Cybercriminals are leveraging Internet Message Access Protocol (IMAP) for password-spray attacks to compromise cloud-based accounts according to Proofpoint.
Justin Jett, Director of Audit and Compliance at Plixer:
“Password-spraying attacks are extremely dangerous because they often allow hackers to brute force attacks without being locked out or triggering an alert to the IT team. Two-factor authentication inherently can’t work with IMAP, and so it is automatically bypassed when authenticating. Additionally, IT teams should be sure they have network traffic analytics enabled across their network to spot credential misuse. Because password-spraying attacks don’t generate an alarm or lock out a user account, a hacker can continually attempt logging in until they succeed. Once they succeed, they may try to use the credentials they found for other purposes. Ideally, organizations using Office365 should disable IMAP, and other legacy protocols, completely for the domain. While this may mean fewer clients are supported, it means that accounts on the network will not be susceptible to these password-spraying attacks. For organizations with in-house email, if disabling IMAP isn’t possible, the connections to the server should be carefully monitored. If you notice a large number of connections from a similar source, you may have a password-spraying attack taking place. Network traffic analytics can give you the details you need to spot these and other attacks so your users and the business aren’t compromised.”