MFA Bypassed in IMAP-Based Attacks on Office 365 and G Suite Accounts

Multi-factor authentication can prevent accounts from being accessed if passwords are stolen or obtained using brute force tactics; however, Proofpoint has discovered that multi-factor authentication is being bypassed on Office 365 and G Suite accounts using the legacy IMAP protocol.

Logins over legacy IMAP use basic username/password authentication with no MFA challenge, so a correct password alone grants access, and the attackers are also able to avoid being locked out of accounts. Because attempts are spread thinly across accounts, each account's failed logins look like isolated failures rather than an attack, so they go undetected and lockout thresholds are not triggered. The attacks are conducted from a network of thousands of hijacked devices, such as vulnerable routers and servers, and the brute force attempts commonly use credentials obtained from recent credential dumps. Proofpoint notes there was a 60% increase in brute force attacks in December following the Collection #1 credential dump.
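Per-account failure counters miss the pattern described above, because a spray leaves only one or two failures on any single account. The added example below (not from Proofpoint or the article) counts distinct accounts attacked per source address instead, and reports any success from that source after the spray began. The log format, addresses, account names and thresholds are all constructed assumptions for illustration, not the real Office 365 or G Suite audit log format.

```python
"""Detect IMAP password spraying that stays under per-account lockout thresholds.

Added example: the log lines, field layout and thresholds are constructed for
illustration and do not reflect any vendor's real audit log format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, protocol, account, result.
SAMPLE_LOG = """\
2019-01-15T02:00:01Z 203.0.113.7 IMAP alice@example.com FAIL
2019-01-15T02:00:04Z 203.0.113.7 IMAP bob@example.com FAIL
2019-01-15T02:00:09Z 203.0.113.7 IMAP carol@example.com FAIL
2019-01-15T02:00:13Z 203.0.113.7 IMAP dave@example.com FAIL
2019-01-15T02:00:18Z 203.0.113.7 IMAP erin@example.com FAIL
2019-01-15T02:00:22Z 203.0.113.7 IMAP frank@example.com SUCCESS
2019-01-15T08:30:00Z 198.51.100.20 WEB alice@example.com FAIL
2019-01-15T08:30:20Z 198.51.100.20 WEB alice@example.com FAIL
2019-01-15T08:30:45Z 198.51.100.20 WEB alice@example.com SUCCESS
2019-01-15T09:00:00Z 192.0.2.33 IMAP grace@example.com SUCCESS
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    proto: str
    account: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, account, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            src, proto, account, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events, window=timedelta(hours=1), min_accounts=5):
    """Flag sources whose failures touch many distinct accounts within `window`.

    A user mistyping a password fails repeatedly on ONE account; a spray fails
    once on MANY accounts. Counting distinct accounts per source separates the
    two even though every individual account stays below lockout thresholds.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        in_window = Counter()   # account -> failures inside the sliding window
        left, best, spray_start = 0, 0, None
        for e in fails:
            in_window[e.account] += 1
            # Drop failures that fell out of the window.
            while fails[left].ts < e.ts - window:
                old = fails[left].account
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best:
                best, spray_start = len(in_window), fails[left].ts
        if best < min_accounts:
            continue
        per_account = Counter(e.account for e in fails)
        findings[src] = {
            "accounts_failed": best,
            # Low value here is the evasion signature: each account saw only
            # an "isolated" failure, so per-account alerting stayed quiet.
            "max_failures_per_account": max(per_account.values()),
            "protocols": sorted({e.proto for e in evs}),
            # Any success from the spraying source after it started is a
            # likely compromise, especially over legacy IMAP with no MFA.
            "successes_after_spray": sorted({e.account for e in evs
                                             if e.ok and e.ts >= spray_start}),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

With the constructed sample, only 203.0.113.7 is flagged: five accounts failed once each inside a minute, then frank@example.com succeeded over IMAP from the same source. The alice@example.com failures from 198.51.100.20 are a single-account pattern and are ignored at the default threshold. Lowering `min_accounts` trades fewer missed sprays for more noise of this kind.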

Proofpoint studied data from more than 100,000 unauthorized logins to millions of monitored cloud accounts in the past 6 months. 60% of Office 365 and G Suite tenants were targeted in IMAP password spraying attacks and in 25% of cases, the attacks successfully breached accounts. When an organization was targeted, the attackers achieved a 44% success rate at breaching at least one account in the organization.

72% of tenants had been targeted at least once by threat actors, 40% of tenants suffered at least one compromised account in their environment, and more than 2% of active user accounts had been targeted. Out of every 10,000 active user accounts, 15 were compromised by threat actors.

The main aim is to gain access to accounts that can be used to steal money or data; where that is not possible, the breached accounts are used to conduct internal phishing campaigns – business email compromise (BEC) attacks – to gain access to further accounts.

The highest percentage of unauthorized logins from these brute force attacks was from Nigerian IP addresses (40%), followed by Chinese IP addresses (26%). Proofpoint notes that there was a 65% increase in successful logins from Nigerian IP addresses between November 2018 and January 2019.

Attacks were conducted in all industry sectors, but the education sector was the most targeted, and the most susceptible, to brute force and phishing attacks.

Phishing campaigns are also being conducted to steal credentials for cloud accounts. When cloud accounts are breached, the attackers attempt to move laterally and compromise further accounts, spread malware to multiple devices, steal sensitive information and, when the right accounts are breached, conduct fraudulent bank transfers. Proofpoint notes that 31% of cloud tenants suffered breaches resulting from successful phishing campaigns, and that in 63% of successful phishing campaigns accounts were accessed from Nigerian IP addresses. VPNs were often used to circumvent conditional access policies and geolocation-based authentication controls.

“This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale,” concluded Proofpoint. “Organizations need to implement layered, intelligent security measures – including user education – to combat these evolving threats that are increasingly successful in compromising user cloud accounts.” 

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news