If you’re still allowing legacy authentication protocols like IMAP or POP3, you’re handing attackers a bypass around your MFA. It’s like putting up a reinforced steel door but leaving a side window wide open. I’ve seen too many sophisticated phishing campaigns succeed simply because an organization overlooked this basic hardening.
The problem is simple: these older protocols were never designed with modern security in mind. They have no concept of MFA, so a valid username and password alone is enough to get in. This isn’t theoretical; it’s a common initial access vector for credential stuffing and brute-force attacks.
The fix? Turn them off. Immediately. For Azure AD, you’re looking at configuring authentication policies to block these protocols. Specifically, set up an Azure AD Conditional Access policy targeting “Legacy authentication clients” and apply the “Block access” control. This is a critical control, not an optional one.
This is a fundamental security hygiene step. If you’re not doing this, you’re leaving a massive attack surface exposed. Don’t wait for the breach.
The fix
# Create Conditional Access policy to block legacy auth:
# Entra ID → Conditional Access → New Policy
# Conditions → Client apps → Select "Exchange ActiveSync" + "Other clients"
# Grant → Block access
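As an added example (not code from the original post), a Python triage script: it flags legacy-auth sign-ins in Entra ID sign-in log records, so you can see who still depends on these protocols before you block them, and builds the Microsoft Graph Conditional Access policy body for the steps above. The sign-in records and user names are constructed sample data; the Graph property names and clientAppUsed values are the ones Microsoft documents.

```python
"""Triage Entra ID sign-in logs for legacy auth, then build the block policy body.
Sample records are constructed, shaped like the Graph `signIn` resource (fields used only)."""
from collections import defaultdict

# clientAppUsed values Entra ID reports for legacy (basic) auth; Conditional Access
# matches them with the "Exchange ActiveSync" and "Other clients" client-app conditions.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3", "Reporting Web Services", "SMTP",
}

SAMPLE_SIGNINS = [  # constructed: errorCode 0 = success, 50126 = invalid password
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scan@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scan@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
]

def legacy_auth_summary(signins, successful=True):
    """Return {upn: {clientAppUsed: count}} for legacy-auth sign-ins.
    successful=True: who still depends on these protocols and breaks when blocked (migrate
    first); successful=False: password guessing aimed at the MFA bypass the post describes."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec in signins:
        ok = rec.get("status", {}).get("errorCode") == 0
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS and ok == successful:
            summary[rec["userPrincipalName"]][rec["clientAppUsed"]] += 1
    return {upn: dict(apps) for upn, apps in summary.items()}

def block_legacy_auth_policy(report_only=True, exclude_users=()):
    """Microsoft Graph conditionalAccessPolicy body for the policy the post describes.
    Deploy in report-only first, review the sign-in log, then switch to enabled."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    print(legacy_auth_summary(SAMPLE_SIGNINS))
    print(legacy_auth_summary(SAMPLE_SIGNINS, successful=False))
```

Against real data, feed the script the `value` array from `GET /auditLogs/signIns` and POST the policy body to `/identity/conditionalAccess/policies`; keep it in report-only until the summary is empty or every remaining account has been migrated.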
Reference: CIS Azure Foundations Benchmark 1.1.3