Proofpoint Discovers Attackers Bypassing Multi-Factor Authentication on Office 365 and G Suite Accounts

Proofpoint, a software security company, has discovered that threat actors are using legacy IMAP protocols to bypass multi-factor authentication on Office 365 and G Suite accounts.

Multi-factor authentication (MFA) systems check the identity of a user before allowing them to access the account. Many experts consider them more a far more robust security measure than passwords. These identification steps may include sending an email to their account, or a text to their phone, which contains a unique code which then must be submitted online to proceed.

Usually, if an attacker attempts to access an account but fail on several attempts, the system locks them out of the account. Attackers were able to bypass this security feature by using the IMAP authentication, which makes failed login attempts appear like isolated fails. Therefore, the attacker goes undetected.

Threat actors conduct these attacks by utilising a network of thousands of hijacked devices such as vulnerable routers and servers with the brute force attacks. They obtain the credentials for these vulnerable devices from online credential dumps.

Proofpoint researchers noted there was a 60% increase in brute force attacks in December following the massive Collection #1 credential dump, in which 773 million credentials were leaked.

Proofpoint’s study included data from more than 100,000 unauthorised logins to millions of monitored cloud accounts in the past 6 months. They discovered that 60% of Office 365 and G Suite tenants were targeted in IMAP password spraying attacks. Attackers successfully breached these accounts in 25% of cases. When attackers targeted organisations instead of individuals, they achieved a 44% success rate of breaching at least one account in the organisation.

The report showed that 72% of tenants had been targeted at least once by threat actors, 40% of tenants suffered at least one compromised account in their environment, and more than 2% of active user accounts had been targeted. In total, threat actors accessed 15 out of every 100,000 active user accounts.

The primary motive of threat actors is usually to steal money or data. In some cases, the hackers use the accounts to launch phishing attacks from inside an organisation (business email compromise attacks) to gain access to other, more useful, accounts.

The highest percentage of unauthorised logins from these brute force attacks were from Nigerian IP addresses (40%), followed by Chinese IP addresses (26%). Proofpoint notes that there was a 65% increase in successful logins from Nigerian IP addresses between November 2018 and January 2019.

Proofpoint notes that 31% of cloud tenants suffered breaches resulting from successful phishing campaigns. Most phishing attacks appeared to originate from Nigerian IP addresses (63%). The hackers used VPNs to circumvent conditional access and geolocation-based authentication.

“This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at an unprecedented scale,” concluded Proofpoint. “Organisations need to implement layered, intelligent security measures – including user education – to combat these evolving threats that are increasingly successful in compromising user cloud accounts.”