Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Managing Editor, Help Net Security
March 20, 2019

Attackers are exploiting IMAP to bypass MFA on Office 365, G Suite accounts

Where possible, and especially for important accounts such as Office 365 and G Suite accounts, the prevailing advice for users is to enable two-factor authentication. Unfortunately, that security measure does not stop some attackers that engage in password-spraying attacks.

During a six-month study of major cloud service tenants, Proofpoint researchers have found that approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, and roughly 25% of them experienced a successful breach as a result.

How does it happen?

IMAP (Internet Message Access Protocol) is a legacy authentication protocol that makes it possible for an account to be accessed from multiple devices. It is often used by desktop email clients to retrieve email from the email server. Alas, IMAP does not support multi-factor authentication.

IMAP support is “on” by default on Office 365 and G Suite and attackers are banking on the fact that administrators are leaving IMAP on to make life easier for users and themselves.

Password-spraying attacks are performed by taking a large number of usernames and trying a single password against each of them. Unlike brute-force attacks (one username, many password variations), password-spraying attacks avoid triggering account lock-outs and alarms because each attempt looks like an isolated failed login.

And, by using common variations of the usernames and passwords exposed in large credential dumps, password-spraying attackers have become even more successful.

IMAP-based password-spraying

“IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019. These attacks especially target high-value users such as executives and their administrative assistants,” the researchers shared.

“Attackers utilized thousands of hijacked network devices around the world – primarily vulnerable routers and servers – as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period.”

According to their findings, the education sector appears to be the most vulnerable to these attacks.

“70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks,” they noted.

“Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily-compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extends far beyond educational institutions.”

Administrators are advised to consider disabling IMAP and other legacy protocols for their domain where possible. If that is not an option, they should monitor their authentication logs for password-spraying attempts.
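One way to tell a spray (many usernames, one or two tries each, from one client) apart from a classic brute force (one username hammered repeatedly) in IMAP authentication logs, and to list accounts that then logged in successfully from a spraying source. This is an added illustration, not code from the article or from Proofpoint's research; the log format, thresholds and addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed IMAP auth log (hypothetical format, not any vendor's): time, client IP, user, result.
SAMPLE_LOG = """\
2019-02-01T10:00:01Z 203.0.113.7 alice@example.edu FAIL
2019-02-01T10:00:04Z 203.0.113.7 bob@example.edu FAIL
2019-02-01T10:00:09Z 203.0.113.7 carol@example.edu FAIL
2019-02-01T10:00:15Z 203.0.113.7 dave@example.edu FAIL
2019-02-01T10:00:21Z 203.0.113.7 erin@example.edu OK
2019-02-01T10:01:00Z 198.51.100.9 frank@example.edu FAIL
2019-02-01T10:01:02Z 198.51.100.9 frank@example.edu FAIL
2019-02-01T10:01:05Z 198.51.100.9 frank@example.edu FAIL
2019-02-01T10:01:07Z 198.51.100.9 frank@example.edu FAIL
2019-02-01T10:01:09Z 198.51.100.9 frank@example.edu FAIL
2019-02-01T11:30:00Z 192.0.2.44 grace@example.edu FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Return (timestamp, ip, user, result) tuples for well-formed lines."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            out.append((ts, m.group(2), m.group(3), m.group(4)))
    return out

def classify(events, window=timedelta(hours=1), min_users=4, max_per_user=2, min_tries=5):
    """Per client IP, within one window of failures: many users with few tries each = spray."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    verdicts = {}
    for ip, items in fails.items():
        items.sort()
        first = items[0][0]
        per_user = Counter(u for ts, u in items if ts - first <= window)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            verdicts[ip] = "password-spray"
        elif len(per_user) == 1 and sum(per_user.values()) >= min_tries:
            verdicts[ip] = "brute-force"
    return verdicts

def likely_compromised(events, verdicts):
    """Accounts that authenticated successfully from an IP already flagged as spraying."""
    return sorted({u for ts, ip, u, r in events if r == "OK" and verdicts.get(ip) == "password-spray"})
```

The single failure from 192.0.2.44 produces no verdict, which is the point: a spray only becomes visible when failures are correlated per source rather than per account.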

UPDATE (March 21, 2019, 5:20 a.m. PT):

As explained by the researchers, IMAP can be used to bypass MFA under specific circumstances:

  • When used with third-party email clients that do not support modern authentication
  • Against targets that do not fully implement app passwords (an alternative to MFA for unsupported clients)
  • When targeting shared email accounts for which MFA cannot be enabled and/or for which IMAP is not blocked (e.g., service accounts, shared mailboxes).
© Copyright 1998-2021 by Help Net Security