Archives: October 17, 2023

Microsoft Entra, check your Sign-in logs for SMTP Auth

If you’ve had your Microsoft 365 account for a while, you may have had SMTP Auth enabled by default. Most email clients no longer need SMTP Auth enabled, disabling it can also reduce your attack surface significantly. I have seen audit logs in Microsoft Entra tenants where there are relentless attacks via SMTP Auth regardless of if you have Multifactor Authentication methods setup.

You can check these by going to Microsoft Entra Admin Center selecting Users>Sign-in logs and filtering by Failure. In the columns option add “Client App” so you can see which client this failed on. If you see SMTP, you know this is being used as an attack vector.

Image showing Entra user admin page with sign-in logs screen. demonstrating how to add more columns and filter by failed requests.

You can block SMTP Auth on individual user accounts from the Microsoft 365 Admin Centre. Select Users > Active users select the user select the Mail tab and then Manage email apps.

Shows a list of email apps that can be disabled on a users account in Microsoft 365

Or if you are sure you no longer need SMTP in your organisation (ie think printers that email scans to you), you can turn off SMTP Auth for your organisation all together in the Exchange admin center under Settings > Mail flow settings. You will find “Turn off SMTP AUTH protocol for your organisation” under the Security heading.

You can read more about the Depreciation of Basic Authentication in Exchange Online here https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online


SignalR not firing all client events

This is more for my own reference, so I can come back to it later, hopefully its also helpful to others.

I saw some odd behaviour with SignalR where a client was not receiving messages from the server or would fire some client messages but not others. Refreshing the page solves it but on the first time visit to the page the problem starts again.

After a lot of debugging it appears the problem is caused by placing your SignalR client code after the connect start code in your client. So if you are using a JavaScript client, ensure you place the SignalR connection start code after all of your SignalR client code.