If you’ve had your Microsoft 365 account for a while, you may have had SMTP Auth enabled by default. Most email clients no longer need SMTP Auth enabled, disabling it can also reduce your attack surface significantly. I have seen audit logs in Microsoft Entra tenants where there are relentless attacks via SMTP Auth regardless of if you have Multifactor Authentication methods setup.

You can check these by going to Microsoft Entra Admin Center selecting Users>Sign-in logs and filtering by Failure. In the columns option add “Client App” so you can see which client this failed on. If you see SMTP, you know this is being used as an attack vector.

Image showing Entra user admin page with sign-in logs screen. demonstrating how to add more columns and filter by failed requests.

You can block SMTP Auth on individual user accounts from the Microsoft 365 Admin Centre. Select Users > Active users select the user select the Mail tab and then Manage email apps.

Shows a list of email apps that can be disabled on a users account in Microsoft 365

Or if you are sure you no longer need SMTP in your organisation (ie think printers that email scans to you), you can turn off SMTP Auth for your organisation all together in the Exchange admin center under Settings > Mail flow settings. You will find “Turn off SMTP AUTH protocol for your organisation” under the Security heading.

You can read more about the Depreciation of Basic Authentication in Exchange Online here https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online