Cloud Security: How to Prevent MFA Bypass Exploiting Legacy Email Protocols

Cloud Security: How to Prevent MFA Bypass Exploiting Legacy Email Protocols

Threats to cloud accounts have grown considerably making the single-factor authentication – the reliance of the traditional username and password combination – undependable and leading the way to the adoption of multi-factor authentication (MFA).

Legacy Email Protocols

Legacy email protocols refer to email protocols that use basic authentication, that is, the reliance of the single-factor authentication consisting of only the username and password combination. These legacy email protocols can’t enforce any type of multi-factor authentication. Examples of these legacy email protocols include POP, IMAP, SMTP, and MAPI.

Prevalence of Cyberattacks Exploiting Legacy Email Protocols

Microsoft 365, formerly Office 365, by default, supports legacy email protocols. For MFA to be operational on Microsoft 365, a user needs to block legacy authentication, that is, the use of single-factor authentication only. Microsoft 365 adoption has risen as a result of the COVID-19 pandemic, which forces organizations around the globe to adopt the work from home model.

In the blog post "Block legacy authentication to Azure AD with Conditional Access", Microsoft said legacy email authentication protocols are the preferred entry points by threat actors in attacking organizations using Microsoft 365 with the following results: more than 99% of password spray attacks use legacy authentication protocols, and more than 97% of credential stuffing attacks use legacy authentication.

Password spray attacks refer to cyberattacks that attempt to login to a large number of online accounts using a few commonly used passwords. Credential stuffing attacks, meanwhile, refer to cyberattacks that use stolen usernames and passwords to access online accounts. Attackers automate the process of launching password spray attacks and credential stuffing attacks by using bots or automated scripts.

Business Email Compromise (BEC)

Security researchers at FireEye Mandiant reported that one of the entry points of Business Email Compromise (BEC) actors is by bypassing Microsoft 365 MFA by exploiting legacy authentication protocols. In a BEC attack, an attacker compromises the official email of an executive, typically a CEO, and uses this compromised email to convince an employee in charge of releasing funds to send money to a bank account controlled by the attacker.

Based on the 2019 Internet Crime Report of the Federal Bureau of Investigation (FBI), in 2019, victims lost over $1.7 billion through BEC scam. In April of this year, the FBI warned that threat actors are using the uncertainty surrounding the COVID-19 pandemic to further their efforts. “Recently, there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19,” the FBI said.

According to security researchers at FireEye Mandiant, the usual routes taken by BEC actors to accomplish their objective is by compromising the target’s email via MFA bypass leveraging legacy authentication protocol. After this initial compromise, the researchers said BEC attackers establish foothold in the target’s system by sending phishing lures to internal and external contacts from Outlook’s global address list, and by changing mailbox rules by forwarding certain or all emails to an external address controlled by the attackers.

With access to the target’s email, the report said, attackers conduct internal reconnaissance by searching the target's mailbox for emails that are of interest, and searching other Microsoft 365 applications such as SharePoint and OneDrive for content of interest. Attackers complete their BEC mission, the report said, by sending a request to the HR department to update the target’s direct deposit information and followed by a wire transfer request for a purported unpaid invoice.

Most Commonly Abused Legacy Email Protocol

In the blog post “Threat actors leverage credential dumps, phishing, and legacy email protocols to bypass MFA and breach cloud accounts worldwide” published in March 2019, security researchers at Proofpoint said they analyzed over 100,000 unauthorized logins across millions of cloud user accounts, including Microsoft 365 and G Suite cloud accounts, and found that IMAP was the most commonly abused legacy email protocol. According to security researchers at Proofpoint, IMAP is a legacy authentication protocol that may be used to bypass multifactor authentication (MFA) under the following specific circumstances:

• When used with third-party email clients that don’t support modern authentication;
• Against targets that don’t fully implement app passwords – an alternative to MFA for unsupported clients; and
• When targeting shared email accounts for which MFA can’t be enabled and/or for which IMAP isn’t blocked.

Preventive and Mitigating Measures Against MFA Bypass via Legacy Authentication Protocols

Microsoft’s recommendation in preventing MFA bypass via legacy authentication protocols from accessing your organization’s 365 resources is by blocking them with a Conditional Access policy.

“For MFA to be effective, you also need to block legacy authentication,” Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post “New tools to block legacy authentication in your organization”. “This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, making them preferred entry points for adversaries attacking your organization.”

Aside from disabling legacy authentication protocols, other mitigating measures against MFA bypass via legacy authentication protocols include:

• Enabling mailbox audit logging on all accounts
• Forwarding Microsoft 365 audit logs to a centralized logging platform
• Restricting mail forwarding to external email addresses
• Enforcing an account lockout policy in case of many failed login attempts