TAs leverage legacy email protocols to bypass MFA

An interesting article by Proofpoint. This has been a weakness in many MFA architectures, particularly for email, for a long time now; application-specific passwords have been used to mitigate the threat.

Hopefully we will see some innovation in authentication schemes for legacy protocols, but it might not be easy due to inherent protocol limitations.

This underlines the importance of:

  • MFA access to external non-VPN email (e.g. OWA) through controlled access routes
  • Removing Internet-facing legacy email services such as POP3 and IMAP
  • IDS systems on your perimeter network
  • In-house or outsourced SOCs, 24×7

See https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
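As an added example (not from this post or the Proofpoint article), a small Python triage script over a constructed sign-in export: it lists every account that authenticated successfully over POP3/IMAP (logins that never see an MFA challenge) and the source addresses shared across several accounts, which is the inventory you need before disabling those protocols. The export format and field names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of authentication events, loosely modelled on a mail
# gateway or identity-provider sign-in export. Field names are assumptions.
SAMPLE_LOG = """timestamp,user,protocol,client_ip,result
2019-03-05T08:01:10Z,alice@example.com,OWA,203.0.113.10,success
2019-03-05T08:02:44Z,bob@example.com,IMAP4,198.51.100.7,success
2019-03-05T08:02:51Z,bob@example.com,IMAP4,198.51.100.8,failure
2019-03-05T08:03:02Z,carol@example.com,POP3,198.51.100.7,success
2019-03-05T08:04:30Z,alice@example.com,IMAP4,198.51.100.9,success
2019-03-05T08:05:00Z,dave@example.com,ActiveSync,203.0.113.11,success
"""

# Protocols that authenticate with a bare password and therefore never
# present an MFA challenge: the weakness the post describes.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP"}


def legacy_auth_findings(log_text):
    """Return {user: {"protocols": set, "source_ips": set, "successes": int}}
    covering every successful authentication over a legacy protocol."""
    findings = defaultdict(lambda: {"protocols": set(), "source_ips": set(), "successes": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["protocol"] not in LEGACY_PROTOCOLS or row["result"] != "success":
            continue
        entry = findings[row["user"]]
        entry["protocols"].add(row["protocol"])
        entry["source_ips"].add(row["client_ip"])
        entry["successes"] += 1
    return dict(findings)


def shared_source_ips(findings):
    """Source IPs that logged in to more than one account over legacy
    protocols; one address touching many mailboxes is the trace a replayed
    credential dump leaves behind and is worth a SOC ticket."""
    ip_to_users = defaultdict(set)
    for user, entry in findings.items():
        for ip in entry["source_ips"]:
            ip_to_users[ip].add(user)
    return {ip: users for ip, users in ip_to_users.items() if len(users) > 1}


if __name__ == "__main__":
    found = legacy_auth_findings(SAMPLE_LOG)
    for user, entry in sorted(found.items()):
        print(user, sorted(entry["protocols"]), sorted(entry["source_ips"]), entry["successes"])
    print("source IPs shared across accounts:", shared_source_ips(found))
```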