🧟‍♂️ Legacy Authentication: The Zombie Protocol Haunting Your Network

“It’s old, insecure, and still very much alive in your environment.”

Published: April 29, 2025
Last Updated: April 30, 2025

At Ferrous Equine Technologies, one of the most common—and alarming—findings in our security assessments is the presence of legacy authentication still enabled in modern environments. It’s not just a nuisance. It’s a massive, often invisible, security gap.

Despite companies rolling out MFA, endpoint protection, and conditional access, legacy authentication allows attackers to bypass it all with a simple brute-force script or a credential dump from the dark web.

Let’s break it down.

🧠 What Is Legacy Authentication?

Legacy authentication refers to older protocols and authentication methods that pre-date modern identity protection features. These protocols were never designed to enforce:

  • Multi-Factor Authentication (MFA)

  • Conditional Access Policies

  • Real-time risk evaluation

  • Device health or compliance checks

They simply accept a username and password—full stop.

Examples of Legacy Authentication Protocols:

  • SMTP, POP3, and IMAP4 (used in email clients, scanners, etc.)

  • MAPI over HTTP (used by older Outlook clients)

  • Exchange ActiveSync (common with mobile devices)

  • Basic Auth over PowerShell

  • Remote PowerShell / WS-Management (WinRM)

  • NTLM and older Kerberos implementations in hybrid or on-prem AD environments

Many of these protocols remain enabled by default in Microsoft 365 and Exchange Online—even in environments using MFA.

🔓 Why It’s So Dangerous

❌ MFA Is Useless Against Legacy Auth

Modern MFA doesn’t apply when legacy protocols are used. A compromised username and password is all it takes. Even environments with 100% MFA coverage are still vulnerable if Basic Auth is left enabled.

🥷 Credential-Stuffing Paradise

These protocols are ideal for automated brute-force attacks. Microsoft reports that over 97% of password spray and credential stuffing attacks target legacy auth endpoints. The attacker doesn’t need a phishing campaign—they just need an unmonitored IMAP login.

🧼 Conditional Access Doesn’t Apply

Azure Conditional Access only applies to modern authentication requests. That means policies like “require compliant device,” “block legacy browsers,” or “enforce geographic restrictions” don’t apply. Legacy auth quietly sails around those gates.

📡 It’s Everywhere—Even If You Think It’s Not

Legacy protocols are often enabled to support:

  • Printers and copiers scanning to email via SMTP

  • Mobile mail apps like native iOS Mail using IMAP

  • Service accounts used by automation tools

  • Legacy applications hardcoded with basic credentials

  • Remote PowerShell connections for M365 scripts

  • Old Outlook clients (pre-Office 2016)

These get forgotten—until they get exploited.

🔍 Real-World Example: MFA Rollout Gone Wrong

During a recent client engagement, we rolled out MFA for all users in a healthcare environment. Within days, login alerts spiked—not because of MFA failure, but because attackers were still hammering legacy IMAP endpoints.

Even though users were "protected" by MFA, over 30% of accounts were still accessible through unmonitored legacy protocols. Service accounts, mobile apps, and printer SMTP were all culprits. Fortunately, we caught it. But it proved one thing: You can’t secure what you don’t see.

🛠️ How We Fix It at Ferrous Equine Technologies

We take a zero-compromise stance on legacy authentication. Here's how we help clients shut it down—safely.

Step 1: Audit Legacy Auth Usage

Using Microsoft Entra ID sign-in logs, Entra ID workbook reports, and PowerShell, we identify all legacy authentication activity across the tenant. This includes:

  • Top protocols in use (IMAP, SMTP, MAPI, etc.)

  • Accounts accessing services using basic auth

  • IP addresses and locations of origin

  • Third-party services relying on legacy connections

Step 2: Plan for Safe Decommissioning

We’ll map out which services are still dependent on legacy auth—and offer mitigation plans:

  • Migrate printers and scanners to secure relay via Exchange Online or authenticated SMTP

  • Replace or modernize service accounts

  • Upgrade any outdated clients (Outlook 2010/2013, legacy PowerShell)

  • Implement App Password reviews for hybrid users

Step 3: Block Legacy Auth with Conditional Access

Once it is safe to do so, we implement a Conditional Access policy in Entra ID that blocks all legacy authentication attempts across the tenant. In Exchange Online we also disable the legacy protocols on the mailboxes themselves, for example:

# Exchange Online PowerShell (run Connect-ExchangeOnline first).
# "<user@example.com>" is a placeholder for the mailbox being changed.
# Note: -MAPIEnabled $false also removes Outlook desktop access for this mailbox,
# so only use it where the mailbox is not used by Outlook.
Set-CASMailbox -Identity "<user@example.com>" -ImapEnabled $false -PopEnabled $false -MAPIEnabled $false -ActiveSyncEnabled $false -SmtpClientAuthenticationDisabled $true

We can also do this per user, per group, or as a blanket tenant policy, depending on your organization's size and complexity.
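A Conditional Access policy only closes the gap if it is enabled (not report-only), scoped to all users and applications, and covers both legacy client-app buckets, Exchange ActiveSync and "other clients". The following is an added example, not code from the original post or from Ferrous Equine Technologies: it models the relevant fields of a Microsoft Graph conditionalAccessPolicy object and checks which legacy client apps a set of policies would leave unblocked. The policy objects are constructed sample data, and the mapping from sign-in log clientAppUsed values to policy clientAppTypes buckets is an assumption made for illustration.

```python
"""Check whether a Conditional Access policy actually blocks legacy auth.

Added example (not the post's own code). Models the fields of a Graph
conditionalAccessPolicy: displayName, state, conditions.users,
conditions.applications, conditions.clientAppTypes and grantControls.
The sample policies are constructed; the client-app mapping is an assumption.
"""

# clientAppUsed value from the sign-in log -> clientAppTypes bucket a policy matches on.
# "Browser" and "Mobile Apps and Desktop clients" are modern auth; the rest are legacy.
# Exchange ActiveSync has its own bucket, everything else legacy falls under "other".
CLIENT_APP_TO_TYPE = {
    "Browser": "browser",
    "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
    "Exchange ActiveSync": "exchangeActiveSync",
    "IMAP4": "other",
    "POP3": "other",
    "Authenticated SMTP": "other",
    "MAPI Over HTTP": "other",
    "Exchange Web Services": "other",
    "Exchange Online PowerShell": "other",
    "Autodiscover": "other",
    "Other clients": "other",
}

LEGACY_TYPES = {"exchangeActiveSync", "other"}


def policy_applies(policy, client_app_used):
    """True if the policy is enforced, scoped to everything, and matches this client app."""
    if policy.get("state") != "enabled":  # report-only or disabled policies never block
        return False
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    if "All" not in users or "All" not in apps:  # narrower scoping counts as a gap here
        return False
    app_type = CLIENT_APP_TO_TYPE.get(client_app_used, "other")
    types = set(cond.get("clientAppTypes", []))
    return "all" in types or app_type in types


def blocks_sign_in(policy, client_app_used):
    """True if the policy applies to the sign-in and its grant control is 'block'."""
    controls = policy.get("grantControls") or {}
    return policy_applies(policy, client_app_used) and "block" in controls.get("builtInControls", [])


def legacy_auth_gaps(policies):
    """Return the legacy client apps that no policy in the list blocks."""
    legacy_apps = [a for a, t in CLIENT_APP_TO_TYPE.items() if t in LEGACY_TYPES]
    return sorted(a for a in legacy_apps if not any(blocks_sign_in(p, a) for p in policies))


def make_policy(name, client_app_types, state="enabled", control="block"):
    """Build a policy dict shaped like a Graph conditionalAccessPolicy (constructed sample)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


# Weak setting: blocks "other clients" but forgets Exchange ActiveSync.
WEAK_POLICY = make_policy("Block legacy (incomplete)", ["other"])
# Report-only: looks right in the portal but enforces nothing.
REPORT_ONLY_POLICY = make_policy("Block legacy (report-only)", ["exchangeActiveSync", "other"],
                                 state="enabledForReportingButNotEnforced")
# Corrected setting: both legacy buckets, enabled, grant control = block.
FULL_POLICY = make_policy("Block legacy authentication", ["exchangeActiveSync", "other"])

if __name__ == "__main__":
    for label, pols in [("weak", [WEAK_POLICY]), ("report-only", [REPORT_ONLY_POLICY]), ("full", [FULL_POLICY])]:
        print(f"{label}: legacy client apps left unblocked -> {legacy_auth_gaps(pols)}")
```

Running it shows the incomplete policy still leaves Exchange ActiveSync open and the report-only policy leaves every legacy protocol open; only the corrected policy returns an empty gap list.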

Step 4: Monitor and Report

Even after it’s disabled, attackers may continue trying to use legacy endpoints. We monitor for failed sign-in attempts and help your team interpret and respond to those patterns via SIEM integration or Microsoft Defender for Cloud Apps.
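The audit in Step 1 and the monitoring in Step 4 are the same job done before and after the block: classify each sign-in by the protocol it used, then summarise. Here is an added example that serves both steps; it is not code from the original post or from Ferrous Equine Technologies. It assumes a JSON export of Entra ID sign-in events carrying the fields createdDateTime, userPrincipalName, clientAppUsed, ipAddress and status.errorCode (0 meaning success), which is the shape of the Graph signIn resource. The records embedded below are constructed sample data, not real logs, and the error code used for the failed attempts is only illustrative.

```python
"""Audit and monitor legacy authentication from exported sign-in logs.

Added example (not the post's own code). Assumes a JSON export of Graph-style
signIn records; SAMPLE_SIGNINS is constructed sample data.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that mean modern authentication; anything else is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = json.dumps([  # constructed: successful sign-ins before the block
    {"createdDateTime": "2025-04-28T08:00:00Z", "userPrincipalName": "scanner@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "10.1.2.3", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-28T08:05:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-28T08:06:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.9", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-28T08:07:00Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
] + [  # constructed: after the block, one source IP failing IMAP logins against many accounts
    {"createdDateTime": f"2025-04-30T02:{i:02d}:00Z", "userPrincipalName": f"user{i}@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}}
    for i in range(12)
])


def is_legacy(event):
    """A sign-in is legacy unless its client app is one of the modern-auth values."""
    return event.get("clientAppUsed", "Other clients") not in MODERN_CLIENT_APPS


def audit_legacy_auth(raw_json):
    """Step 1: summarise successful legacy sign-ins by protocol, account and source IP."""
    events = [e for e in json.loads(raw_json) if is_legacy(e) and e["status"]["errorCode"] == 0]
    return {
        "protocols": Counter(e["clientAppUsed"] for e in events),
        "accounts": Counter(e["userPrincipalName"] for e in events),
        "source_ips": Counter(e["ipAddress"] for e in events),
    }


def failed_legacy_sprays(raw_json, window=timedelta(minutes=15), threshold=10):
    """Step 4: flag source IPs with many failed legacy sign-ins inside a time window.

    Returns {ip: (attempt_count, distinct_accounts)} for every IP over the threshold.
    """
    by_ip = defaultdict(list)
    for e in json.loads(raw_json):
        if is_legacy(e) and e["status"]["errorCode"] != 0:
            ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
            by_ip[e["ipAddress"]].append((ts, e["userPrincipalName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in attempts[start:end + 1]}
                hits[ip] = (count, len(users))
                break
    return hits


if __name__ == "__main__":
    summary = audit_legacy_auth(SAMPLE_SIGNINS)
    print("legacy protocols in use:", dict(summary["protocols"]))
    print("accounts still on legacy auth:", dict(summary["accounts"]))
    print("legacy source IPs:", dict(summary["source_ips"]))
    print("post-block spray sources:", failed_legacy_sprays(SAMPLE_SIGNINS))
```

The audit output is what drives the decommissioning plan in Step 2 (the scanner on SMTP, the mobile device on ActiveSync, the user still on IMAP), while the spray detector is the kind of rule to hand to the SIEM once the block is in place: a single IP failing against many distinct accounts over a legacy protocol is the pattern the post describes, and the threshold and window are starting points to tune.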

🔮 Looking Ahead: Microsoft Is Phasing It Out (But Not Fast Enough)

Microsoft has deprecated basic auth for Exchange Online, but only for new tenants as of October 2022. Older tenants still have it enabled unless it's been manually turned off.

Even now in 2025, many hybrid and migrated environments still run with legacy protocols enabled. If you haven’t turned it off yet—you are still exposed.

🧟‍♀️ Don’t Let Zombie Protocols Linger

Legacy authentication is like a zombie in your system—long past its expiration date, but still dangerous if left unaddressed. Just because you don’t see it, doesn’t mean it’s not creating risk.

You may have MFA, you may have Conditional Access, but if you’ve still got IMAP and SMTP Basic Auth humming in the background—you’ve got an open gate.

👋 Ready to Kill Off Legacy Auth?

Let us assess your environment and help you bury it for good.
