Legacy Protocols Could Be a Back Door Into Your Cloud Account


Using two forms of authentication is the best way to protect your cloud-based users, but in practice many cloud accounts haven't implemented it. The result has been a surge in successful attacks on Office 365 and G Suite accounts.

In mid-March, security company Proofpoint revealed a spate of massive cloud hacking attacks against the two cloud-based productivity services. The culprit was the Internet Message Access Protocol (IMAP), a standard protocol that email clients use to retrieve messages from mail servers.

Since its introduction in 1986, IMAP has been a great way for third-party mail clients to remotely manage email inboxes on mail servers. The problem is that it doesn't support multi-factor authentication (MFA), which is the most effective way of preventing hackers from getting access to your account by stealing or guessing your password.

Attackers targeting accounts using IMAP could brute-force the accounts using common variations on usernames and passwords exposed in large credential dumps.

Proofpoint spent six months scanning major cloud services, identifying over 100,000 unauthorized logins. The company found that 72% of tenants were targeted at least once, and that 40% had at least one compromised account in their environment: 15 in every 10,000 active user accounts had been successfully breached by attackers.

IMAP wasn't the only technique that attackers used to compromise cloud-based productivity suites. They also used phishing, a tried and trusted account hijacking mechanism, to fool users into giving up their details voluntarily.

Once in, whether via IMAP or phishing, the attackers would use the hacked account either to steal data if there was any worth stealing, or to launch internal phishing attacks. It would be an excellent foothold from which to launch a business email compromise attack, for example.

The takeaway here is that even modern cloud services with MFA access controls can be vulnerable if they allow users to connect via legacy protocols that don't support those protections. Disabling IMAP on your organization's cloud user accounts is a good measure (here's how to do it in your G Suite and Office 365 accounts). Then you can either use MFA with an authenticator app, or grant app-specific passwords for users to register with their email clients. If your organization's tools don't allow you to move away from IMAP, then choosing strong passwords that have never been used elsewhere is a minimum viable measure.
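The two defensive checks implied above, finding accounts that still authenticate over a legacy protocol without ever satisfying MFA, and spotting the brute-force pattern Proofpoint describes (one source cycling through many usernames from a credential dump), can both be run over a tenant's sign-in log. The script below is an added example, not code from Proofpoint or the article; the record layout and the sample sign-ins are constructed for illustration, with field names only loosely modelled on cloud sign-in logs, so they are an assumption rather than any vendor's export format.

```python
from collections import defaultdict
from dataclasses import dataclass

# Basic-auth protocols that cannot carry an MFA challenge, so a successful
# sign-in over them was authenticated by password alone.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP AUTH"}


@dataclass(frozen=True)
class SignIn:
    """One sign-in event; the field set is a constructed assumption, not a vendor schema."""
    timestamp: str
    user: str
    source_ip: str
    client_app: str      # e.g. "IMAP4", "Browser", "Mobile Apps and Desktop clients"
    mfa_satisfied: bool  # True only when a second factor was actually presented
    success: bool


# Constructed sample sign-in records (documentation-range IPs, fictional users).
# 203.0.113.7 walks five different accounts over IMAP and gets in on the fifth.
SAMPLE_SIGNINS = [
    SignIn("2019-03-10T02:14:05Z", "alice@example.com", "203.0.113.7", "IMAP4", False, False),
    SignIn("2019-03-10T02:14:09Z", "bob@example.com", "203.0.113.7", "IMAP4", False, False),
    SignIn("2019-03-10T02:14:12Z", "carol@example.com", "203.0.113.7", "IMAP4", False, False),
    SignIn("2019-03-10T02:14:16Z", "dave@example.com", "203.0.113.7", "IMAP4", False, False),
    SignIn("2019-03-10T02:14:20Z", "erin@example.com", "203.0.113.7", "IMAP4", False, True),
    SignIn("2019-03-10T08:01:44Z", "alice@example.com", "198.51.100.20", "Browser", True, True),
    SignIn("2019-03-10T08:03:02Z", "frank@example.com", "198.51.100.21", "Browser", False, False),
    SignIn("2019-03-10T08:03:30Z", "frank@example.com", "198.51.100.21", "Browser", True, True),
    SignIn("2019-03-10T09:12:00Z", "bob@example.com", "198.51.100.22", "IMAP4", False, True),
]


def legacy_logins_without_mfa(signins):
    """Successful sign-ins over a legacy protocol: these bypassed MFA entirely.

    Every user in this list is a candidate for having IMAP/POP disabled or being
    moved to an app-specific password, as the article recommends.
    """
    return [
        s for s in signins
        if s.success and s.client_app in LEGACY_PROTOCOLS and not s.mfa_satisfied
    ]


def password_spray_sources(signins, min_users=4):
    """Map source IP -> sorted usernames for IPs that failed against >= min_users accounts.

    A single IP failing against many *different* users (rather than one user many
    times) is the signature of credential-dump driven brute forcing.
    """
    failed_users = defaultdict(set)
    for s in signins:
        if not s.success:
            failed_users[s.source_ip].add(s.user)
    return {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_users}


def accounts_breached_after_spray(signins, min_users=4):
    """Accounts that logged in successfully from an IP already flagged as a spraying source."""
    spray_ips = password_spray_sources(signins, min_users)
    return sorted({s.user for s in signins if s.success and s.source_ip in spray_ips})


def legacy_exposure_report(signins, min_users=4):
    """Bundle the three checks into one dict suitable for a ticket or dashboard."""
    return {
        "users_on_legacy_protocols": sorted({s.user for s in legacy_logins_without_mfa(signins)}),
        "spray_sources": password_spray_sources(signins, min_users),
        "accounts_breached_after_spray": accounts_breached_after_spray(signins, min_users),
    }


if __name__ == "__main__":
    for key, value in legacy_exposure_report(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

Note that `bob@example.com` appears in the legacy-protocol list even though his IMAP login came from an unremarkable IP: the point of that check is exposure, not compromise. Any account that can still sign in over IMAP with only a password is reachable by the brute-force path described above, whether or not it has been hit yet. The `min_users` threshold is deliberately low for the sample; on a real tenant it should be tuned against the normal failure rate so that a shared office egress IP with a few typo'd passwords does not trip it.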

The topic of Cloud Security will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cloud Security here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
