Managing user security and threats from the outside world is a constant battle. Often it requires blending industry best practices with the user’s needs, wants, and abilities. Recently there has been an increase in attacks on business email accounts, even accounts protected by a multi-factor authentication (MFA) protocol.
While brute-forcing and password spraying techniques are the most common way to mount account takeovers, more methodical cybercriminals are able to gain access to accounts even with more secure MFA protocols in place.
https://threatpost.com/attackers-mfa-bypass-account-takeovers/158189/
“While MFA and modern authentication protocols are an important advancement in account security and should be used whenever possible…this means that it is not possible to enforce MFA when a user signs into their account using one of these applications,” said Erin Ludert, writing in a blog post on Friday.
According to Abnormal Security, cybercriminals are zeroing in on email clients that don’t support modern authentication, such as mobile email clients (for example, iOS Mail for iOS 10 and older); and legacy email protocols, including IMAP, SMTP, MAPI and POP. Thus, even if MFA is enabled on the corporate email account, an employee checking email via mobile won’t be subject to that protection.
It doesn’t get any better when using Microsoft 365 either:
“…many Office 365 licenses provide the ability to configure conditional-access policies, which block access by users to certain applications. This can be used to block legacy applications that may be targeted for password-spraying campaigns, for instance. However, according to Abnormal Security, attackers are also focused on ferreting out targets that don’t have this implemented, or, bypassing it.”
“First and foremost, conditional access is not included with all licenses, meaning that many enterprises simply have no way to protect themselves from this type of attack,” Ludert said. “Additionally, legacy applications are still in widespread use in most enterprises. Completely blocking all users from legitimate access using these applications will be quite disruptive to the workforce. Also, legacy access is enabled by default on Office 365. In order to effectively block legacy access, it must be disabled on a per-tenant basis – for all users and platforms.”
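The two points above (legacy protocols such as IMAP, POP and SMTP sidestep MFA, and blocking them has to be done for the whole tenant) can be acted on from Exchange Online PowerShell without a Conditional Access policy, using Exchange Online’s own authentication policies. The following is an added example, not code from the original post or from Abnormal Security; it assumes the ExchangeOnlineManagement module is installed, that the account running it holds an Exchange admin role, and that the policy names and the mailbox scanner@example.com are placeholders chosen for the illustration.

```powershell
# Added example (not from the original post): audit and then block legacy
# (basic-auth) protocols in Exchange Online with tenant authentication policies.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin role,
# policy names and scanner@example.com are placeholders.

Connect-ExchangeOnline

# 1. Audit: which mailboxes still have IMAP or POP switched on? The SMTP column
#    is null when the mailbox simply inherits the organisation-wide setting.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object DisplayName, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled

# 2. Create a policy. With no -AllowBasicAuth* switches, New-AuthenticationPolicy
#    blocks basic authentication for every protocol (IMAP, POP, SMTP, MAPI,
#    ActiveSync, EWS, Autodiscover, remote PowerShell, ...).
New-AuthenticationPolicy -Name "Block Basic Auth"

# 3. Make it the tenant default so it covers all users and platforms, which is
#    the per-tenant switch the article says legacy access requires.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 4. Where one legacy client genuinely cannot be retired yet (say a scanner that
#    only speaks SMTP AUTH), scope a narrow exception to that single account
#    instead of leaving the whole tenant open.
New-AuthenticationPolicy -Name "Allow SMTP Auth Only" -AllowBasicAuthSmtp
Set-User -Identity "scanner@example.com" -AuthenticationPolicy "Allow SMTP Auth Only"

# 5. Verify what is now in force.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-User -Identity "scanner@example.com" | Select-Object AuthenticationPolicy
```

Run the audit step first and share the list with the affected users; a blanket block lands on exactly the mobile and legacy clients the article describes, so the disruption Ludert mentions is real unless those users are moved to modern-auth clients beforehand. Note also that authentication policy assignments are not instantaneous and can take some time to apply across the tenant, so re-check the verification output later rather than assuming the block is live immediately.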
Hackers are always looking for new ways to reach and exploit user data. It’s difficult to stay a step ahead, but we must continue to try. When setting up authentication and access in your applications, it’s important to follow security best practices.