Mitigating the risks of IMAP credential stuffing attacks in Office 365
A recent Bleeping Computer article, Multi-Factor Auth Bypassed in Office 365 and G Suite IMAP Attacks, reported that email security company Proofpoint had observed a massive increase in credential spraying attacks that target Office 365 and G Suite. These attacks leverage legacy email protocols (IMAP) and credential dumps to bypass the multifactor controls provided by these platforms.
Now I am a bit sceptical of some of the numbers in the Proofpoint report; however, I have seen other similar reports. I personally believe it is a safe assumption that most Office 365 and G Suite tenants have been targeted and that these attacks have successfully breached some of these tenants.
These attacks have been successful because:
- IMAP bypasses MFA (and some conditional access controls) on these platforms. This is due to the lack of support for MFA in the base IMAP protocol.
- The attackers have taken care to avoid potential account-lockouts. As a result, the attacks look like isolated failed logins and go unnoticed.
- IMAP is an easy protocol to develop automated attacks against.
How can we protect our Office 365 tenants from these types of attacks?
There are three steps you can take:
- Disable IMAP and POP access to mailboxes,
- Disable legacy authentication using an Exchange Online Authentication Policy, and
- Disable legacy authentication using a Conditional Access Policy.
Each of these steps targets different behaviours, and as such, I believe you should put all of these controls in place.
Disabling IMAP and POP client access
The first step is to disable users' access to their mailboxes using IMAP and POP. Why do this? To be honest, why would any of your users be using these protocols? With Outlook applications on Windows, macOS, iOS and Android and third-party applications that support modern authentication, I don’t see any need for users to be sticking to these legacy protocols.
Unfortunately, you need to disable IMAP and POP at a mailbox level; you cannot disable them at a tenant level. To disable these protocols, connect to Exchange Online and then use the Set-CASMailbox cmdlet. Remember you need to do this for all mailboxes!
Set-CASMailbox -Identity $EmailAddress -PopEnabled $false -ImapEnabled $false
This could be included as part of your user automation processes.
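As an added example (not code from the original post), the following script audits every mailbox in the tenant for POP or IMAP access, disables both on the ones that still have them, and re-checks the result; it assumes the ExchangeOnlineManagement module is installed and the admin account name is a placeholder.

```powershell
# Added example: audit and disable POP/IMAP on every mailbox, then verify.
# Assumes the ExchangeOnlineManagement module is installed and you hold an
# Exchange admin role; the UPN below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Find every mailbox that still allows POP or IMAP client access
$legacy = Get-CASMailbox -ResultSize Unlimited `
    -Filter { PopEnabled -eq $true -or ImapEnabled -eq $true }

Write-Host "Mailboxes with POP or IMAP enabled: $(@($legacy).Count)"
$legacy | Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled |
    Format-Table -AutoSize

# Disable both protocols on each affected mailbox
foreach ($mbx in $legacy) {
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false
}

# Re-run the query so the change is verified rather than assumed
$remaining = Get-CASMailbox -ResultSize Unlimited `
    -Filter { PopEnabled -eq $true -or ImapEnabled -eq $true }
if (@($remaining).Count -eq 0) {
    Write-Host "All mailboxes now have POP and IMAP disabled."
} else {
    Write-Warning "$(@($remaining).Count) mailboxes still have POP or IMAP enabled."
}

# Mailboxes created later inherit their settings from the CAS mailbox plan,
# so turn the protocols off there too; this does not affect existing mailboxes.
Get-CASMailboxPlan -Filter { PopEnabled -eq $true -or ImapEnabled -eq $true } |
    Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Scheduling this as a recurring job, rather than running it once, catches mailboxes that are created or modified outside your provisioning process.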
Disabling legacy authentication using an Authentication Policy
You can find a great guide on doing this at Microsoft Docs, Disable Basic Authentication in Exchange Online.
Disabling legacy authentication protocols using a Conditional Access Policy
There is also a guide on Microsoft Docs, How to: Block legacy authentication to Azure AD with conditional access, that will help you set up a Conditional Access Policy that blocks legacy authentication protocols from use.