do have a conditional access policy that blocks legacy authentication. As for your question, I will need to confirm.
Thank you
Yes, I confirmed SMTP AUTH is turned off.
Thank you