Threat Actors Discovered Leveraging IMAP to Bypass Multi-Factor Authentication

latest cyber security news 5/5 (1)

Security researchers have discovered massive attacks targeting legacy protocols and credential dumps to increase the speed and effectiveness of brute force attacks.

According to Proofpoint researchers, attackers are leveraging IMAP (Internet message access protocol) to compromise Office 365 and G Suite cloud accounts with multi-factor authentication.

In our study, IMAP was the most commonly abused legacy protocol. IMAP is a legacy authentication protocol that bypasses multifactor authentication (MFA). By design, these attacks avoid account lock-out and look like isolated failed logins, so they go unnoticed.”

These brought a new approach to the traditional brute force attack which uses combinations of usernames and passwords exposed in large credential dumps to compromise accounts.

Based on the analysis done over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and Proofpoint researchers discovered :

  • 72% of tenants were targeted at least once by threat actors  
  • 40% of tenants had at least one compromised account in their environment  
  • Over 2% of active user-accounts were targeted by malicious actors
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers

Here the primary goal of the attacker is to launch internal phishing. After gaining access to the user’s cloud email and contact information attackers attempts to gain more access within the organization through internal phishing.

After compromising cloud accounts, attackers send internal phishing from these “trusted” accounts to gain more foothold within the organization.



Attackers modify email forwarding rules or set email delegations to maintain access. They also leverage these breached accounts to phish users in other organizations.

Most of the login attempts originated from Nigerian IP addresses (40%) followed by China (26%), United States, Brazil, and South Africa.

Researchers also observed that approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks.

In those, 25% of Office 365 and G Suite tenants were successfully breached and Threat actors achieved a 44% success rate breaching an account at a targeted organization.

In the case of the organization’s, the education sector observed the most successful attack rate with 15% and other targeted industries includes retail, finance, and technology.

For more details, you can visit the analysis published by Proofpoint researchers here.

For the latest cyber threats and the latest hacking news please follow us on FacebookLinkedin and Twitter.

You may be interested in reading:New Zero-day flaw in Google Chrome Discovered Actively Exploited in the Wild



Please rate this content