4.7 Legacy Authentication Detection

60 minutes · Module 4 · Free


Legacy authentication is basic authentication: the client sends a username and password with the request and nothing else. In Microsoft 365 it appears on the older Exchange protocols (IMAP, POP3, SMTP AUTH, Exchange ActiveSync, Autodiscover and a few others). Because there is no token exchange, there is no step at which MFA, a conditional access device check, or token protection can be applied; conditional access can only allow or block the protocol as a whole. The same protocols can also be driven with OAuth tokens (modern authentication), which is the migration target, but the sign-in logs flag the basic-auth form as legacy. For an attacker who has obtained a password through phishing, legacy authentication is a direct path to the mailbox with none of those controls in the way.

This is the single highest-impact hardening action for most organisations

Blocking legacy authentication via conditional access eliminates an entire class of credential-based attacks. If your organisation has not deployed this policy, prioritise it above almost everything else. Microsoft has since disabled basic authentication tenant-wide for most Exchange Online protocols, but SMTP AUTH was exempted and can still be enabled per tenant or per mailbox, and a conditional access policy is the control you own, can scope, and can audit in the sign-in logs. The queries in this subsection help you assess your current legacy auth usage and plan the transition.

Discover legacy authentication in your environment

Before blocking, you need to know what is using it:

// Discover legacy (basic) authentication over the last 30 days.
// ClientAppUsed carries the protocol; the values below are the common legacy ones.
// Other legacy values exist (for example "Exchange Web Services", "MAPI Over HTTP",
// "Outlook Anywhere (RPC over HTTP)"); to catch everything, filter with
// ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients") instead.
// Add "| where ResultType == 0" to count only successful sign-ins: failed legacy
// attempts are usually attackers guessing passwords, not clients you need to migrate.
SigninLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in ("Exchange ActiveSync", "IMAP4", "POP3",
    "Authenticated SMTP", "Other clients", "Autodiscover")
| summarize
    SignInCount = count(),
    Users = dcount(UserPrincipalName),
    UserList = make_set(UserPrincipalName, 10)   // capped at 10 names per protocol
    by ClientAppUsed
| sort by SignInCount desc

This shows each of the listed legacy protocols that is in use, how many sign-ins each generates, and a sample of the users behind them. Note that make_set is capped at 10 names per protocol; raise or remove the cap to get the full list of accounts that need to be migrated to modern authentication before you can block legacy auth.

Common legitimate legacy auth users

Multifunction printers (SMTP): most devices cannot do OAuth, so route them through an Exchange Online SMTP relay connector restricted by source IP or certificate, or a dedicated send connector, rather than SMTP AUTH with a mailbox password.

Older mobile devices (Exchange ActiveSync): upgrade the device or move the user to Outlook Mobile, which uses modern authentication.

Line-of-business apps (IMAP/POP3): reconfigure the app to use OAuth; if it cannot, create a narrow conditional access exclusion for that account only.

Service accounts (SMTP/IMAP): migrate to an app registration using the Graph API (or OAuth client credentials for IMAP/POP3) so the secret is a credential you can rotate and scope, not a mailbox password.

Block first, exclude the exceptions

The safest approach: create a conditional access policy that targets all users, selects the legacy client app types (Exchange ActiveSync clients and Other clients) and grants Block, then add specific exclusions for the accounts identified above. Run it in report-only mode first and review the sign-ins it would have blocked, so a forgotten device or application does not stop working the day you enforce it. Blocking by default ensures new users and new services start on modern authentication. Put the excluded accounts in a dedicated group, review it quarterly, and remove members as their legacy dependency is migrated.
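To see what the policy would block before you enforce it, and who is actually being blocked afterwards, the following query is an added example (not part of the original lesson) that reads the per-policy result Entra records in each sign-in's ConditionalAccessPolicies array. The policy display name is an assumption; substitute the name of your own policy.

```kql
// Added example: measure a block-legacy-auth conditional access policy from the sign-in logs.
// PolicyName is an assumption; set it to the display name of your policy.
let PolicyName = "Block legacy authentication";
SigninLogs
| where TimeGenerated > ago(14d)
// One row per (sign-in, policy) so we can filter on this policy's own result
| mv-expand Policy = ConditionalAccessPolicies
| where tostring(Policy.displayName) == PolicyName
| extend PolicyResult = tostring(Policy.result)
// reportOnlyFailure: would have been blocked (policy still in report-only mode)
// failure:           was blocked (policy enforced); the sign-in's ResultType is 53003
| where PolicyResult in ("reportOnlyFailure", "failure")
| summarize
    Hits      = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Apps      = make_set(ClientAppUsed),
    Countries = make_set(tostring(LocationDetails.countryOrRegion)),
    IPs       = make_set(IPAddress, 5)
    by UserPrincipalName, PolicyResult
| sort by Hits desc
```

Accounts that appear with reportOnlyFailure are the ones still on legacy auth; each needs a migration or a narrow exclusion before you switch the policy on. After enforcement, the failure rows should shrink to attackers and forgotten devices, and a single user with a large Hits count from many IPs is worth a look regardless of whether the block held.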

Detect attackers using legacy auth after credential theft

// Successful legacy-auth sign-ins in the last 7 days from a user/IP pair that has
// no successful modern-auth (browser or mobile/desktop app) sign-in in the last 30 days.
SigninLogs
| where TimeGenerated > ago(7d)
| where ClientAppUsed in ("IMAP4", "POP3", "Authenticated SMTP")
| where ResultType == 0                          // successful sign-ins only
| extend Country = tostring(LocationDetails.countryOrRegion)
| project TimeGenerated, UserPrincipalName, ClientAppUsed, IPAddress, Country
| join kind=anti (                               // anti = leftanti: keep rows with no match
    SigninLogs
    | where TimeGenerated > ago(30d)
    | where ClientAppUsed in ("Browser", "Mobile Apps and Desktop clients")
    | where ResultType == 0
    | distinct UserPrincipalName, IPAddress      // each user's known modern-auth IPs
) on UserPrincipalName, IPAddress
| sort by TimeGenerated desc

This query returns successful legacy auth sign-ins from a user/IP pair that has no successful modern authentication in the last 30 days. If a user normally signs in through a browser from London and IMAP4 access appears from an IP in Lagos, treat the credentials as compromised: the attacker has the password and is using IMAP to avoid the MFA prompt. Two caveats for triage: a legitimate user on a new IP (a mobile carrier, a hotel) will also match, so compare Country and the AutonomousSystemNumber column against the user's modern-auth history before acting; and an account that only ever uses legacy auth (a service account) will match on every sign-in, so baseline those accounts separately or exclude them explicitly.
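The query above keys on an IP the user has never used with modern auth. A complementary signal, added here as an example rather than part of the original lesson, is the pivot itself: the attacker tries a browser or app sign-in with the phished password, is stopped at the MFA challenge, and shortly afterwards succeeds over a legacy protocol from the same IP. ResultType 50074 and 50076 are the Entra error codes for an MFA challenge that was required but not completed; the one-hour window is an assumed tuning value.

```kql
// Added example (not from the original lesson): MFA stopped a modern-auth sign-in,
// then the same user/IP succeeded over a legacy protocol shortly afterwards.
let lookback = 7d;
let window   = 1h;   // assumed tuning value: how soon after the MFA stop the legacy success must occur
// Modern-auth sign-ins that reached the MFA challenge and stopped there.
// 50074 and 50076: MFA challenge required but not completed.
let MfaStopped = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ClientAppUsed in ("Browser", "Mobile Apps and Desktop clients")
    | where ResultType in ("50074", "50076")
    | project MfaTime = TimeGenerated, UserPrincipalName, IPAddress,
              ModernApp = ClientAppUsed;
// Successful legacy-auth sign-ins; these never present an MFA challenge.
let LegacySuccess = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ClientAppUsed in ("IMAP4", "POP3", "Authenticated SMTP",
                              "Exchange ActiveSync", "Other clients")
    | where ResultType == 0
    | project LegacyTime = TimeGenerated, UserPrincipalName, IPAddress,
              LegacyApp = ClientAppUsed,
              Country = tostring(LocationDetails.countryOrRegion);
// Pair each MFA stop with a legacy success from the same user and IP inside the window
MfaStopped
| join kind=inner LegacySuccess on UserPrincipalName, IPAddress
| where LegacyTime between (MfaTime .. (MfaTime + window))
| project MfaTime, LegacyTime, UserPrincipalName, IPAddress, Country, ModernApp, LegacyApp
| sort by LegacyTime desc
```

A match here is much higher fidelity than the new-IP query alone, because the same source was just refused at MFA and then got in without it. An attacker who uses different infrastructure for the two steps will not match; dropping IPAddress from the join and widening the window gives a noisier but broader version.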

Check your understanding

1. Why can an attacker with stolen credentials access email via IMAP even when MFA is required?

   a) IMAP has its own MFA system
   b) IMAP with basic authentication sends a username and password only; it has no MFA challenge flow, and conditional access cannot enforce MFA on a protocol that does not support it (it can only block the protocol)  (correct)
   c) The attacker disabled MFA

2. Your legacy auth discovery query shows 3 users with IMAP access. What should you do before blocking legacy auth?

   a) Block immediately; 3 users is not many
   b) Wait until they stop using it
   c) Identify why those 3 users need IMAP, migrate them to modern auth or create a narrow exclusion, then block for everyone else  (correct)