Office 365 & MFA Bypass – Security hole for the sake of legacy support?

Proofpoint recently published research (LINK) on a security hole that exists in Office 365's MFA (and in G Suite, for that matter) purely for the sake of legacy email protocols. When a client authenticates over IMAP or POP it presents only a username and password; the protocols have no way to carry a second factor, so the sign-in is never prompted for MFA. An attacker holding leaked or guessed credentials can therefore run credential-stuffing attacks straight against the mailbox, and the MFA you paid for never enters the picture.

Below we will first review where users have been logging in from, then turn off IMAP and POP for all accounts. The goal is to close this door before an account is compromised rather than after. Unfortunately, if you have not already enabled audit logging the review will be short, but don't let that stop you from completing the rest of the steps (here is Microsoft's article on enabling auditing: LINK).

Elliot Munro from GCITS (LINK) wrote a great article on running a PowerShell script that outputs every user's login locations for the last 30 days to a CSV file. The script does not inherently work with MFA-protected admin sign-in, so use an app password at the credential prompt (an app password is itself a legacy-auth credential that sidesteps MFA, so delete it once you are done). The brilliant part of Elliot's script is that it geolocates each IP address and includes the result in the output CSV.

Take your time to review the output, check with any users who have suspicious locations listed, and change their passwords ASAP. Keep in mind that mobile hotspots can sometimes show odd locations; for example, I am located in Chicago but my Sprint hotspot pulls an IP address from California.

Now for the real point of this post: turning off the legacy email protocols. Before you do, verify against your own documentation that no account (a scanner, a ticketing system, a line-of-business app) still depends on IMAP or POP, and protect any account that must keep them with a strong, regularly rotated password. Note that the commands below touch only IMAP and POP3; other basic-auth paths such as SMTP AUTH are not affected, so treat this as one step rather than a complete block on legacy authentication.

1. Run the following command to verify whether IMAP and POP are enabled in the tenant's mailbox plans (these are the defaults applied to every newly created mailbox)
  • Get-CASMailboxPlan | Select-Object DisplayName,ImapEnabled,PopEnabled | Format-List

2. Run the following command to verify how IMAP and POP are configured per existing mailbox. Include -ResultSize Unlimited; without it Get-CASMailbox returns at most 1000 mailboxes and a larger tenant is silently truncated
  • Get-CASMailbox -ResultSize Unlimited | Select-Object Name,PrimarySmtpAddress,ImapEnabled,PopEnabled

3. Run the following command to disable IMAP and POP for all future mailboxes by correcting the mailbox plans
  • Get-CASMailboxPlan -Filter {ImapEnabled -eq $true -or PopEnabled -eq $true} | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

4. Run the following command to disable IMAP and POP for all existing mailboxes (append -WhatIf to Set-CASMailbox on a first pass to preview which mailboxes will change)
  • Get-CASMailbox -ResultSize Unlimited -Filter {ImapEnabled -eq $true -or PopEnabled -eq $true} | Select-Object @{n = "Identity"; e = {$_.PrimarySmtpAddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
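The four steps above can be run as one script that reports first, changes second, and verifies last. The script below is an added example for this post, not the original commands or GCITS code. It goes a little further than the steps: it writes the per-mailbox report to CSV, skips a list of documented exceptions, and supports -WhatIf so you can preview the change. It assumes the ExchangeOnlineManagement module is installed (Connect-ExchangeOnline signs in with MFA directly, so no app password is needed); the parameter names $ReportPath and $Exclude are illustrative choices made here.

```powershell
<#
  Added example (not from the original post): report the current IMAP/POP state,
  disable both protocols on every mailbox plan and mailbox, honour a documented
  exception list, and re-check the result.
  Assumptions: ExchangeOnlineManagement module installed; $ReportPath and $Exclude
  are illustrative parameter names chosen for this example.

  Preview:  .\Disable-LegacyMailProtocols.ps1 -WhatIf
  Apply:    .\Disable-LegacyMailProtocols.ps1 -Exclude scanner@contoso.com
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $ReportPath = ".\LegacyProtocolReport.csv",
    [string[]] $Exclude    = @()   # primary SMTP addresses documented as still needing IMAP/POP
)

Connect-ExchangeOnline -ShowBanner:$false

# --- Steps 1 and 2: report before changing anything ---------------------------
$plans = Get-CASMailboxPlan | Select-Object Identity, DisplayName, ImapEnabled, PopEnabled
Write-Host "Mailbox plans (defaults applied to NEW mailboxes):"
$plans | Format-Table DisplayName, ImapEnabled, PopEnabled -AutoSize

# -ResultSize Unlimited matters: the default returns only the first 1000 mailboxes.
$mailboxes = Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name,
                  @{ n = 'PrimarySmtpAddress'; e = { $_.PrimarySmtpAddress.ToString() } },
                  ImapEnabled, PopEnabled
$mailboxes | Export-Csv -Path $ReportPath -NoTypeInformation

$stillOn = @($mailboxes | Where-Object { $_.ImapEnabled -or $_.PopEnabled })
Write-Host ("{0} of {1} mailboxes have IMAP or POP enabled; full list written to {2}" -f
    $stillOn.Count, $mailboxes.Count, $ReportPath)

# --- Step 3: fix the plans so future mailboxes start with both protocols off ---
foreach ($plan in ($plans | Where-Object { $_.ImapEnabled -or $_.PopEnabled })) {
    if ($PSCmdlet.ShouldProcess($plan.DisplayName, 'Disable IMAP/POP on mailbox plan')) {
        Set-CASMailboxPlan -Identity $plan.Identity -ImapEnabled $false -PopEnabled $false
    }
}

# --- Step 4: fix existing mailboxes, skipping the documented exceptions -------
foreach ($mbx in $stillOn) {
    if ($Exclude -contains $mbx.PrimarySmtpAddress) {
        Write-Warning "Leaving IMAP/POP enabled on $($mbx.PrimarySmtpAddress) (documented exception)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, 'Disable IMAP/POP')) {
        Set-CASMailbox -Identity $mbx.PrimarySmtpAddress -ImapEnabled $false -PopEnabled $false
    }
}

# --- Verify: only the exceptions should still have either protocol enabled ----
if (-not $WhatIfPreference) {
    $leftover = Get-CASMailbox -ResultSize Unlimited -Filter { ImapEnabled -eq $true -or PopEnabled -eq $true } |
        Where-Object { $Exclude -notcontains $_.PrimarySmtpAddress.ToString() }
    if ($leftover) {
        Write-Warning 'Mailboxes outside the exception list still have IMAP or POP enabled:'
        $leftover | Format-Table Name, PrimarySmtpAddress, ImapEnabled, PopEnabled -AutoSize
    } else {
        Write-Host 'IMAP and POP are disabled on every mailbox not in the exception list.'
    }
}
```

Run it once with -WhatIf and read the report it writes before running it for real; the exception list is the place to record the scanner or integration account you verified earlier, so that the verify step at the end flags anything else that is still open.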

At this point, your Office 365 tenant should be one step further along the never-ending security path. You don't have to walk that path alone; we are glad to come alongside and lend a hand. Please contact us here if you would like to schedule a call or have any additional questions.
