Last updated on March 26, 2024
If you are using Microsoft Exchange as an email platform in your enterprise and Microsoft Outlook Web App (OWA) as a way for your employees to access emails and calendars, this article will show you how to protect Microsoft Exchange and Outlook Web App logins.
How Do Hackers Hack Exchange and Outlook Web App?
While Outlook Web Access (OWA) might be a convenient solution for your employees, it also introduces additional security risks to your Exchange Server and IT infrastructure. Hackers may try to gain a foothold in your corporate network through the OWA interface. Once they have done that, they have an easy way onto the rest of your resources.
The most common way of hacking the Outlook Web App (OWA) is by guessing or breaking the password. Brute-force attacks involve the hacker trying every possible combination of characters as the user’s password until there is a match. Sometimes hackers only try the most common character combinations, which narrows down the number of passwords they have to try.
How Do Hackers Obtain Exchange and Outlook Web App User Emails?
To even begin thinking about brute-forcing an OWA account, a hacker must first get the account’s email address. Unfortunately, this is easier than you may think. Corporate email addresses are easy to find on the internet. Before conducting an attack, hackers usually scan internet blog posts, corporate websites, social media, and other websites in search of email addresses to run brute-force attacks against. Hackers can also use various forms of social engineering to get the email addresses of employees in a company.
How to protect Microsoft Exchange and Outlook Web App logins
1. Introduce a Strong Password Policy
2. Enable an Account Lockout Mechanism
3. Enable CAPTCHA
4. Enforce Geoblocking
5. Require a VPN
6. Enforce Multi-Factor Authentication (MFA) for OWA
1. Introduce a Strong Password Policy
Most attacks target passwords. So, it makes sense to ensure all passwords your employees use are strong enough to dissuade hackers from targeting your company. When challenged with strong passwords, most hackers just give up and start looking for an easier target.
A strong password goes a long way, but what makes a password strong?
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce that develops technology standards and cybersecurity best practices. NIST Special Publication 800-63B is mandatory for federal agencies that must meet its regulatory compliance requirements, but NIST SP 800-63B is also a well-regarded set of cybersecurity guidelines that can benefit every organization, including yours.
Essential NIST password guidelines:
- At least 8 characters long but no longer than 64 characters if chosen by the user.
- No complexity requirements.
- No password expiration period.
- Restriction on repetitive and sequential characters in the password, such as 1234, qwerty, and pppp.
- Restriction on commonly used, compromised, context-specific, and dictionary words.
- Limit consecutive failed authentication attempts on an account.
- Enable Multi-Factor Authentication (MFA)
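A password checker that applies the NIST rules listed above (length, repetitive and sequential runs, blocklisted and context-specific words), added here as an example and not code from the original article or from Rublon. The blocklist, keyboard rows and context terms are constructed samples; the lockout and MFA items are enforced outside the password check.

```python
import re

# Constructed sample lists; a real deployment would use a breached-password
# corpus and the organization's own context terms (company name, product names).
COMMON_PASSWORDS = {"password", "letmein", "welcome1", "summer2024"}
CONTEXT_TERMS = {"contoso", "owa", "exchange"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_sequential_run(pw, length=4):
    """True if `length` consecutive chars ascend or descend by one code point (e.g. 1234, dcba)."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length].lower()
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_repeated_run(pw, length=4):
    """True if one character repeats `length` or more times in a row (e.g. pppp)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None

def has_keyboard_run(pw, length=4):
    """True if `length` adjacent keys from one keyboard row appear in order, either direction (e.g. qwerty)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in low or seg[::-1] in low:
                return True
    return False

def check_password(pw, username=""):
    """Return the list of NIST SP 800-63B rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    if has_repeated_run(pw) or has_sequential_run(pw) or has_keyboard_run(pw):
        problems.append("contains a repetitive or sequential run")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("matches a commonly used or compromised password")
    context = CONTEXT_TERMS | ({username.lower()} if username else set())
    if any(term in low for term in context):
        problems.append("contains a context-specific word")
    return problems
```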
2. Enable an Account Lockout Mechanism
An account lockout mechanism is a simple strategy for blocking brute-force attacks on Outlook Web App and Microsoft Exchange. After a defined number of incorrect password attempts is made, further access to the account is blocked for a defined length of time. Account lockouts can last a specific duration or require manual unlocking by an administrator.
While account lockout can indeed stop a brute-force attack, it can also encourage hackers to conduct a Denial of Service (DoS) attack. A DoS attack involves hackers deliberately triggering the lockout mechanism on many accounts so that users cannot access their accounts. This wreaks havoc in the organization, stops the employees’ work, and floods the help desk with tickets from annoyed employees. Hackers will not get into your employees’ accounts, but neither will the employees.
Hackers can use a Denial of Service attack to create chaos and sabotage your employees’ productivity. But hackers can also use a DoS attack as a smokescreen before a more severe cyberattack on Outlook Web App (OWA). That attack is expected to be more effective while your company is still dealing with the consequences of the DoS attack.
One solution that limits the hassle of constantly unlocking legitimate user accounts is to add conditions to the account lockout, so that a lockout is triggered only when additional conditions are met. For example, block an Outlook Web App (OWA) account only after multiple failed logins with different usernames have been made from the same IP address, or after multiple failed login attempts for a single account have come from many different IP addresses.
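The two conditional-lockout rules just described, implemented over failed-logon records as an added example (not code from the original article or from Rublon). The log lines are constructed samples in a simplified "timestamp source_ip username FAIL" form; a real deployment would read IIS logs or Windows Security events instead, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample failed-logon lines (documentation IP ranges, made-up usernames).
SAMPLE_LOG = """\
2024-03-26T09:00:01 203.0.113.7 alice FAIL
2024-03-26T09:00:02 203.0.113.7 bob FAIL
2024-03-26T09:00:03 203.0.113.7 carol FAIL
2024-03-26T09:00:04 203.0.113.7 dave FAIL
2024-03-26T09:00:05 203.0.113.7 erin FAIL
2024-03-26T09:01:10 198.51.100.1 frank FAIL
2024-03-26T09:01:11 198.51.100.2 frank FAIL
2024-03-26T09:01:12 198.51.100.3 frank FAIL
2024-03-26T09:01:13 198.51.100.4 frank FAIL
2024-03-26T09:05:00 192.0.2.50 grace FAIL
2024-03-26T09:05:30 192.0.2.50 grace FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) FAIL$")

def parse_failures(text):
    """Yield (timestamp, source_ip, username) for each failed-logon line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def evaluate_lockout_conditions(text, max_users_per_ip=4, max_ips_per_user=3):
    """Apply the two conditional rules from the text (thresholds are assumed values):
    - one source IP failing against at least `max_users_per_ip` distinct accounts is blocked;
    - one account failing from at least `max_ips_per_user` distinct IPs is locked.
    A user who simply mistypes a password a couple of times (grace) triggers neither rule,
    which is what keeps the help desk free of needless unlock tickets."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for _ts, ip, user in parse_failures(text):
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    block_ips = sorted(ip for ip, users in users_by_ip.items() if len(users) >= max_users_per_ip)
    lock_users = sorted(u for u, ips in ips_by_user.items() if len(ips) >= max_ips_per_user)
    return {"block_ips": block_ips, "lock_accounts": lock_users}
```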
3. Enable CAPTCHA
Most brute-force attacks are automated. This means hackers use bots that automatically try different password combinations on the OWA and ECP login pages. You can add a CAPTCHA to your Outlook Web App login pages to thwart automated login attempts.
One thing to keep in mind is that adding CAPTCHA may negatively impact your employees’ user experience. After all, CAPTCHA is another thing an employee has to complete on the login page. To counteract this, configure CAPTCHA to appear only after two or more failed login attempts have been made.
4. Enforce Geoblocking
Cyberattacks often come from specific geographical regions. So, you can use a geoblocker to prevent users from a particular area, country, or IP range from accessing Outlook Web App. If your company operates in a limited number of countries, you can permit access from only those countries and block login attempts from all other regions.
5. Require a VPN
A popular strategy for organizations that run Exchange Server on-premises is to require users to be on the corporate network to access Microsoft Exchange and Outlook on the web. This is especially important now that many people work from home and connect to Outlook over the public internet.
A VPN is another line of defense that stops hackers from even reaching the OWA login page. If hackers cannot reach the Outlook login page, they cannot brute-force or DoS your on-premises Outlook Web App.
So, it is a good idea to require users to connect to the corporate network over a VPN before they can access your on-premises Microsoft Exchange Outlook Web App. To further bolster your security posture, you can enable Multi-Factor Authentication (MFA) on the VPN connection and on OWA/ECP logins.
6. Enforce Multi-Factor Authentication (MFA) for OWA
No matter how good your password is, it can be broken one way or another. While proper password hygiene is important, hackers may break your password even if you adhere to all the best practices. Even if it is not mandatory in your industry, we strongly recommend you enforce Multi-Factor Authentication (MFA) for all users in your organization. MFA can prevent 99.9 percent of attacks on your accounts.
Conforming to a certain set of strong security standards, including the deployment of MFA, will reinforce your workforce and secure your assets for years. Cloud apps, VPNs, Remote Desktop Services, Linux SSH – nowadays, you can enable MFA on most services. And you should.
How Rublon MFA Can Help Protect Outlook Web App Logins
Rublon Multi-Factor Authentication (MFA) is a security solution that enables organizations to protect access to networks, servers, and applications. You can deploy Rublon in your corporate infrastructure by enabling robust Adaptive MFA for all your VPNs, cloud and on-premises apps, and Microsoft products, including Remote Desktop Services (RDS) and Microsoft Exchange Outlook Web App (OWA).
Rublon’s MFA for Outlook Web App (OWA) is a powerful security solution that you can use to protect Outlook Web App (OWA) and Exchange Control Panel (ECP) logins via multiple strong authentication methods, including WebAuthn/U2F/YubiKey OTP Security Key, Mobile Passcode (TOTP), and Mobile Push.
Sign Up For a Free Rublon Trial
Start a Free 30-Day Rublon Trial
Conclusion of How to Protect Outlook Web App and Exchange Logins
Hackers can easily obtain your employees’ OWA email addresses and perform a brute-force attack. So, you need a strong set of safeguards to prevent attacks on Microsoft Exchange and the Outlook Web App. You can enforce a strong password policy, enable account lockout, enforce CAPTCHA, and enable geoblocking. But the best line of defense against Outlook Web App hacking attempts is Multi-Factor Authentication. Rublon MFA for Outlook Web App (OWA) is the best security mechanism to protect your Outlook Web App and Exchange logins.