Attackers are exploiting IMAP to bypass MFA on Office 365, G Suite accounts

Where possible, and especially for important accounts such as Office 365 and G Suite accounts, the prevailing advice for users is to enable two-factor authentication. Unfortunately, that security measure does not stop some attackers that engage in password-spraying attacks.

During a six-month study of major cloud service tenants, Proofpoint researchers have found that approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, and roughly 25% of them experienced a successful breach as a result.

How does it happen?

IMAP (Internet message access protocol) is a legacy authentication protocol that makes it possible for an account to be accessed from multiple devices. It is often used by desktop email clients to retrieve email from the email server. Alas, IMAP does not support multi-factor authentication.

IMAP support is “on” by default on Office 365 and G Suite and attackers are banking on the fact that administrators are leaving IMAP on to make life easier for users and themselves.

Password-spraying attacks are performed by using a large number of usernames and combining them with a single password. Unlike brute-forcing attacks (one username / many password variations), password-spraying attacks avoid account lock-out setting off alarms because they look like isolated failed logins.

And, by using common variations of the usernames and passwords exposed in large credential dumps, password-spraying attackers have become even more successful.

“IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019. These attacks especially target high-value users such as executives and their administrative assistants,” the researchers shared.

“Attackers utilized thousands of hijacked network devices around the world – primarily vulnerable routers and servers – as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period.”

According to their findings, the education sector appears to be the most vulnerable to these attacks.

“70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks,” they noted.

“Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily-compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extend far beyond educational institutions.”

Administrators are advised to consider disabling IMAP and other legacy protocols for their domain, if possible. If not, they should be on the lookout for password-spraying attempts.

UPDATE (March 21, 2019, 5:20 a.m. PT):

As explained by the researchers, IMAP can be used to bypass MFA under specific circumstances:

• When used with third-party email clients that do not support modern authentication
• Against targets that do not fully implement app passwords (an alternative to MFA for unsupported clients)
• When targeting shared email accounts for which MFA cannot be enabled and/or for which IMAP is not blocked (e.g., service accounts, shared mailboxes).