Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
March 20, 2019
Attackers are exploiting IMAP to bypass MFA on Office 365, G Suite accounts

Where possible, and especially for important accounts such as Office 365 and G Suite accounts, the prevailing advice for users is to enable two-factor authentication. Unfortunately, that security measure does not stop some attackers who engage in password-spraying attacks.

During a six-month study of major cloud service tenants, Proofpoint researchers have found that approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, and roughly 25% of them experienced a successful breach as a result.

How does it happen?

IMAP (Internet Message Access Protocol) is a legacy authentication protocol that makes it possible for an account to be accessed from multiple devices. It is often used by desktop email clients to retrieve email from the email server. Alas, IMAP does not support multi-factor authentication.

IMAP support is “on” by default on Office 365 and G Suite, and attackers are banking on the fact that administrators leave IMAP on to make life easier for users and themselves.

Password-spraying attacks are performed by taking a large number of usernames and trying a single password against each of them. Unlike brute-force attacks (one username, many password variations), password-spraying attacks avoid triggering account lock-outs and the alarms that come with them, because each attempt looks like an isolated failed login.

And, by using common variations of the usernames and passwords exposed in large credential dumps, password-spraying attackers have become even more successful.

IMAP-based password-spraying

“IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019. These attacks especially target high-value users such as executives and their administrative assistants,” the researchers shared.

“Attackers utilized thousands of hijacked network devices around the world – primarily vulnerable routers and servers – as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period.”

According to their findings, the education sector appears to be the most vulnerable to these attacks.

“70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks,” they noted.

“Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily-compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extends far beyond educational institutions.”

Administrators are advised to consider disabling IMAP and other legacy protocols for their domain, if possible. If not, they should be on the lookout for password-spraying attempts.
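The spray signature described above (one source, many usernames, few failures per account, legacy protocol) is what a defender would look for in sign-in logs. The following detector is an added example, not code from the article or from Proofpoint; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict
# Constructed sample sign-in log (not from the article). Assumed format:
# timestamp source_ip username protocol result
SAMPLE_LOG = """\
2019-02-01T08:00:01Z 203.0.113.5 alice@example.edu IMAP FAIL
2019-02-01T08:00:03Z 203.0.113.5 bob@example.edu IMAP FAIL
2019-02-01T08:00:05Z 203.0.113.5 carol@example.edu IMAP FAIL
2019-02-01T08:00:07Z 203.0.113.5 dave@example.edu IMAP FAIL
2019-02-01T08:00:09Z 203.0.113.5 erin@example.edu IMAP FAIL
2019-02-01T08:00:11Z 203.0.113.5 frank@example.edu IMAP SUCCESS
2019-02-01T08:01:00Z 198.51.100.9 alice@example.edu IMAP FAIL
2019-02-01T08:01:01Z 198.51.100.9 alice@example.edu IMAP FAIL
2019-02-01T08:01:02Z 198.51.100.9 alice@example.edu IMAP FAIL
2019-02-01T08:01:03Z 198.51.100.9 alice@example.edu IMAP FAIL
2019-02-01T08:05:00Z 192.0.2.20 gina@example.edu MODERN SUCCESS
"""

# Protocols that only carry legacy (basic) authentication, so MFA cannot apply.
LEGACY_PROTOCOLS = {"IMAP", "POP3"}


def parse_line(line):
    ts, ip, user, proto, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "proto": proto, "result": result}


def find_sprays(log_text, min_users=5, max_fail_per_user=3):
    """Return {source_ip: info} for sources showing a spray pattern:
    legacy-auth failures against at least `min_users` distinct accounts
    with no account failing more than `max_fail_per_user` times (the
    low-per-account rate that keeps each attempt below lock-out thresholds).
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> fail count
    successes = defaultdict(set)                   # ip -> users that succeeded
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e["proto"] not in LEGACY_PROTOCOLS:
            continue  # modern auth can enforce MFA; not part of this signature
        if e["result"] == "FAIL":
            fails[e["ip"]][e["user"]] += 1
        elif e["result"] == "SUCCESS":
            successes[e["ip"]].add(e["user"])
    alerts = {}
    for ip, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_fail_per_user:
            alerts[ip] = {"users_tried": len(per_user),
                          "compromised": sorted(successes[ip])}
    return alerts
```

The single-account source (198.51.100.9) is the brute-force shape and is deliberately not flagged here; it belongs to a separate per-account threshold rule.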

UPDATE (March 21, 2019, 5:20 a.m. PT):

As explained by the researchers, IMAP can be used to bypass MFA under specific circumstances:

  • When used with third-party email clients that do not support modern authentication
  • Against targets that do not fully implement app passwords (an alternative to MFA for unsupported clients)
  • When targeting shared email accounts for which MFA cannot be enabled and/or for which IMAP is not blocked (e.g., service accounts, shared mailboxes).
