
SMTP authentication is blocked for RM Unify customers
Published Date : 22 Feb 2023   Last Updated : 15 Jun 2023   Content Ref: TEC9038776  





Symptoms

Since the start of 2023, RM Unify monitoring has detected an increased number of automated attempts to 'brute force' Microsoft® 365™ email accounts by repeatedly guessing the account password.

The main route used for these password-cracking attempts is the SMTP AUTH (authentication) protocol. This is a legacy email protocol used to connect older desktop/smartphone email apps to an email service like Microsoft 365 (Exchange Online) or Google Workspace, but it is increasingly being used by attackers to test thousands of user passwords in the hope of getting one right.

For example, in January 2023 alone, fewer than 3% of SMTP authentication requests were valid and successful. This equates to over five million failed attempts, which indicates bad actors (hackers) attempting 'brute force' attacks from countries such as Russia, China and Mexico. Obviously, these are not authentic requests from genuine users, and they present a very serious threat to the stability of the RM Unify platform and to our users' Microsoft 365 and Google domains, user accounts and data.



Cause

As a result of this threat, we have decided to disable support for the SMTP AUTH protocol within RM Unify. This means that where a Microsoft 365 or Google domain (e.g. stmarys.sch.uk) is federated to RM Unify, any SMTP authentication requests for a user account on that domain (e.g. scanner@stmarys.sch.uk) will be dismissed by RM Unify unless by prior agreement with us. We will cease to support SMTP authentication in its entirety from the end of August 2023.

Whilst the change is necessary, we have not taken this decision without consideration. We are aware that disabling SMTP AUTH will inconvenience some customers who use devices and services that still use SMTP authentication, such as printer monitoring software (e.g. PaperCut), scanners, printers, etc. which are configured with RM Unify-federated Microsoft 365 or Google accounts. However, maintaining the security and availability of RM Unify has to be our highest priority.

Microsoft also highly recommend disabling SMTP AUTH in your Microsoft 365 tenancy.



Procedure

Any user account on the Microsoft 365 service domain (the unfederated domain ending in '.onmicrosoft.com') will be unaffected by the RM Unify change detailed in this article. Also, any Google super admin account on the federated domain, or any account on any unfederated Google domain, will be unaffected.

Microsoft 365

Where your establishment requires SMTP AUTH via legacy applications such as scanners, printers, etc. and you have not disabled SMTP AUTH in your Microsoft tenancy, you could use a Microsoft 365 account on this service domain (e.g. scanner@stmarys.onmicrosoft.com). Given below are example steps:

  1. In the 'Microsoft 365 admin center', sign in as a global admin user.
  2. Select Users, 'Active users', 'Add a user'.
  3. Complete the user details as needed and in the Domains field, select a domain that is not federated to RM Unify. RM recommends using the Microsoft 365 service domain, which ends in '.onmicrosoft.com'.
  4. Select Next.
  5. Assign a licence as required. The account will need an Exchange Online licence if it is to be used for sending emails.
  6. Select Next, Next, 'Finish adding'.
  7. Sign in as the user you just created to confirm it can be accessed and sign out.
  8. In the affected device or app requiring SMTP authentication, re-configure the SMTP setting to use the new account created in the previous steps. Please refer to the device/app supplier's instructions on how to do this or request support from your usual support provider.

Google

Where your establishment requires SMTP AUTH via legacy applications or devices such as scanners, printers, etc., you can configure those applications/devices to use an account on an unfederated Google domain in your organisation.

Note: Google super admins on the federated domain do not get prompted to authenticate via RM Unify. However, we do not advise creating additional Google super admins on your federated domain solely to configure your applications/devices; the number of Google super admins in your domain should be kept to a minimum.

  1. Sign in to the Google Admin console as a super admin.
  2. Select 'Add a new user'.
  3. Create a user on an unfederated domain.
  4. Sign in as the user you just created to confirm it can be accessed and sign out.
  5. In the affected device or app requiring SMTP authentication, re-configure the SMTP setting to use the new account created in the previous steps. Please refer to the device/app supplier's instructions on how to do this or request support from your usual support provider.


Checks

This change will not affect anyone using supported versions of Microsoft desktop/mobile apps nor any app using Exchange ActiveSync (this includes iOS Mail, Apple Mail, Gmail app and Android Mail).

Can I check which Microsoft 365 accounts have used SMTP authentication?

Yes, the Azure Manage Portal sign-in logs can be filtered to show which accounts have used SMTP authentication in the last seven days:

  1. Sign in to Azure Manage Portal as a Microsoft 365 user with the global admin role.
  2. From the leftmost menu, select Azure Active Directory.
  3. In the menu that appears, scroll down to Monitoring and select 'Sign-in logs'.
  4. In the right-hand pane, select the 'Date:' filter.
  5. Select the desired time period and click Apply.
  6. Select 'Add filters', select 'Client app' and click Apply.
  7. Select the 'Client app:' filter.
  8. Under Legacy Authentication Clients, select SMTP and click Apply.
  9. In the search results, the User column displays the name of the Microsoft 365 user account. Select each search result for more detailed information.
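
Once the filtered sign-in logs have been downloaded, the per-account picture can be summarised offline. The following is an added example, not RM or Microsoft code: it assumes a JSON export whose records use the Microsoft Graph signIn field names (`userPrincipalName`, `clientAppUsed`, `status.errorCode`, `ipAddress`, `location.countryOrRegion`), and the sample records and the `classify` thresholds are constructed for illustration.

```python
import json
from collections import defaultdict

def _rec(upn, app, ip, code, country):
    """Build one record using Microsoft Graph signIn field names."""
    return {"userPrincipalName": upn, "clientAppUsed": app, "ipAddress": ip,
            "status": {"errorCode": code}, "location": {"countryOrRegion": country}}

# Constructed sample export: the article's example domain, documentation-range
# IPs, and error code 50126 (invalid username or password).
SAMPLE_EXPORT = json.dumps([
    _rec("scanner@stmarys.sch.uk", "Authenticated SMTP", "192.0.2.10", 0, "GB"),
    _rec("scanner@stmarys.sch.uk", "Authenticated SMTP", "192.0.2.10", 0, "GB"),
    _rec("head@stmarys.sch.uk", "Authenticated SMTP", "198.51.100.7", 50126, "RU"),
    _rec("head@stmarys.sch.uk", "Authenticated SMTP", "203.0.113.9", 50126, "CN"),
    _rec("head@stmarys.sch.uk", "Authenticated SMTP", "203.0.113.44", 50126, "MX"),
    _rec("head@stmarys.sch.uk", "Browser", "192.0.2.20", 0, "GB"),  # not SMTP
])

def summarise_smtp_signins(export_text):
    """Return {account: counts} for sign-ins whose client app is SMTP."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "ips": set(), "countries": set()})
    for rec in json.loads(export_text):
        # Substring match covers both "SMTP" and "Authenticated SMTP" labels.
        if "smtp" not in (rec.get("clientAppUsed") or "").lower():
            continue
        row = summary[(rec.get("userPrincipalName") or "unknown").lower()]
        # errorCode 0 is a successful sign-in; any other value is a failure.
        ok = (rec.get("status") or {}).get("errorCode") == 0
        row["ok" if ok else "failed"] += 1
        if rec.get("ipAddress"):
            row["ips"].add(rec["ipAddress"])
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country:
            row["countries"].add(country)
    return dict(summary)

def classify(row, min_failures=3):
    """Triage heuristic (an assumption of this example, not an RM rule)."""
    if row["ok"]:
        # Successful SMTP AUTH: a device or app that needs re-configuring.
        return "in-use-and-targeted" if row["failed"] >= min_failures else "in-use"
    return "targeted" if row["failed"] >= min_failures else "review"

if __name__ == "__main__":
    for account, row in sorted(summarise_smtp_signins(SAMPLE_EXPORT).items()):
        print(account, classify(row), row["ok"], row["failed"], sorted(row["countries"]))
```

Accounts reported as in-use are the ones whose devices or apps need moving to an unfederated account; accounts that only ever fail from many addresses are guessing targets rather than real SMTP users.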

Note: It is not currently possible to find similar information for user accounts in Google Workspace.



Possible Issues

Microsoft 365

If you decide to disable SMTP AUTH in your Microsoft 365 tenancy, or it has SMTP AUTH disabled already, please see Options 2 and 3 in the following Microsoft article for alternatives for setting up multifunction devices or applications:

How to set up a multifunction device or application to send email using Microsoft 365 or Office 365


Google
If you wish to set up a device or application to send an email via Google Workspace, you have a number of options as per this Google article. Please contact Google Support directly for any specific queries or issues regarding SMTP AUTH.





Document Keywords: TEC9038776 SMTP authentication is blocked for RM Unify customers, auth, relay, hacking, hacked, brute force, unify

