Hackers Bypassing Multi-Factor Authentication Using IMAP


The email security company Proofpoint recently concluded a six-month study of attacks that combine legacy mail protocols with credential dumps to make brute-force attacks more efficient.  Because legacy protocols such as IMAP authenticate with only a username and password and never present a second-factor challenge, these attacks can succeed even where multi-factor authentication (MFA) is enforced.  From the Proofpoint report:

“Proofpoint analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and found that:

  • 72% of tenants were targeted at least once by threat actors 
  • 40% of tenants had at least one compromised account in their environment 
  • Over 2% of active user-accounts were targeted by malicious actors
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers”

The most widely abused protocol in these attacks is IMAP.  The current version, IMAP4rev1, was defined by RFC 3501 in March 2003 and predates modern authentication: an IMAP client logs in with a username and password, and a basic-authentication login is never challenged for a second factor, so a valid password is enough regardless of MFA.  Attackers also spread their attempts across many accounts and many source addresses, so each account sees only one or two failures.  Lockout thresholds are never reached, and in the logs the activity looks like isolated failed logins rather than a single brute-force campaign.

The Proofpoint study shows threat actors using a broad array of techniques, including brute force, credential dumps, and phishing, to compromise cloud accounts at scale.  Service accounts and shared mailboxes were the most exposed, since they frequently cannot use MFA at all, and MFA on its own did not stop the attacks because legacy-protocol logins bypass it entirely.
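The "isolated failed logins" pattern above is what makes these sprays hard to see per account and easy to see per source address.  The following is an added example, not from the original post or from Proofpoint: a PowerShell function that runs over a few constructed sign-in records (the field names Time, User, SourceIp, Protocol and Success are assumptions standing in for an exported sign-in log, as are the protocol labels) and flags any source address that tried several distinct accounts over a legacy protocol while keeping the failure count per account low.

```powershell
# Added example (not part of the original post): surface a low-and-slow
# IMAP password spray. Per-account lockout never fires because each account
# sees only one or two failures; grouping by source IP and protocol does.

# Constructed sample records. Field names and protocol labels are assumptions,
# not a real product's log schema.
$signIns = @(
    [pscustomobject]@{ Time='2019-03-12T02:01:10Z'; User='alice@example.com';     SourceIp='203.0.113.7';   Protocol='IMAP4';   Success=$false }
    [pscustomobject]@{ Time='2019-03-12T02:04:55Z'; User='bob@example.com';       SourceIp='203.0.113.7';   Protocol='IMAP4';   Success=$false }
    [pscustomobject]@{ Time='2019-03-12T02:09:31Z'; User='carol@example.com';     SourceIp='203.0.113.7';   Protocol='IMAP4';   Success=$false }
    [pscustomobject]@{ Time='2019-03-12T02:13:02Z'; User='shared-hr@example.com'; SourceIp='203.0.113.7';   Protocol='IMAP4';   Success=$true  }
    [pscustomobject]@{ Time='2019-03-12T02:15:40Z'; User='dave@example.com';      SourceIp='203.0.113.7';   Protocol='IMAP4';   Success=$false }
    [pscustomobject]@{ Time='2019-03-12T08:30:00Z'; User='alice@example.com';     SourceIp='198.51.100.20'; Protocol='Browser'; Success=$true  }
    [pscustomobject]@{ Time='2019-03-12T08:31:12Z'; User='alice@example.com';     SourceIp='198.51.100.20'; Protocol='Browser'; Success=$false }
)

function Find-LegacyProtocolSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # A single source trying this many distinct accounts is a spray, not a typo.
        [int] $MinDistinctUsers = 3,
        # Protocols that authenticate with username/password only (labels are assumptions).
        [string[]] $LegacyProtocols = @('IMAP4', 'POP3', 'Authenticated SMTP')
    )

    $Records |
        Where-Object { $LegacyProtocols -contains $_.Protocol } |
        Group-Object -Property SourceIp |
        ForEach-Object {
            $users    = @($_.Group | Select-Object -ExpandProperty User -Unique)
            $failures = @($_.Group | Where-Object { -not $_.Success })
            $hits     = @($_.Group | Where-Object { $_.Success })

            if ($users.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    SourceIp         = $_.Name
                    DistinctUsers    = $users.Count
                    FailedLogins     = $failures.Count
                    # Well below any lockout threshold: the attacker's whole point.
                    FailuresPerUser  = [math]::Round($failures.Count / $users.Count, 2)
                    # Accounts the spray actually got into; shared mailboxes show up here.
                    CompromisedUsers = (($hits | Select-Object -ExpandProperty User -Unique) -join ', ')
                }
            }
        }
}

Find-LegacyProtocolSpray -Records $signIns | Format-Table -AutoSize
```

On the sample data the browser logins from 198.51.100.20 are ignored and 203.0.113.7 is reported with five distinct users, four failures (0.8 per user) and one compromised account, the shared mailbox.  Against a real export, feed the function the rows from your sign-in or unified audit log after mapping the column names, and tune MinDistinctUsers to your tenant's size.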

To combat these threats, organizations need a layered approach: monitoring of sign-in and audit logs, user education, and regular review against best practice.  A key part of the response is to disable legacy protocols wherever possible.  In Office 365 this is done in two parts:

  • Disabling POP and IMAP for current mailboxes
  • Disabling POP and IMAP for future mailboxes

Both tasks can be accomplished with PowerShell connected to Exchange Online (Connect-ExchangeOnline from the ExchangeOnlineManagement module).  Note that this covers POP and IMAP, the protocols Proofpoint saw abused most; other basic-authentication paths such as SMTP AUTH and Exchange Web Services need to be addressed separately.

To disable POP and IMAP for all current mailboxes

# -ResultSize Unlimited is required because Get-CASMailbox returns only the first 1000 mailboxes by default.
# The calculated Identity property passes the primary SMTP address so Set-CASMailbox receives an unambiguous identity.
Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' | Select-Object @{n = "Identity"; e = {$_.PrimarySmtpAddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

To disable POP and IMAP for all future mailboxes

# Mailbox plans are the templates new mailboxes are created from, so this changes the default for future mailboxes.
Get-CASMailboxPlan -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
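The two one-liners above change everything at once.  As an added example (my own, not from the original post), here is the same two-part procedure wrapped as a script that first inventories which mailboxes still have POP or IMAP enabled, broken down by mailbox type so shared mailboxes and service accounts stand out, then applies the change only when run with -Apply, and finally verifies that nothing was left enabled.  It assumes the ExchangeOnlineManagement module and an account holding the Exchange administrator role; the -Apply switch and the $ReportPath default are assumptions for illustration.

```powershell
# Added example (not part of the original post): audit, then disable, POP and
# IMAP in Exchange Online with a dry run first and a verification pass after.
# Assumes the ExchangeOnlineManagement module; -Apply and $ReportPath are
# illustrative choices, not anything the original post prescribes.
param(
    [switch] $Apply,
    [string] $ReportPath = '.\legacy-protocol-report.csv'
)

Connect-ExchangeOnline

# 1. Inventory. -ResultSize Unlimited matters: the default returns only 1000 results.
$enabled = Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled

# Tag each hit with its mailbox type. Shared mailboxes and service accounts
# deserve a closer look because the study found them to be the most exposed.
$report = foreach ($cas in $enabled) {
    $mbx = Get-Mailbox -Identity $cas.PrimarySmtpAddress
    [pscustomobject]@{
        Mailbox     = $cas.PrimarySmtpAddress
        Type        = $mbx.RecipientTypeDetails   # UserMailbox, SharedMailbox, ...
        ImapEnabled = $cas.ImapEnabled
        PopEnabled  = $cas.PopEnabled
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object -Property Type | Select-Object Name, Count | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Dry run: $(@($report).Count) mailboxes would be changed (see $ReportPath). Re-run with -Apply to disable POP/IMAP."
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

# 2. Existing mailboxes: pass the primary SMTP address so the identity is unambiguous.
$report | ForEach-Object {
    Set-CASMailbox -Identity $_.Mailbox -ImapEnabled $false -PopEnabled $false
}

# 3. Future mailboxes: change the plans that new mailboxes are created from.
Get-CASMailboxPlan -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 4. Verify. Anything still enabled is a finding, not a success.
$remaining = @(Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true')
if ($remaining.Count -eq 0) {
    Write-Host 'POP and IMAP are disabled on all mailboxes and mailbox plans.'
} else {
    Write-Warning "$($remaining.Count) mailboxes still have POP or IMAP enabled:"
    $remaining | Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Apply to get the CSV and the per-type counts, check with the owners of any shared mailbox or service account that genuinely needs IMAP (those are the exceptions that must be documented and watched, not silently skipped), and then run it with -Apply.  The verification step is there because a mailbox created between the inventory and the change, or one excluded by a licensing quirk, will otherwise be missed.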
