In an “it’s about time” type of move, Microsoft is disabling Basic authentication across the board for Exchange Online tenants on October 1st, 2022. According to Bleeping Computer, Microsoft is doing this to improve the security of the platform by forcing clients to use modern authentication mechanisms such as OAuth 2.0. (SMTP AUTH is the one protocol left out of the cut-off, so anything still submitting mail with a plain username and password needs its own plan.)
Given the recent PR disaster that Guardicore created for Microsoft when they showed that Outlook and other clients implementing the Autodiscover protocol were leaking credentials to attacker-registrable autodiscover.<tld> domains, it is not a surprise Microsoft wants to improve its image a bit. While I don’t know that this move should absolve them for the ease with which this data has been leaking all over the internet for years, it is at least a step in the right direction. MFA and modern authentication mechanisms should be the default now, not the exception. A username and password alone are no longer good enough for any web service. Passing them back and forth to a server with Basic authentication makes the account security problem that much worse: every request carries the credentials themselves, not a revocable, scoped token, and there is no place in the exchange for a second factor, so a single phished or leaked password is the whole account.
I can only hope that Exchange Online tenants don’t go and start enabling these old insecure authentication methods again after October 1st.
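As an added example that is not part of the original post, here is how an Exchange Online administrator can verify, and enforce ahead of the deadline, that Basic authentication is blocked for their own tenant. It uses the Exchange Online authentication-policy cmdlets from the ExchangeOnlineManagement module and assumes an account with Exchange administrator rights; the policy name `Block Basic Auth` is an arbitrary choice for this example.

```powershell
# Added example (not from the original post): confirm that Basic authentication
# is blocked in an Exchange Online tenant, and block it where it is not.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$PolicyName = 'Block Basic Auth'   # hypothetical policy name chosen for this example

# A freshly created authentication policy blocks Basic auth for every protocol:
# all of its AllowBasicAuth* switches default to $false.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# Make it the tenant default so new and unassigned mailboxes are covered too.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Assign it explicitly to every existing user mailbox. Resetting the token
# validity timestamp makes the policy take effect immediately instead of
# waiting for the usual propagation delay.
Get-User -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    ForEach-Object {
        Set-User -Identity $_.Identity -AuthenticationPolicy $PolicyName
        Set-User -Identity $_.Identity -STSRefreshTokensValidFrom (Get-Date)
    }

# Audit: any policy that still allows Basic auth on at least one protocol,
# and the users currently assigned to such a policy.
$permissive = Get-AuthenticationPolicy | Where-Object {
    $policy = $_
    ($policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true }).Count -gt 0
}

if ($permissive) {
    Write-Warning 'Policies that still permit Basic auth on at least one protocol:'
    $permissive | Format-List Name, AllowBasicAuth*

    # Assumption: the user's AuthenticationPolicy property carries the policy name.
    Get-User -ResultSize Unlimited |
        Where-Object { $_.AuthenticationPolicy -and ($permissive.Name -contains $_.AuthenticationPolicy) } |
        Select-Object UserPrincipalName, AuthenticationPolicy
} else {
    Write-Output 'No authentication policy in this tenant allows Basic authentication.'
}
```

Run the audit portion on its own after October 1st as well: the policy objects are the place a well-meaning administrator would flip a protocol back on, and the `AllowBasicAuth*` switches are where that change would show up.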