Criminals attempt to compromise business email accounts more often than you may think. When they succeed, large amounts of money can disappear. Generally, these criminals will target the account of someone high up the corporate chain—an executive, or an administrative assistant who has authority over financial transactions. By infiltrating the account and assuming the employee’s identity, they can insinuate themselves into a transaction-related email thread and re-direct a funds transfer to the criminal’s bank account.
How widespread are these attacks? A six-month study by Proofpoint found that:
- About 60% of Microsoft Office 365 and G Suite users were targeted
- Roughly 25% of Office 365 and G Suite users suffered a breach
- Criminals realized a 44% success rate in breaching targeted accounts
Account Takeover: IMAP Password Spraying
When a wrong password is entered several times in a row, most email services lock the account, since repeated failures are a giveaway of an unauthorized access attempt. To get around the lockout, criminals use a low-and-slow brute-force variant called password spraying. Rather than trying a long list of possible passwords against a single account, they take a short list of common passwords and “spray” it across many accounts, one or two guesses per account. Attacking many accounts at once lets them space the attempts on any one account far enough apart to stay under the lockout threshold, so in the access logs each attempt looks like a routine login failure rather than part of a targeted attack.
Importantly, these attacks commonly come through the Internet Message Access Protocol (IMAP). The IMAP standard has been in use for over 30 years and is enabled on most mail servers by default. It is easy to drive from a script, and in the legacy configuration most tenants still run it authenticates with nothing more than a username and password (“basic authentication”): a correct guess is all the attacker needs, with no second factor to get past.
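The pattern described above is also what makes spraying detectable: one source IP failing against many distinct accounts with only one or two attempts each, instead of one account with many attempts. The following is an added example, not code from the article or from SOCBOX, that scores failed-login records for that pattern. The records are constructed sample data, and the field names (Time, User, ClientIP, Protocol, Result) are an assumption rather than the real Office 365 or G Suite log schema; adapt the property names to whatever your sign-in export actually contains.

```powershell
# Added example (not from the original article): detect the password-spray
# pattern in failed-login records. Spraying looks like ONE source IP touching
# MANY distinct accounts with only one or two attempts each, whereas a user
# who mistyped a password looks like ONE account with several attempts.
#
# The records below are CONSTRUCTED sample data shaped like an export of
# failed sign-ins; the field names are an assumption, not a real log schema.
$failedLogins = @(
    # A spray from 203.0.113.50: six accounts, at most two tries each, spread over hours.
    [pscustomobject]@{ Time='2019-09-10T01:05:00Z'; User='cfo@example.com';       ClientIP='203.0.113.50'; Protocol='IMAP4';   Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T01:52:00Z'; User='ceo@example.com';       ClientIP='203.0.113.50'; Protocol='IMAP4';   Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T02:40:00Z'; User='assistant@example.com'; ClientIP='203.0.113.50'; Protocol='IMAP4';   Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T03:31:00Z'; User='payroll@example.com';   ClientIP='203.0.113.50'; Protocol='IMAP4';   Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T04:18:00Z'; User='ap@example.com';        ClientIP='203.0.113.50'; Protocol='IMAP4';   Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T05:07:00Z'; User='cfo@example.com';       ClientIP='203.0.113.50'; Protocol='IMAP4';   Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T05:55:00Z'; User='hr@example.com';        ClientIP='203.0.113.50'; Protocol='IMAP4';   Result='Failure' }
    # A legitimate user fat-fingering a password from the office: one account, four tries.
    [pscustomobject]@{ Time='2019-09-10T08:00:10Z'; User='jdoe@example.com';      ClientIP='198.51.100.7'; Protocol='Browser'; Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T08:00:25Z'; User='jdoe@example.com';      ClientIP='198.51.100.7'; Protocol='Browser'; Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T08:00:41Z'; User='jdoe@example.com';      ClientIP='198.51.100.7'; Protocol='Browser'; Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T08:01:02Z'; User='jdoe@example.com';      ClientIP='198.51.100.7'; Protocol='Browser'; Result='Failure' }
    # Two accounts from one IP: below the distinct-user threshold, so not flagged.
    [pscustomobject]@{ Time='2019-09-10T09:15:00Z'; User='asmith@example.com';    ClientIP='192.0.2.9';    Protocol='IMAP4';   Result='Failure' }
    [pscustomobject]@{ Time='2019-09-10T09:16:00Z'; User='bjones@example.com';    ClientIP='192.0.2.9';    Protocol='IMAP4';   Result='Failure' }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $MinDistinctUsers   = 5,   # one IP failing against this many accounts is suspicious
        [int] $MaxAttemptsPerUser = 3,   # sprayers stay below the per-account lockout threshold
        [int] $WindowHours        = 24   # only count attempts that fall inside one day
    )
    $Records |
        Where-Object { $_.Result -eq 'Failure' } |
        Group-Object -Property ClientIP |
        ForEach-Object {
            # @() keeps .Count meaning "number of groups" even when there is only one.
            $byUser        = @($_.Group | Group-Object -Property User)
            $distinctUsers = $byUser.Count
            $maxPerUser    = ($byUser | Measure-Object -Property Count -Maximum).Maximum
            $times         = @($_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
            $spanHours     = ($times[-1] - $times[0]).TotalHours
            if ($distinctUsers -ge $MinDistinctUsers -and
                $maxPerUser -le $MaxAttemptsPerUser -and
                $spanHours -le $WindowHours) {
                [pscustomobject]@{
                    ClientIP      = $_.Name
                    DistinctUsers = $distinctUsers
                    MaxPerUser    = $maxPerUser
                    Protocols     = (@($_.Group.Protocol) | Sort-Object -Unique) -join ','
                    SpanHours     = [math]::Round($spanHours, 1)
                }
            }
        }
}

Find-PasswordSpray -Records $failedLogins | Format-Table -AutoSize
```

Run against the constructed data, only 203.0.113.50 is reported (six accounts, at most two attempts each, all over IMAP4); the four failures from 198.51.100.7 are one user and fall through, as do the two accounts from 192.0.2.9. The per-account lockout counter that the mail service keeps would never fire on any of the spray attempts, which is exactly why the grouping has to be done by source IP rather than by account. Tune the thresholds to your tenant's size, and be aware that a sprayer who rotates source IPs (for example through a proxy pool) will dilute the per-IP count; correlating on the user-agent or on the protocol in that case is the next step.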
How to “Sprayproof” Your Environment
We recommend that every business using Office 365 or G Suite for email require multi-factor authentication (MFA) for all users every time they log in from a new device or location. Unfortunately, an IMAP login that uses basic authentication cannot prompt for a second factor; a server that still accepts such logins offers criminals a backdoor that bypasses the MFA checkpoint entirely, even for tenants where MFA is otherwise enforced. That is what leaves the server exposed to a password-spraying attack.
Because of this weakness, we recommend that businesses disable IMAP, as well as its older sibling, the Post Office Protocol (POP3). POP3 isn’t used as widely in spray attacks, but it has the same weakness as IMAP. Since both are legacy protocols, most organizations have very few users who rely on either one for email access. For those who do, we suggest using Outlook Anywhere to reach Office 365 instead. If you’re worried about inconveniencing a handful of users by disabling the protocols, be aware that both are on their way out: Microsoft has announced that starting in October 2020 it will no longer support basic authentication for IMAP and POP3 in Office 365.
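For Office 365 tenants, the steps recommended above can be carried out from Exchange Online PowerShell. The following is an added example, not code from the article or from SOCBOX: it lists who still has IMAP or POP3 enabled, turns both off for existing and future mailboxes, and then adds an authentication policy that refuses basic authentication for every protocol, so that a sprayer blocked from IMAP cannot simply move to another basic-auth protocol such as SMTP AUTH. The policy name and the example address are assumptions; the cmdlets are the real ones from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original article): close the IMAP/POP3 door in
# Office 365 with Exchange Online PowerShell. Run from an admin session with the
# ExchangeOnlineManagement module installed. The policy name "Block Basic Auth"
# and the address legacy.user@example.com are assumptions.
Connect-ExchangeOnline

# 1. Find out who actually still has the legacy protocols enabled before
#    turning them off; these are the users to move to Outlook Anywhere.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object Identity, ImapEnabled, PopEnabled |
    Format-Table -AutoSize

# 2. Disable IMAP and POP3 on every existing mailbox...
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

#    ...and on the mailbox plans, so newly created mailboxes start with them off.
Get-CASMailboxPlan |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 3. Belt and braces: an authentication policy created with none of the
#    -AllowBasicAuth* switches blocks basic (username + password) authentication
#    for ALL protocols, not just IMAP and POP3. Making it the tenant default
#    means the sprayer cannot fall back to SMTP AUTH, ActiveSync, etc.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

#    If one user genuinely needs IMAP while migrating, give only that user a
#    policy that re-opens IMAP and nothing else (commented out; assumed address).
#    Remember that this user is again sprayable for as long as the exemption lasts.
# New-AuthenticationPolicy -Name "Allow IMAP Only" -AllowBasicAuthImap
# Set-User -Identity legacy.user@example.com -AuthenticationPolicy "Allow IMAP Only"

# 4. Verify: after the changes this query should return no mailboxes.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }
```

Run step 1 on its own first and agree the list with the affected users; step 2 is immediate, while a new default authentication policy set in step 3 can take up to a day to apply to all users, so re-run the verification query in step 4 after that window rather than straight away. Disabling the protocol per mailbox and blocking basic auth tenant-wide are complementary: the first removes the IMAP endpoint for the user, the second makes sure a sprayed password is useless on every other legacy endpoint as well.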
At SOCBOX, we make it our business to stay on top of vulnerabilities and criminal tactics like this to keep our clients’ businesses safe. If you would like to know more, give us a call at 877-284-7789.