IMAP-based attacks increasing
Hackers mounting password-spraying attacks are turning to the legacy Internet Message Access Protocol, or IMAP, to avoid multi-factor authentication obstacles. In the past half year, 60 percent of Microsoft Office 365 and G Suite users have been targeted with IMAP-based password-spraying attacks, and 25 percent of those targeted experienced a breach. In a password-spraying attack, a hacker tries to access a large number of accounts or usernames with a few commonly used passwords. A report that analyzed 100,000 unauthorized logins across millions of monitored cloud user accounts makes clear that more hackers using this method are employing IMAP. Combined with recent credential dumps, it enables accounts to be compromised at an unheard-of scale.
Legacy protocols such as POP and IMAP make it more difficult for service administrators to implement authentication protections like multi-factor authentication, according to Proofpoint. Because these protocols lack multi-factor authentication, hackers who launch attacks through IMAP can avoid account lockout and compromise accounts unnoticed. Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, and service accounts and shared mailboxes are especially vulnerable.
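The pattern described above, many accounts tried over a legacy protocol from one source with few successes, is easy to surface in sign-in records. The following is an added example, not code from the article or from Proofpoint's report; it assumes sign-in events are available as records with a user, source IP, protocol label and success flag, and the sample records are constructed.

```python
"""Flag IMAP/POP password-spraying sources in sign-in records (constructed
example; record layout and protocol labels are assumptions)."""
from collections import defaultdict

# Legacy protocols that cannot enforce a second factor (assumed label set).
LEGACY_PROTOCOLS = {"IMAP", "POP3"}

def spray_sources(events, min_users=5, max_success_ratio=0.2):
    """Return {ip: summary} for source IPs whose legacy-protocol attempts
    spread over many distinct accounts with a low success rate: the
    signature of spraying a few passwords across a user list."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        if e["proto"] not in LEGACY_PROTOCOLS:
            continue  # MFA-capable modern auth is out of scope here
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["successes"] += int(e["ok"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "successes": s["successes"]}
    return flagged

def compromised_via_legacy(events, spray_ips):
    """Accounts that authenticated successfully over a legacy protocol from a
    flagged source: candidates for password reset and session review."""
    return sorted({e["user"] for e in events
                   if e["ok"] and e["ip"] in spray_ips and e["proto"] in LEGACY_PROTOCOLS})

# Constructed sample: one source sprays eight accounts over IMAP and lands one;
# a normal IMAP client and an MFA-backed web sign-in are present as controls.
SPRAY_IP = "203.0.113.7"
SAMPLE_LOG = [{"user": f"user{i}@example.com", "ip": SPRAY_IP, "proto": "IMAP", "ok": False}
              for i in range(1, 9)]
SAMPLE_LOG.append({"user": "user3@example.com", "ip": SPRAY_IP, "proto": "IMAP", "ok": True})
SAMPLE_LOG += [{"user": "user1@example.com", "ip": "198.51.100.5", "proto": "IMAP", "ok": True}] * 3
SAMPLE_LOG.append({"user": "user2@example.com", "ip": "198.51.100.9", "proto": "HTTPS", "ok": True})

if __name__ == "__main__":
    hits = spray_sources(SAMPLE_LOG)
    print("spray sources:", hits)
    print("accounts to reset:", compromised_via_legacy(SAMPLE_LOG, set(hits)))
```

Thresholds should be tuned to the environment; the single successful IMAP login from the spraying source is what turns a noisy-but-failed spray into an account that needs immediate attention.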
Targeted, intelligent brute-force attacks have brought a new twist to traditional password spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts. Meanwhile, the widespread availability of credential dumps on the cybercrime underground is another factor that helps hackers carry out brute-force and password-spraying attacks. Overall, the report found that 72 percent of major cloud service users were targeted at least once by hackers, and 40 percent of users had at least one compromised account in their environment.
Once they compromise an account, the hacker's main goal is to launch internal phishing attempts, sending phishing emails from trusted, compromised accounts to target corporations. Post-login access to a user's cloud email and contact information improves a hacker's ability to expand footholds within an organization via internal phishing and internal business email compromise, which are much harder to detect than external phishing attempts. Hackers can also leverage these trusted user accounts or brands to launch external attacks, or make use of the infrastructure as part of broader attack campaigns.