Advisory: Legacy email protocols vulnerability

We recommend you disable the protocols mentioned in your email.

We've emailed you because we've found you're using legacy email authentication (also known as basic authentication) on your system. Whilst legacy protocols are still available for use, they can allow attackers to gain access to your systems. 

Advisory: Legacy email protocols vulnerability

Why are we getting in touch?

We strongly recommend that you disable the servers mentioned in your email if there is no strict business need for them.

Legacy email protocols don’t support crucial security controls like multifactor authentication. They lead to a greater chance of an attacker being able to carry out malicious activity if your organisation is targeted. This is based on a large number of CFC cyber claims and Microsoft’s statistics.

shield with servers
How can I secure my system?

How can I secure my system?

How you should mitigate the risk of enabled legacy protocols depends on whether you are using Exchange Online and a hybrid (Azure) environment or whether you are still strictly using Exchange on-premises.

If you are using Azure, we recommend following Microsoft’s guidance at

Microsoft also has some helpful guidance that we recommend for users of Exchange on-premises at

Unsure? Get in touch with our support team

Questions you might have

How did you detect that our organisation is supporting these protocols?

To test the presence of these protocols, we simulate the first stages of a connection over any of the protocols. As soon as a response indicating whether these protocols are supported or not is received, the connection is immediately dropped. No attempt to supply credentials ever occurs, and we have taken care to ensure this will not cause negative effects on the server we are testing.

What happens if I do not turn off legacy authentication protocols?

CFC’s claims data shows that customers who continue to support legacy email protocols on their email infrastructure are at a significantly heightened risk of a variety of successful attacks against their organisation. Even if security controls like multifactor authentication are in place, these can be bypassed and are therefore ineffective.

Our organisation does not own, control or manage this server. How did you associate it with my organisation?

By working with our data science team, we can establish IPs and domains that may be under the control of our clients. Whilst these have been shown to be highly accurate methodologies, it is likely there are some incorrect attributions. If you feel this is the case, please let us know and we can correct our records accordingly.