I need to verify this in another tenant, but I’ve always assumed as per the docs that if an authentication policy is not set on a mailbox, that it assumes the policy that is set as the default org policy. However, I’ve just had a user being password sprayed from the usual countries via SMTP, evidenced in the sign-in logs (lots of ‘failed’ entries). The users auth policy was null. I then set the auth policy to the ‘default’ (which was already set as the default in the org settings) and this appears to have stopped the SMTP sign-in attempts. Can anyone verify this? Has there been a change to the behaviour? Any insights appreciated.

​I need to verify this in another tenant, but I’ve always assumed as per the docs that if an authentication policy is not set on a mailbox, that it assumes the policy that is set as the default org policy. However, I’ve just had a user being password sprayed from the usual countries via SMTP, evidenced in the sign-in logs (lots of ‘failed’ entries). The users auth policy was null. I then set the auth policy to the ‘default’ (which was already set as the default in the org settings) and this appears to have stopped the SMTP sign-in attempts. Can anyone verify this? Has there been a change to the behaviour? Any insights appreciated.  Read More

​