Multifactor authentication (MFA) is widely regarded as a strong measure for protecting against account takeover attacks. But as with almost any security control, adversaries have devised several ways to bypass it.
Researchers from Abnormal Security this week reported observing a recent increase in attacks where threat actors used legacy apps with old email protocols, such as IMAP, SMTP, and POP, to access and take over business email accounts protected with MFA.
In these attacks, a threat actor who might have obtained the username and password to an MFA-protected email account — via a paste site, for instance — would access the account by signing in from a legacy app that does not enforce MFA. One example is an email client like MailBird, which allows Gmail to be set up via IMAP, says Erin Lundert, data scientist at Abnormal Security.