Threat actors targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA).
Over the past months, threat actors have targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA).
Experts at Proofpoint conducted an interesting study of large-scale attacks against accounts of major cloud services. The experts noticed that attackers leverage legacy protocols and credential dumps to increase the efficiency of massive brute-force attacks.
“Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable.” reads the study published by Proofpoint. “At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts.”
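To make the defensive side of this concrete, here is an added example (not part of the Proofpoint study or of this article) that scans sign-in records for legacy-protocol logins, which MFA cannot gate, and flags source IPs that fail against many accounts over IMAP, the spraying pattern described above. The records are constructed, and the field names and the "IMAP4"/"Browser" client values are assumptions, not the exact schema of any vendor's log export.

```python
"""Spot IMAP/legacy-auth password spraying in cloud sign-in logs."""
from collections import defaultdict

# Constructed sample sign-in events (hypothetical field names, not real data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "IMAP4", "ip": "198.51.100.7", "ok": False},
    {"user": "bob@example.com", "app": "IMAP4", "ip": "198.51.100.7", "ok": False},
    {"user": "carol@example.com", "app": "IMAP4", "ip": "198.51.100.7", "ok": False},
    {"user": "shared-mailbox@example.com", "app": "IMAP4", "ip": "198.51.100.7", "ok": True},
    {"user": "dave@example.com", "app": "Browser", "ip": "203.0.113.5", "ok": True},
    {"user": "erin@example.com", "app": "Browser", "ip": "203.0.113.9", "ok": False},
]

# Client types that authenticate with a bare password and never see an MFA prompt.
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def legacy_auth_events(events):
    """Return the events that came in over a legacy protocol."""
    return [e for e in events if e["app"] in LEGACY_APPS]


def spray_sources(events, min_users=3):
    """Map each source IP to the distinct accounts it failed against over
    legacy auth; an IP touching min_users or more accounts looks like a spray."""
    users_by_ip = defaultdict(set)
    for e in legacy_auth_events(events):
        if not e["ok"]:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def successes_from_spray_sources(events, min_users=3):
    """Accounts with a successful legacy-auth login from a spraying IP:
    these are the likely compromises (shared mailboxes are a common hit)."""
    bad_ips = spray_sources(events, min_users)
    return [e["user"] for e in legacy_auth_events(events)
            if e["ok"] and e["ip"] in bad_ips]


if __name__ == "__main__":
    print("spraying sources:", spray_sources(SAMPLE_EVENTS))
    print("likely compromised:", successes_from_spray_sources(SAMPLE_EVENTS))
```

Tuning min_users to a tenant's baseline matters; the same logic applied to the failures alone still surfaces the spray even when no login succeeds.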
The experts analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user accounts. The key findings of the study are listed below:
- 72% of tenants were targeted at least once by threat actors
- 40% of tenants had at least one compromised account in their environment
- Over 2% of active user-accounts were targeted by malicious actors
- 15 out of every 10,000 active user-accounts were successfully breached by attackers
The attackers' primary goal is to carry out internal phishing, especially when the initial target does not have the access needed to transfer money or data. Access to a compromised cloud account can be exploited by attackers for lateral movement and to expand their foothold within an organization via internal phishing and internal BEC. Experts observed that compromised accounts are also used to launch external attacks.