Threatlist: IMAP-Based Attacks Compromising Accounts at ‘Unprecedented Scale’


Attackers are increasingly targeting insecure legacy protocols, like IMAP, to avoid running into multi-factor authentication in password-spraying campaigns.

Attackers mounting password-spraying campaigns are turning to the legacy Internet Message Access Protocol (IMAP) to avoid multi-factor authentication obstacles – thus more easily compromising cloud-based accounts.

That’s according to researchers with Proofpoint, who found that in the past half year, a staggering 60 percent of Microsoft Office 365 and G Suite tenants have been targeted with IMAP-based password-spraying attacks; and 25 percent of those targeted experienced a full-on breach as a result.

A password-spraying attack is one in which an attacker attempts to access a large number of accounts or usernames with a few commonly used passwords – seen most recently in the Citrix security incident from last week. A Thursday report that analyzed over 100,000 unauthorized logins across millions of monitored cloud user accounts makes clear that more attackers using this method are leveraging IMAP – the legacy protocol used for accessing and storing mail on mail servers – and that, combined with recent massive credential dumps, this allows the compromise of accounts “at an unprecedented scale.”

Legacy protocols (such as POP and IMAP) make it more difficult for service administrators to implement authentication protections like multi-factor authentication, according to Proofpoint. In turn, the lack of multi-factor authentication means that threat actors launching attacks through IMAP can avoid account lock-out and compromise accounts unnoticed.
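
One way to detect the pattern described above, added here as an example and not taken from Proofpoint's report: flag any source whose IMAP or POP logins fail against many accounts while staying under a lockout threshold per account, and list the logins from that source that succeeded. The record layout, thresholds and sample log lines are constructed assumptions, not a real service's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY = {"IMAP", "POP"}        # legacy protocols named in the article
MIN_USERS = 4                   # assumed: distinct accounts failed by one source
MAX_PER_USER = 3                # assumed: failures per account, below a lockout limit
WINDOW = timedelta(hours=1)     # assumed sliding look-back window

# Constructed sample records: (time, source IP, account, protocol, success)
SAMPLE = [
    ("2019-02-01T09:00:00", "203.0.113.7", "ceo@example.com", "IMAP", False),
    ("2019-02-01T09:02:00", "203.0.113.7", "cfo@example.com", "IMAP", False),
    ("2019-02-01T09:04:00", "203.0.113.7", "payroll@example.com", "IMAP", False),
    ("2019-02-01T09:06:00", "203.0.113.7", "shared-mbx@example.com", "IMAP", False),
    ("2019-02-01T09:08:00", "203.0.113.7", "assistant@example.com", "IMAP", True),
    ("2019-02-01T09:10:00", "198.51.100.20", "bob@example.com", "IMAP", False),
    ("2019-02-01T09:11:00", "198.51.100.20", "bob@example.com", "IMAP", False),
    ("2019-02-01T09:12:00", "198.51.100.20", "bob@example.com", "IMAP", True),
]

def detect_spray(records):
    """Return {source_ip: {"targets": [...], "succeeded": [...]}} for sources whose
    legacy-protocol logins fail against many accounts with few tries per account."""
    by_src = defaultdict(list)
    for ts, ip, user, proto, ok in records:
        if proto.upper() in LEGACY:            # modern-auth sign-ins are out of scope here
            by_src[ip].append((datetime.fromisoformat(ts), user, ok))
    findings = {}
    for ip, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1                     # slide the window forward
            window = events[start:end + 1]
            fails = defaultdict(int)
            for _, user, ok in window:
                if not ok:
                    fails[user] += 1
            if len(fails) >= MIN_USERS and max(fails.values()) <= MAX_PER_USER:
                hit = findings.setdefault(ip, {"targets": set(), "succeeded": set()})
                hit["targets"].update(fails)   # accounts that were sprayed
                hit["succeeded"].update(u for _, u, ok in window if ok)  # review first
    return {ip: {k: sorted(v) for k, v in f.items()} for ip, f in findings.items()}

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
```

The single user who mistypes a password twice from 198.51.100.20 is not flagged, because only one account is involved; accounts listed under `succeeded` are the ones to check for follow-on internal phishing.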

“Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable,” researchers said.

IMAP-based password-spraying campaigns appeared in high volumes between September 2018 and February 2019, according to the report, especially those targeting high-value users such as executives and their administrative assistants.

“Targeted, intelligent brute-force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts,” researchers said in a posting.


Meanwhile, the widespread number of credential dumps appearing on the cybercrime underground is another factor that helps threat actors carry out brute-force and password-spraying attacks.

In fact, in December 2018, when the “Collection #1” credential dump – and the subsequent Collection #2-5 – exposed billions of account records, researchers found a sharp increase in successful account breaches for that month compared with previous months.

Overall, the report found that 72 percent of major cloud service tenants – like Office 365 and G Suite cloud accounts – were targeted at least once by threat actors. Forty percent of tenants had at least one compromised account in their environment.

Once they compromise an account, the attacker’s primary goal is typically to launch internal phishing attempts – especially if the initial target does not have the access needed to move money or data.

They can do so by sending internal phishing emails from “trusted” compromised accounts to target corporations’ payroll systems.

“Post-login access to a user’s cloud email and contact information improve an attacker’s ability to expand footholds within an organization via internal phishing and internal BEC [business email compromise], which are much harder to detect than external phishing attempts,” researchers said. “Attackers also leverage these trusted user accounts or brands to launch external attacks or make use of the infrastructure as part of broader attack campaigns.”



  • hicsolo on

    This is a bit misleading. I don't think that this is describing how MFA is being bypassed - but instead that the hackers are targeting legacy protocols that don't have MFA in place due to difficulty in implementation.
    • Tara Seals on

      Yes, thanks -- we've amended the teaser!
  • Mark Ziesemer on

    This is not how this works. I am wondering if Office 365 was possibly incorrectly lumped into the larger set of cloud services here. At least on Office 365, once an account is enabled for MFA - either everything must support Modern Authentication (including MFA), *or* new "application passwords" (randomly and system-generated by O365) must be used. So as long as MFA was enabled, password-spraying attacks against O365 (IMAP or otherwise) become a near-impossibility. The overall problem is that too many organizations are not enabling MFA, despite its recommendation as a baseline security measure today. "Attackers are increasingly targeting insecure legacy protocols, like IMAP, to avoid running into multi-factor authentication in password-spraying campaigns." This is still inaccurate, at least for O365 - as once MFA is enabled on an account, a user's password will no longer allow them to authenticate without MFA, even by IMAP.
    • Lindsey O'Donnell on

      Hello Mark, thank you for these points. I am reaching out to the researchers for further clarification. Best, Lindsey
  • anona on

    I am not sure I understand this article or the implications. If you have MFA enabled, IMAP and POP won't work with the normal password even if they are enabled. You would need to generate an App Password which is longer to brute force. We have MFA enabled, and IMAP turned off per user, but even if we did, I don’t think anyone would be breached. Can you please clarify?
    • Lindsey O'Donnell on

      Hi there - thanks for your comments. Yes, I have reached out to the researchers in hopes of clarification on these specific points, and will be sure to update the article once I hear back!
  • Roger Young on

    Yes, it would be helpful to know if this was still effective with "app passwords" turned on as Microsoft recommends where needed. I would think that would add the level of complexity needed, whereas password spraying attacks are relying on known or frequently utilized passwords.
  • Jay W on

    In addition to having a 3rd party IAM solution federated with an O365 tenant that leverages 3rd party MFA (radius) provider, and client certificates, wouldn't this exploit also be negated by simply having IMAP disabled in the O365 (Exchange online) tenant?
