Taking advantage of recent stolen credential dumps, attackers have been exploiting legacy protocols like IMAP to engage in high-volume password-spraying campaigns for the purpose of breaking into companies’ cloud accounts, researchers at Proofpoint are reporting.
Used by email clients to retrieve messages from a server, IMAP (Internet Message Access Protocol) is an ideal protocol to abuse because it circumvents multi-factor authentication protections, Proofpoint explains in a March 14 blog post from its Information Protection Research team.
From September 2018 through February 2019, Proofpoint conducted a six-month study that analyzed over 100,000 unauthorized logins across millions of monitored cloud user-accounts. The company found that 60 percent of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, while 25 percent were successfully breached in this manner.
Proofpoint noted that the number of IMAP-based password-spraying attacks jumped following the December 2018 publication of the Collection #1 data dump, which exposed nearly 773 million unique emails and 21 million unique passwords.
Attackers who successfully match dumped credentials to a cloud account within a target organization typically try to leverage this compromise to subsequently perform a phishing operation or Business Email Compromise scam, the report explains.
The majority of the successful IMAP-based attacks, 53 percent, originated from China, Proofpoint reports, adding that attacks stemming from Brazilian IP addresses and U.S. infrastructure were the next most common.
“Password-spraying attacks are extremely dangerous because they often allow hackers to brute force attacks without being locked out or triggering an alert to the IT team,” said Justin Jett, director of audit and compliance at Plixer, in emailed comments. “Because password-spraying attacks don’t generate an alarm or lock out a user account, a hacker can continually attempt logging in until they succeed.”
“Ideally, organizations using Office 365 should disable IMAP, and other legacy protocols, completely for the domain,” Jett continued. “While this may mean fewer clients are supported, it means that accounts on the network will not be susceptible to these password-spraying attacks. For organizations with in-house email, if disabling IMAP isn’t possible, the connections to the server should be carefully monitored.”
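The monitoring Jett recommends has to look for the spray signature itself, since per-account lockout counters never fire: one source address, many distinct accounts, only one or two failed attempts each. The detector below is an added example, not code from the article, Proofpoint or Plixer; the IMAP auth log format, the addresses and the thresholds are all constructed assumptions, and a successful login from a flagged source is surfaced as the top-priority finding.

```python
import re
from collections import defaultdict
# Constructed sample IMAP auth log (illustrative format, not from the article or any product).
SAMPLE_LOG = """\
2019-02-10T03:14:01Z imap auth failed user=alice@example.com src=203.0.113.5
2019-02-10T03:14:02Z imap auth failed user=bob@example.com src=203.0.113.5
2019-02-10T03:14:03Z imap auth failed user=carol@example.com src=203.0.113.5
2019-02-10T03:14:04Z imap auth failed user=dave@example.com src=203.0.113.5
2019-02-10T03:14:05Z imap auth failed user=erin@example.com src=203.0.113.5
2019-02-10T03:14:06Z imap auth ok user=frank@example.com src=203.0.113.5
2019-02-10T03:20:11Z imap auth failed user=grace@example.com src=198.51.100.7
2019-02-10T03:20:12Z imap auth failed user=grace@example.com src=198.51.100.7
2019-02-10T03:20:13Z imap auth failed user=grace@example.com src=198.51.100.7
2019-02-10T09:01:00Z imap auth failed user=heidi@example.com src=192.0.2.20
2019-02-10T09:01:30Z imap auth ok user=heidi@example.com src=192.0.2.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) imap auth (?P<result>ok|failed) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")

def detect_spray(text, min_accounts=5, max_per_account=2):
    """Flag sources with the spray signature: many distinct accounts, each tried only
    a few times (staying under lockout thresholds). Returns {src: {...}} of findings."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    successes = defaultdict(set)                      # src -> users that logged in
    for _ts, result, user, src in parse_log(text):
        if result == "failed":
            failures[src][user] += 1
        else:
            successes[src].add(user)
    flagged = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            # A success from a spraying source is the highest-priority finding.
            flagged[src] = {"accounts": sorted(per_user),
                            "succeeded": sorted(successes.get(src, ()))}
    return flagged

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {len(info['accounts'])} accounts sprayed, "
              f"successful login(s): {info['succeeded'] or 'none'}")
```

In the sample, 198.51.100.7 hammers a single account and 192.0.2.20 is an ordinary mistyped password; neither matches the spray pattern, while 203.0.113.5 is flagged with its one successful login.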