Recently there was an article published by Proofpoint (LINK) that described a security hole in Office 365's MFA (and G Suite's, for that matter) caused by the legacy email protocols. When a client connects over the legacy protocols IMAP or POP, the user (or an attacker) is not prompted for MFA, so credential stuffing attacks can be used to breach accounts even where MFA is enabled.

Below we will review where users are logging in from and then turn off IMAP and POP for all accounts. The goal is to disable this access before an account becomes compromised. Unfortunately, if you have not already enabled audit logging, the review will be short, but don't let that stop you from completing the rest of the steps (here is Microsoft's article on enabling auditing: LINK).

Elliot Munro from GCITS (LINK) wrote a great article on how to run a PowerShell script that outputs all the login locations for users over the last 30 days to a CSV file. The PowerShell script doesn't inherently work with MFA authentication, so use an app password for the credential pop-up. The brilliant part of Elliot's script is that it checks the IP geolocation and includes that in the CSV output.

Once the review is done, the following commands show the current IMAP/POP settings and then disable both protocols. The first pair reports, the second pair changes settings: the CAS mailbox plan controls the defaults applied to newly created mailboxes, while Get-CASMailbox/Set-CASMailbox act on mailboxes that already exist, so both need to be changed.
- Show the protocol defaults for each mailbox plan (applied to new mailboxes): Get-CASMailboxPlan | Select-Object -Property DisplayName,ImapEnabled,PopEnabled | Format-List
- Show the current IMAP/POP state of every existing mailbox: Get-CASMailbox -ResultSize Unlimited | Select-Object -Property Name,ImapEnabled,PopEnabled
- Disable IMAP and POP in every mailbox plan that still has either enabled: Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
- Disable IMAP and POP on every existing mailbox that still has either enabled: Get-CASMailbox -ResultSize Unlimited -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Select-Object @{n = "Identity"; e = {$_.PrimarySmtpAddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
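The following script is an added example of the two steps above (review the sign-in history, then verify nothing is left with IMAP or POP enabled). It is not Elliot Munro's script and not part of the original post, and it does no IP geolocation. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, that unified audit logging is already turned on, and that the UserLoggedIn audit records carry UserId, ClientIP and ResultStatus fields plus a UserAgent entry in ExtendedProperties (these field names are assumptions drawn from the audit record format, not from the post).

```powershell
# Added example, not the original post's code. Assumes Connect-ExchangeOnline has already been run.

function Get-RecentLoginReport {
    # Pulls UserLoggedIn events for the last $Days days from the unified audit log and
    # returns one row per event with user, client IP, user agent and result.
    param(
        [int]$Days = 30,
        [string]$CsvPath = ".\login-review.csv"
    )

    $start     = (Get-Date).AddDays(-$Days)
    $end       = Get-Date
    # A unique session id lets Search-UnifiedAuditLog page through large result sets.
    $sessionId = "LoginReview-" + [guid]::NewGuid().ToString()
    $events    = @()

    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations UserLoggedIn -ResultSize 5000 `
            -SessionId $sessionId -SessionCommand ReturnLargeSet
        if ($page) { $events += $page }
    } while ($page -and $page.Count -gt 0)

    $rows = foreach ($e in $events) {
        # AuditData is a JSON string; the property names below are assumptions about that record.
        $d  = $e.AuditData | ConvertFrom-Json
        $ua = ($d.ExtendedProperties | Where-Object { $_.Name -eq 'UserAgent' } | Select-Object -First 1).Value
        [pscustomobject]@{
            Time      = $d.CreationTime
            User      = $d.UserId
            ClientIP  = $d.ClientIP
            UserAgent = $ua
            Result    = $d.ResultStatus
            # Legacy (basic auth) clients are assumed here to show a user agent containing
            # "BAV2ROPC" or the protocol name; treat this as a heuristic, not a guarantee.
            LegacyClient = [bool]($ua -match 'BAV2ROPC|IMAP|POP3')
        }
    }

    $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    return $rows
}

function Get-LegacyProtocolMailboxes {
    # Returns every existing mailbox that still has IMAP or POP enabled.
    # Run this after the Set-CASMailbox step above; an empty result means the change took.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
        Select-Object Name, PrimarySmtpAddress, ImapEnabled, PopEnabled
}

# Usage: review first, then confirm nothing is left over.
$logins = Get-RecentLoginReport -Days 30 -CsvPath ".\login-review.csv"

# Which user/IP pairs signed in most often, and which of them look like legacy clients.
$logins | Group-Object User, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

$logins | Where-Object { $_.LegacyClient } |
    Select-Object Time, User, ClientIP, UserAgent, Result |
    Format-Table -AutoSize

$leftover = Get-LegacyProtocolMailboxes
if ($leftover) {
    Write-Warning "Mailboxes still allowing IMAP or POP:"
    $leftover | Format-Table -AutoSize
} else {
    Write-Host "No mailbox has IMAP or POP enabled."
}
```

The CSV gives you the same user and source-IP view the post describes, minus geolocation; the grouping makes repeated sign-ins from one address for one account stand out. The second function is the check to run after the Set-CASMailbox command, and it is also worth scheduling periodically, since a mailbox created before the plan defaults were changed, or a setting re-enabled by an administrator, would otherwise go unnoticed.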