IMAP Protocol in Office 365 bypasses MFA

I recently saw this article mentioning IMAP attacks against Office 365 mailboxes, due to IMAP bypassing MFA rules:

https://www.bleepingcomputer.com/news/security/multi-factor-auth-bypassed-in-office-365-and-g-suite-imap-attacks/

My suggestion is to bulk disable IMAP and POP if your organization doesn’t use them. You can use PowerShell to disable these protocols in bulk in seconds. However, if your firm is larger, first make sure those protocols aren’t in use by various systems, especially IMAP.

You may also want to look at ActiveSync and OWA; not every mailbox is likely to need those either, especially system mailboxes.

Gets all IMAP enabled mailboxes (-ResultSize Unlimited is needed because Get-CASMailbox returns only the first 1000 results by default)

Get-CASMailbox -ResultSize Unlimited | ? ImapEnabled -eq $true

Gets all IMAP enabled mailboxes and disables it

Get-CASMailbox -ResultSize Unlimited | ? ImapEnabled -eq $true | Set-CASMailbox -ImapEnabled $false

Gets all POP enabled mailboxes

Get-CASMailbox -ResultSize Unlimited | ? PopEnabled -eq $true

Gets all POP enabled mailboxes and disables it

Get-CASMailbox -ResultSize Unlimited | ? PopEnabled -eq $true | Set-CASMailbox -PopEnabled $false
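A more cautious version of the IMAP/POP bulk change above, as an added example that is not part of the original post: it saves the current per-mailbox protocol state to CSV for rollback, skips an exclusion list of mailboxes that still need the protocols, and only previews the change unless -Apply is given. It assumes an already connected Exchange Online PowerShell session; $KeepLegacy, $ReportPath and the sample address are hypothetical.

```powershell
# Added example: audit first, then disable IMAP/POP with an exclusion list.
# Assumes the Exchange Online cmdlets are already loaded in this session.
param(
    # Hypothetical exclusion list: mailboxes used by systems that still need IMAP/POP.
    [string[]]$KeepLegacy = @('scanner@contoso.example'),   # constructed sample address
    # Hypothetical path for the "before" snapshot.
    [string]$ReportPath = '.\cas-protocols-before.csv',
    # Without -Apply the script only shows what would change.
    [switch]$Apply
)

# 1. Snapshot the client access settings of every mailbox before touching anything.
$all = Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, ImapEnabled, PopEnabled,
                  ActiveSyncEnabled, OWAEnabled, OWAforDevicesEnabled
$all | Export-Csv -Path $ReportPath -NoTypeInformation

# 2. Split mailboxes that still have IMAP or POP enabled into "change" and "keep".
$legacy   = @($all | Where-Object { $_.ImapEnabled -or $_.PopEnabled })
$targets  = @($legacy | Where-Object { $KeepLegacy -notcontains [string]$_.PrimarySmtpAddress })
$excluded = @($legacy | Where-Object { $KeepLegacy -contains [string]$_.PrimarySmtpAddress })

'{0} mailboxes checked, {1} to change, {2} excluded' -f @($all).Count, $targets.Count, $excluded.Count

# 3. Disable both protocols on the targets. -WhatIf stays on unless -Apply was passed.
foreach ($mbx in $targets) {
    Set-CASMailbox -Identity ([string]$mbx.PrimarySmtpAddress) `
        -ImapEnabled $false -PopEnabled $false -WhatIf:(-not $Apply)
}
```

The CSV records which mailboxes had each protocol enabled, so a mailbox that turns out to need IMAP or POP can be re-enabled individually with Set-CASMailbox.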

Edit: Here's another article about how to set defaults for the protocols. Remember to disable OWAforDevices if you don’t allow the Outlook iOS/Android app.

https://community.spiceworks.com/how_to/152329-setting-the-default-email-protocols-in-office-365

You can disable OWAforDevices for existing users using the same Set-CASMailbox cmdlet:

Get-CASMailbox -ResultSize Unlimited | ? OWAforDevicesEnabled -eq $true | Set-CASMailbox -OWAforDevicesEnabled $false