IMAP being used by hackers to bypass multi-factor authentication, says report

Multi-factor authentication is touted by experts as one of the best ways to protect email against brute force attacks and spear phishing lures on credentials. However, a security vendor is warning administrators that attackers are leveraging an old protocol — IMAP — to get around MFA protection.

It’s a door, say researchers at Proofpoint, that administrators should consider shutting.

In a blog this week the company said that after a six-month study of cloud applications like Office 365 and G-Suite it realized massive password spraying attacks were successful because hackers were using IMAP (Internet Message Access Protocol).

IMAP allows administrators to set up an account so it can be read on multiple devices. The problem is that IMAP doesn’t support multi-factor authentication. So even if a user has MFA enabled, it’s bypassed if access is attempted through IMAP.

Chris Dawson, Proofpoint’s threat intelligence lead, said in an interview that administrators can turn IMAP off so desktop clients on devices don’t use it. However, most don’t because there are still some client-based applications that need IMAP for access.

Attackers have caught on, he said, and are using IMAP and other legacy protocols to get by MFA-enabled defences.

Approximately 60 per cent of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, Proofpoint found in its study.

Of those:

  • Roughly 25 per cent of Office 365 and G Suite tenants were successfully breached.
  • Threat actors achieved a 44 per cent success rate breaching an account at a targeted organization.

“IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019,” said the blog. “These attacks especially target high-value users such as executives and their administrative assistants.”

Users who log in from a browser, which is a secure, encrypted interface, don’t face this problem, Dawson said. But users of a desktop client like Microsoft Outlook or Mozilla Thunderbird use IMAP to retrieve email from a cloud service, which is why administrators leave IMAP on.

It is turned on by default on Office 365 and G-Suite, he added, which may be missed by smaller organizations.

Dawson admits that turning IMAP off makes it “more challenging” for administrators to oversee large email installations at big enterprises and universities, which, he added, may explain why the education sector has been victimized so often by brute force attacks. In the study period 70 per cent of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks.

IMAP makes it easier to let users oversee their own accounts, he noted.

“If you’ve got 20,000 students starting in the fall, plus faculty and support staff, you want to make it as easy as possible to enroll email access on someone’s device,” particularly if people are allowed to bring their own devices.

The report is a reminder of how the theft of huge numbers of login credentials continues to be leveraged by attackers.

“If you can lock out IMAP and make sure folks are using more modern approaches to logging in you’re going to save yourself a lot of trouble,” Dawson said.
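For defenders who keep IMAP enabled, the spraying pattern described in this article (one source trying many accounts over a protocol that never prompts for MFA) can be looked for in sign-in logs. The following is an added example, not code from Proofpoint or from the original article; the five-field log layout, the thresholds and the function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample sign-in records; the five-field layout is an assumption:
# timestamp, source IP, account, protocol, result
SAMPLE_LOG = """\
2019-01-10T08:00:01Z 203.0.113.7 alice@example.edu IMAP FAIL
2019-01-10T08:00:03Z 203.0.113.7 bob@example.edu IMAP FAIL
2019-01-10T08:00:05Z 203.0.113.7 carol@example.edu IMAP FAIL
2019-01-10T08:00:07Z 203.0.113.7 dave@example.edu IMAP FAIL
2019-01-10T08:00:09Z 203.0.113.7 erin@example.edu IMAP FAIL
2019-01-10T09:30:00Z 203.0.113.7 carol@example.edu IMAP SUCCESS
2019-01-10T09:41:00Z 198.51.100.20 frank@example.edu IMAP FAIL
2019-01-10T09:41:20Z 198.51.100.20 frank@example.edu IMAP FAIL
2019-01-10T09:41:40Z 198.51.100.20 frank@example.edu IMAP FAIL
2019-01-10T09:42:10Z 198.51.100.20 frank@example.edu IMAP SUCCESS
2019-01-10T10:00:00Z 192.0.2.50 grace@example.edu WEB FAIL
"""

def parse(text):
    """Yield (ip, account, protocol, result) from well-formed lines; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            _, ip, user, proto, result = fields
            yield ip, user.lower(), proto.upper(), result.upper()

def detect_imap_spray(events, min_accounts=4, max_fails_per_account=2):
    """Flag sources whose IMAP failures are spread thinly over many accounts."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> account -> failed tries
    wins = defaultdict(set)                        # ip -> accounts logged in to
    for ip, user, proto, result in events:
        if proto != "IMAP":
            continue  # only the legacy path, where MFA is not applied, is examined
        if result == "FAIL":
            fails[ip][user] += 1
        elif result == "SUCCESS":
            wins[ip].add(user)
    findings = {}
    for ip, per_account in fails.items():
        # Spraying: many accounts, few guesses each. One user mistyping a
        # password repeatedly (frank above) touches a single account only.
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_fails_per_account):
            findings[ip] = {"targeted": sorted(per_account),
                            "succeeded": sorted(wins[ip])}  # logins with no MFA step
    return findings

if __name__ == "__main__":
    for ip, f in detect_imap_spray(parse(SAMPLE_LOG)).items():
        print(ip, "targeted", len(f["targeted"]), "accounts; succeeded:", f["succeeded"])
```

Any account listed under `succeeded` for a flagged source was reached without an MFA prompt and is a candidate for a password reset and session review.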

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
