Threat Actors Exploit Legacy Protocols and Credential Dumps to Evade MFA

Threat actors are combining IMAP (Internet Message Access Protocol) with credential dumps to conduct password-spraying attacks and thereby circumvent MFA. Proofpoint, a cybersecurity company, studied major cloud services over a six-month period. Researchers found that an estimated 60 percent of Microsoft Office 365 and G Suite users were targeted, and roughly one quarter of those individuals experienced a breach. IMAP is a legacy authentication protocol that allows an account to be accessed from multiple devices; desktop email clients regularly use it to retrieve mail from the email server. Unfortunately, IMAP does not support MFA, and administrators may leave it enabled for their own and their users' convenience. According to Proofpoint, password-spraying attacks tend to target high-value users such as executives and their administrative assistants. “[However], 70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks…and appear to be the most vulnerable,” the researchers noted.

The NJCCIC recommends that organizations establish layered security measures and provide user education, as the threat landscape changes regularly. We advise using MFA, which remains a highly effective protective measure. We also advise administrators to consider disabling IMAP and other legacy protocols for their domain where possible.
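As an added illustration that is not part of the NJCCIC advisory or Proofpoint's research, the check below runs over constructed sign-in records (the record layout, the protocol labels and the thresholds are assumptions) and flags the pattern described above: one source address failing against many distinct accounts over a legacy protocol within a short window, together with any account that then succeeded from the same address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real logs), one per line:
# timestamp, account, client protocol, source IP, result.
SAMPLE_LOG = """\
2019-03-14T08:00:01Z alice@example.edu IMAP4 203.0.113.7 Failure
2019-03-14T08:00:03Z bob@example.edu IMAP4 203.0.113.7 Failure
2019-03-14T08:00:05Z carol@example.edu IMAP4 203.0.113.7 Failure
2019-03-14T08:00:07Z dave@example.edu IMAP4 203.0.113.7 Failure
2019-03-14T08:00:09Z erin@example.edu IMAP4 203.0.113.7 Failure
2019-03-14T08:00:11Z frank@example.edu IMAP4 203.0.113.7 Success
2019-03-14T08:01:00Z alice@example.edu Browser 198.51.100.9 Failure
2019-03-14T08:01:30Z alice@example.edu Browser 198.51.100.9 Success
"""

# Protocol labels assumed for this example; basic-auth mail protocols
# cannot present an MFA challenge, so they are the ones worth watching.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP"}


def parse(log):
    """Yield (timestamp, account, protocol, ip, result) per record."""
    for line in log.splitlines():
        ts, user, proto, ip, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, proto, ip, result


def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Group legacy-protocol sign-ins by source IP and flag any IP that fails
    against at least `min_users` distinct accounts inside one `window`.
    Returns {ip: (distinct_failed_accounts, [accounts that succeeded])}."""
    by_ip = defaultdict(list)
    for ts, user, proto, ip, result in parse(log):
        if proto in LEGACY_PROTOCOLS:
            by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window starting at each event; stop at the first alert per IP.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            failed_users = {u for _, u, r in in_window if r == "Failure"}
            if len(failed_users) >= min_users:
                succeeded = sorted(u for _, u, r in in_window if r == "Success")
                alerts[ip] = (len(failed_users), succeeded)
                break
    return alerts
```

Here the browser sign-ins are ignored because they can be challenged for MFA; the IMAP run from 203.0.113.7 is flagged, and frank@example.edu is listed as the account the spray likely compromised.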