Multi-factor authentication is touted by experts as one of the best ways to protect email accounts against brute-force attacks and spear-phishing lures aimed at credentials. However, a security vendor is warning administrators that attackers are leveraging an old protocol, IMAP, to get around MFA protection.
It’s a door, say researchers at Proofpoint, that administrators should consider shutting.
In a blog post this week the company said that after a six-month study of cloud applications such as Office 365 and G Suite it found that massive password-spraying attacks were succeeding because attackers were using IMAP (Internet Message Access Protocol).
IMAP lets an account be set up so its mail can be read from multiple devices. The problem is that IMAP with basic (username-and-password) authentication, which is what these services accept from legacy mail clients, has no step at which an MFA challenge can be presented. So even if a user has MFA enabled, it is bypassed when an attacker who has guessed or stolen the password logs in over IMAP.
Chris Dawson, Proofpoint’s threat intelligence lead, said in an interview that administrators can turn IMAP off so desktop clients on devices can’t use it. However, most don’t, because some client-based applications still need IMAP for access.
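What shutting that door looks like in practice, as an added example that is not Proofpoint’s or Microsoft’s own code: an Exchange Online PowerShell session that audits which mailboxes still accept IMAP, turns IMAP (and POP, which has the same problem) off everywhere except a short allow-list of mailboxes used by client applications that genuinely need it, and blocks basic authentication for everything else. The tenant name, the admin account and the allow-list entries are hypothetical, and the session assumes the ExchangeOnlineManagement module is installed. G Suite has no equivalent cmdlets; there the IMAP setting is switched off for users in the Admin console.

```powershell
# Added example, not Proofpoint's or Microsoft's code. Assumes the ExchangeOnlineManagement
# module; contoso.example, the admin UPN and the allow-list entries are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Mailboxes used by client applications that really do need IMAP (hypothetical allow-list).
$KeepImap = @('scanner-inbox@contoso.example', 'legacy-ticketing@contoso.example')

# 1. Audit: which mailboxes still accept IMAP or POP, and keep a copy of the list.
$legacyOn = Get-CASMailbox -ResultSize Unlimited -Filter { ImapEnabled -eq $true -or PopEnabled -eq $true } |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled
$legacyOn | Export-Csv -NoTypeInformation -Path .\legacy-protocols-before.csv
"Mailboxes with IMAP or POP enabled: $($legacyOn.Count)"

# 2. Turn IMAP and POP off on every mailbox that is not on the allow-list.
foreach ($mbx in $legacyOn) {
    $addr = $mbx.PrimarySmtpAddress.ToString()
    if ($KeepImap -contains $addr) {
        "Leaving IMAP on for $addr (allow-listed)"
        continue
    }
    Set-CASMailbox -Identity $addr -ImapEnabled $false -PopEnabled $false
}

# 3. Change the tenant default so newly created mailboxes start with IMAP and POP off.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -ImapEnabled $false -PopEnabled $false
}

# 4. Block basic (username/password) authentication tenant-wide. A freshly created
#    authentication policy refuses every basic-auth protocol unless one is explicitly
#    re-allowed, so a mailbox that still has IMAP enabled cannot be reached with a
#    sprayed password unless it carries the narrower policy in step 5.
$block = Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue
if (-not $block) { $block = New-AuthenticationPolicy -Name 'Block Basic Auth' }
Set-OrganizationConfig -DefaultAuthenticationPolicy $block.Identity

# 5. Only the allow-listed mailboxes get a policy that re-allows basic auth, and only for IMAP.
$allow = Get-AuthenticationPolicy -Identity 'Allow Basic IMAP' -ErrorAction SilentlyContinue
if (-not $allow) { $allow = New-AuthenticationPolicy -Name 'Allow Basic IMAP' -AllowBasicAuthImap }
foreach ($addr in $KeepImap) {
    Set-User -Identity $addr -AuthenticationPolicy $allow.Identity
}

# 6. Verify: nothing outside the allow-list should still report IMAP or POP enabled.
Get-CASMailbox -ResultSize Unlimited -Filter { ImapEnabled -eq $true -or PopEnabled -eq $true } |
    Where-Object { $KeepImap -notcontains $_.PrimarySmtpAddress.ToString() } |
    Format-Table DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled
```

The allow-listed mailboxes remain exactly the kind of target the article describes: a single password stands between an attacker and the mailbox, so they need long random passwords, no human logins, and a watch on their sign-in activity. Authentication policy changes can take a while to apply to existing sessions. Microsoft has since turned basic authentication off by default for Exchange Online tenants, but the per-mailbox IMAP and POP settings are still worth auditing, and the allow-list question has not gone away.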
Attackers have caught on, he said, and are using IMAP and other legacy protocols to get by MFA-enabled defences.
Among the findings of Proofpoint’s study:
- Approximately 60 per cent of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks.
- Roughly 25 per cent of Office 365 and G Suite tenants were successfully breached.
- Threat actors achieved a 44 per cent success rate in breaching an account at a targeted organization.
“IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019,” said the blog. “These attacks especially target high-value users such as executives and their administrative assistants.”
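What that campaign looks like in a tenant’s own sign-in logs, as an added example that is not Proofpoint’s code: one source address walks through many different accounts over IMAP, each a handful of times, and a single success is buried in the failures. The records below are constructed to mimic the Azure AD sign-in export schema (userPrincipalName, ipAddress, clientAppUsed, authenticationRequirement, status.errorCode); the addresses and user names are hypothetical.

```powershell
# Added example, not Proofpoint's code. The sign-in records are constructed to mimic the
# Azure AD sign-in export schema; the IP addresses and users are hypothetical.
$constructedSignIns = @'
[
  {"createdDateTime":"2019-02-11T03:12:04Z","userPrincipalName":"ceo@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}},
  {"createdDateTime":"2019-02-11T03:12:09Z","userPrincipalName":"cfo@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}},
  {"createdDateTime":"2019-02-11T03:12:15Z","userPrincipalName":"ea.smith@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}},
  {"createdDateTime":"2019-02-11T03:12:21Z","userPrincipalName":"hr@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}},
  {"createdDateTime":"2019-02-11T03:12:27Z","userPrincipalName":"ea.jones@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}},
  {"createdDateTime":"2019-02-11T03:12:33Z","userPrincipalName":"it.admin@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}},
  {"createdDateTime":"2019-02-11T08:01:10Z","userPrincipalName":"ceo@contoso.example","ipAddress":"198.51.100.20","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}},
  {"createdDateTime":"2019-02-11T08:05:42Z","userPrincipalName":"scanner-inbox@contoso.example","ipAddress":"198.51.100.21","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
]
'@

# Client app values that use basic authentication and therefore never see an MFA prompt.
$LegacyClients = 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP', 'Other clients'

function Find-LegacySpray {
    <# One source IP trying many different accounts over a legacy protocol is the
       spraying signature; the few successes hidden among the failures are what to act on. #>
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinDistinctUsers = 5
    )
    $SignIns |
        Where-Object { $LegacyClients -contains $_.clientAppUsed } |
        Group-Object -Property ipAddress |
        ForEach-Object {
            $users = @($_.Group.userPrincipalName | Sort-Object -Unique)
            if ($users.Count -lt $MinDistinctUsers) { return }   # skip this IP
            $ok = @($_.Group | Where-Object { $_.status.errorCode -eq 0 })
            [pscustomobject]@{
                SourceIP      = $_.Name
                DistinctUsers = $users.Count
                Attempts      = $_.Group.Count
                Failures      = $_.Group.Count - $ok.Count
                Compromised   = @($ok | ForEach-Object { $_.userPrincipalName })
            }
        }
}

function Find-SingleFactorLegacySuccess {
    # Every successful legacy-protocol sign-in that satisfied only one factor: these are
    # the logins MFA never saw, whether or not they came from a spraying IP.
    param([Parameter(Mandatory)] [object[]] $SignIns)
    $SignIns | Where-Object {
        $LegacyClients -contains $_.clientAppUsed -and
        $_.status.errorCode -eq 0 -and
        $_.authenticationRequirement -eq 'singleFactorAuthentication'
    } | Select-Object createdDateTime, userPrincipalName, ipAddress, clientAppUsed
}

$signIns = $constructedSignIns | ConvertFrom-Json
Find-LegacySpray -SignIns $signIns | Format-List
Find-SingleFactorLegacySuccess -SignIns $signIns | Format-Table -AutoSize
```

On the constructed data the first function reports 203.0.113.7 with six distinct users, six attempts, five failures and ea.jones@contoso.example compromised, while the browser login with MFA is ignored. The second function lists both ea.jones and the scanner mailbox: the scanner is legitimate, which is exactly the per-mailbox exception an administrator has to know about and watch. Against a real tenant, feed the functions the output of Get-MgAuditLogSignIn from the Microsoft Graph PowerShell module (its property names are PascalCase, which PowerShell matches case-insensitively) or the portal’s JSON export.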
Users who log in from a browser don’t face this problem, Dawson said, because the browser login is a secure, encrypted interface. But users of a desktop client like Microsoft Outlook or Mozilla Thunderbird use IMAP to retrieve email from a cloud service, which is why administrators leave IMAP on.
IMAP is turned on by default in Office 365 and G Suite, he added, which smaller organizations may miss.
Dawson admits that turning IMAP off makes it “more challenging” for administrators to oversee large email installations at big enterprises and universities, which, he added, may explain why the education sector has been victimized so often by brute-force attacks. In the study period, 70 per cent of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute-force attacks.
IMAP makes it easier to let users oversee their own accounts, he noted.
“If you’ve got 20,000 students starting in the fall, plus faculty and support staff, you want to make it as easy as possible to enroll email access on someone’s device,” particularly if people are allowed to bring their own devices.
The report is a reminder of how the theft of huge numbers of login credentials continues to be leveraged by attackers.
“If you can lock out IMAP and make sure folks are using more modern approaches to logging in you’re going to save yourself a lot of trouble,” Dawson said.