Hackers are compromising Office 365 and G Suite accounts using IMAP protocol

According to cybersecurity specialists, working with an ethical hacker from the International Institute of Cyber Security, malicious hackers are showing particular interest in abusing legitimate protocols to increase the frequency and effectiveness of brute-force attacks.

This abuse has focused primarily on IMAP (Internet Message Access Protocol), which attackers use to bypass multi-factor authentication and the account lockout that would otherwise follow repeated unsuccessful logins.

According to the ethical hacker, this new brute-force campaign takes a different approach to the attack, working through combinations of user names and passwords. Based on an analysis of a sample of more than 100k unauthorized login attempts on different platforms, the researchers reached conclusions such as:

  • 70% of users have been attacked by malicious hackers at least once
  • At least 40% of users have one of their online accounts compromised
  • 15 out of every 10k active user accounts have been successfully compromised

The main goal of the hackers is to deploy internal phishing campaigns in order to establish persistence in the attacked organization's systems. Internal phishing is much more difficult to detect than external phishing, the ethical hacking expert noted.

Hackers try to gain login access to victims' cloud accounts and then rely on the internal phishing campaign to spread the infection throughout the systems. The researchers noted that most of these unauthorized logins originated from IP addresses in countries such as Nigeria, China, Brazil, South Africa, and the United States.

The abuse of the IMAP protocol increased notably between October 2018 and February 2019, the specialists said. In addition, the experts say the success rate of these attacks has increased considerably, reaching around 40%; it is estimated that at least 60% of Office 365 and G Suite users have been attacked during the last six months.

According to the ethical hacker, during these campaigns the attackers also use tools such as Tor or VPN nodes to preserve their anonymity.
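As an added example (not from the article or the researchers), the small Python detector below runs over constructed sign-in records to show why the pattern described above slips past per-account lockout: the failures arrive over IMAP or POP, are spread across many users and source IPs with only a few attempts each, so the signal lives in the aggregate rather than in any single account. Field names and thresholds are assumptions loosely modelled on cloud mailbox sign-in logs.

```python
from collections import defaultdict

# Legacy mail protocols that carry only a username and password, with no
# second factor (the reason attackers prefer them for brute force).
LEGACY_PROTOCOLS = ("IMAP", "POP")

# Constructed sample sign-in records (not real log data); field names are
# assumptions, not those of any particular product's log format.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "protocol": "IMAP4",   "ip": "203.0.113.5",  "success": False},
    {"user": "bob@example.com",   "protocol": "IMAP4",   "ip": "203.0.113.5",  "success": False},
    {"user": "carol@example.com", "protocol": "IMAP4",   "ip": "198.51.100.7", "success": False},
    {"user": "alice@example.com", "protocol": "IMAP4",   "ip": "198.51.100.7", "success": False},
    {"user": "dave@example.com",  "protocol": "Browser", "ip": "192.0.2.44",   "success": True},
    {"user": "erin@example.com",  "protocol": "POP3",    "ip": "203.0.113.77", "success": False},
    {"user": "bob@example.com",   "protocol": "IMAP4",   "ip": "192.0.2.9",    "success": True},
]


def is_legacy(event):
    """True for IMAP/POP sign-ins, which cannot be protected by MFA."""
    return event["protocol"].upper().startswith(LEGACY_PROTOCOLS)


def detect_spray(events, min_users=3, min_ips=3, max_per_user=5):
    """Aggregate legacy-protocol failures across the whole tenant.

    A spray shows up as many distinct users and many distinct source IPs
    (Tor/VPN exits), each account seeing too few failures to trip lockout.
    """
    failures_per_user = defaultdict(int)
    source_ips = set()
    for e in events:
        if is_legacy(e) and not e["success"]:
            failures_per_user[e["user"]] += 1
            source_ips.add(e["ip"])
    low_and_slow = all(n <= max_per_user for n in failures_per_user.values())
    return {
        "legacy_failures": sum(failures_per_user.values()),
        "distinct_users": len(failures_per_user),
        "distinct_ips": len(source_ips),
        "suspected_spray": (len(failures_per_user) >= min_users
                            and len(source_ips) >= min_ips and low_and_slow),
    }


def compromised_after_spray(events):
    """Users whose legacy sign-in eventually succeeded after earlier failures:
    the accounts to reset and review for follow-on internal phishing."""
    failed_users, hits = set(), []
    for e in events:  # events are assumed to be in chronological order
        if not is_legacy(e):
            continue
        if not e["success"]:
            failed_users.add(e["user"])
        elif e["user"] in failed_users and e["user"] not in hits:
            hits.append(e["user"])
    return sorted(hits)


if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
    print(compromised_after_spray(SAMPLE_EVENTS))
```

The same aggregation can be fed from a real sign-in export once the field names are mapped, and the thresholds tuned to the tenant's normal legacy-protocol failure rate.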