IMAP Protocol Helps Attackers to Bypass Multifactor Authentication

Delaware, USA – March 19, 2019 – More than half of the brute force attacks targeted at tenants of G Suite and Microsoft Office 365 are conducted using the IMAP protocol. According to the Proofpoint study, every fourth such attack ends with a successful compromise. Such a success rate is possible because targeted accounts are not blocked during the IMAP-based brute force attacks when the number of incorrect password attempts is exceeded. To conduct the attacks, adversaries use massive botnets consisted of hacked servers and routers located around the world, the exceptionally large number of hacked devices spotted in China, Brazil, and the United States. Adversaries most often attack accounts of organizations’ management, and on average it takes 2.5 days to guess the password.

At the end of last year, several credential dumps were published on Darknet, which led to a significant increase in the number of brute force attacks and the speed of passwords guessing. After gaining access to cloud accounts, adversaries proceed to the next stage – sending phishing emails to company employees from the contact list. In addition, access to the cloud allows conducting man-in-the-middle attacks. The analysis of attacks over the past six months has shown that adversaries are aimed primarily at organizations in the sphere of education, retail, technology, and finance.

Distributed brute force attacks using legacy protocols allow attackers to bypass multifactor authentication and to conduct further attacks within the organization without drawing attention. For the detection of distributed or slow brute force attacks you can use specialized rule pack from Threat Detection Marketplace that helps SIEM to analyze successful and unsuccessful authentication events from a wide variety of services: https://my.socprime.com/en/integrations/brute-force-detection-arcsight