Legacy protocols in hybrid environments – new report demonstrates IMAP security risks

In my Modern and Legacy Authentication in Hybrid Environments webinar in March 2019, I discussed the protocols that we refer to as “Legacy”, and the attacks against them, as well as some mitigations provided by systems such as MFA. Since then, there have been some important developments.

In the cloud-hybrid world, organizations typically use many systems, with many different authentication protocols – and not all protocols are equally secure and easy to manage.

I have been working with customers for a while on the subject of finally sunsetting legacy protocols such as IMAP, POP and LDAP. These protocols can be used in a somewhat secure fashion in that they now support TLS, and therefore protect against eavesdropping. But usually they exist to support clients which do not support the most modern implementations – for example including Multi-Factor Authentication (MFA) – and therefore they represent a security risk.

A theoretical security risk? No!

Authentication protocols securityFor many clients, the risk presented by legacy protocols remained only a theoretical possibility. However, just after I delivered my Modern and Legacy Authentication in Hybrid Environments webinar (view recording on demand), a report from Proofpoint came to my attention.

In a six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. 

The report demonstrates that even when used in modern environments – in this case, with Microsoft Office 365 and Google G Suite – the common usage of legacy protocols is inherently insecure. This is specifically because of their inability to support MFA which leaves them vulnerable to password spray and password brute force attacks.

IMAP is the most commonly abused legacy protocol according to new report

As the report says:

In our study, IMAP was the most commonly abused legacy protocol. IMAP is a legacy authentication protocol that may be used to bypass multifactor authentication (MFA) under specific circumstances.

After all, if you have modern clients which can use the modern, secure variants of the legacy protocol, the same clients can probably use modern, secure protocols in the first place. Of course, we have to be pragmatic and recognise the need to support the clients that we have out there. But in the risk/reward evaluation we have to be realistic – and the path of least resistance is seldom secure – not for nothing is the CSO often known as “Dr. No”!

Further information