Learn like a Baby - Important Update to BAV2ROPC downgrade attacks for bypassing MFA - 4

raja mani

History

BAV2ROPC stands for 'Basic Authentication Version 2 Resource Owner Password Credential'. It is the user agent string that shows up in Entra ID (Azure AD) sign-in logs when a client signs in to Exchange Online with Basic authentication (a plain username and password) and Exchange replays that credential to Entra ID through the OAuth Resource Owner Password Credentials (ROPC) grant. It is commonly produced by old email apps such as iOS Mail. It is often seen in SaaS/email account compromises where accounts still have 'legacy authentication' enabled. This is because, even if MFA is enabled for the user, legacy protocols such as IMAP/POP3 cannot carry an MFA challenge: the password alone is accepted, and no MFA prompt or notification is ever sent.

Historically, many attackers bypassed MFA by performing an authentication downgrade: instead of signing in through a modern client that would trigger the MFA prompt, they used stolen or sprayed credentials against a legacy protocol (IMAP, POP3, SMTP AUTH, Exchange ActiveSync) that still accepted Basic authentication.

Darktrace attack writeup (2022)
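The pattern described above (a spray of Basic-auth failures from one source, then a single-factor success over IMAP with the BAV2ROPC user agent) is what a threat hunter looks for in the sign-in logs. The following is an added example, not code from the original post, Darktrace or Microsoft: a small Python hunt over sign-in records in the Microsoft Graph / Entra ID signIn shape (clientAppUsed, userAgent, status.errorCode, authenticationRequirement). The set of legacy clientAppUsed values and the six log records are constructed for illustration and are not real tenant data.

```python
"""Hunt Entra ID sign-in records for legacy-authentication (BAV2ROPC) activity.

Added example for this post; field names follow the Microsoft Graph signIn
resource. The sample records are constructed, not real log data.
"""
import json
from collections import defaultdict

# clientAppUsed values that Entra ID reports for protocols that only speak
# Basic authentication and therefore never receive an MFA challenge.
# (Assumed list: the values Microsoft's sign-in reports use for legacy clients.)
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "Autodiscover", "Offline Address Book",
    "Exchange Online PowerShell", "Other clients",
}

# User agent Exchange Online presents to Entra ID when it replays a
# Basic auth credential through the ROPC grant.
BAV2ROPC = "BAV2ROPC"

# Constructed sign-in records, one JSON object per line (not real log data).
# 50126 = invalid username or password; 53003 = blocked by Conditional Access.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2024-06-01T08:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5", "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-06-01T09:10:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77", "clientAppUsed": "Authenticated SMTP", "userAgent": "BAV2ROPC", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-06-01T09:10:04Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.77", "clientAppUsed": "Authenticated SMTP", "userAgent": "BAV2ROPC", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-06-01T09:10:09Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.77", "clientAppUsed": "Authenticated SMTP", "userAgent": "BAV2ROPC", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-06-01T09:10:15Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "clientAppUsed": "IMAP4", "userAgent": "BAV2ROPC", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-06-01T09:30:00Z", "userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.10", "clientAppUsed": "Exchange ActiveSync", "userAgent": "Apple-iPhone", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 53003}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(record):
    """True when the sign-in used a Basic-auth-only protocol or the BAV2ROPC agent."""
    return (record.get("clientAppUsed") in LEGACY_CLIENT_APPS
            or record.get("userAgent") == BAV2ROPC)


def hunt(records, spray_threshold=3):
    """Return legacy-protocol successes and source IPs that failed against many accounts."""
    failed_users_by_ip = defaultdict(set)
    successes = []
    for r in records:
        if not is_legacy(r):
            continue
        code = r.get("status", {}).get("errorCode")
        if code == 0:
            successes.append(r)
        else:
            failed_users_by_ip[r.get("ipAddress")].add(r.get("userPrincipalName"))
    # A source that failed against several distinct accounts is spraying.
    spray_sources = {ip: sorted(users) for ip, users in failed_users_by_ip.items()
                     if len(users) >= spray_threshold}
    legacy_success = [{
        "userPrincipalName": r["userPrincipalName"],
        "clientAppUsed": r.get("clientAppUsed"),
        "ipAddress": r.get("ipAddress"),
        # MFA was never required: the protocol cannot carry a second factor.
        "mfaRequired": r.get("authenticationRequirement") == "multiFactorAuthentication",
        # A success from an IP that also sprayed other accounts is the classic compromise.
        "fromSprayIp": r.get("ipAddress") in spray_sources,
    } for r in successes]
    return {"legacy_success": legacy_success, "spray_sources": spray_sources}


if __name__ == "__main__":
    print(json.dumps(hunt(parse_signins(SAMPLE_SIGNINS)), indent=2))
```

On the constructed data, alice's browser sign-in (MFA satisfied) is ignored, the three 50126 failures from 198.51.100.77 make that IP a spray source, and alice's IMAP4 success from the same IP is reported as a single-factor legacy success with fromSprayIp set; erin's ActiveSync attempt is blocked by Conditional Access (53003) and is not a success. The same logic maps directly onto a KQL query over the SigninLogs table (ClientAppUsed, UserAgent, ResultType, AuthenticationRequirement) if you hunt in Sentinel rather than over exported JSON.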

UPDATE

Google

Google Suite and Legacy Authentication: A Complex Landscape

https://support.google.com/a/answer/14114704?hl=en

As of now, G Suite (now known as Google Workspace) is phasing out password-only (Basic) authentication for legacy protocols such as IMAP, which Google groups under 'less secure apps'.

IMAP itself continues to work when the client authenticates with OAuth 2.0; what is being removed is signing in to it with only a username and password. Google is strongly encouraging users to transition to more secure authentication methods.

Key Points:

  • Gradual Phase-Out: Google has been gradually restricting access to less secure apps, including clients that sign in to IMAP, POP, SMTP, CalDAV or CardDAV with only a username and password.

  • App Passwords: For a transitional period, app passwords may still work as a workaround, but this is not a long-term solution.

  • OAuth 2.0: Google is promoting OAuth 2.0 as the preferred authentication method for enhanced security.

As of summer 2024 (from the Google support article above):

  • If you (or your users) try to connect to a less secure app for the first time, you will not be able to. This restriction includes third-party apps that still use basic authentication, such as CalDAV, CardDAV, IMAP, SMTP, and POP, to access Gmail, Google Calendar, and Contacts. If you’re not trying to connect for the first time, you will be able to continue using the apps until they’re turned off.

  • In the Google Admin console, the setting to turn less secure apps on or off is no longer available.

  • Users will not be able to turn IMAP on or off in their Gmail settings.

Microsoft

Deprecation of Basic authentication in Exchange Online

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

What Microsoft changed (quoted from the article above):

We removed the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, Outlook for Windows, and Outlook for Mac.

We also disabled SMTP AUTH in all tenants where it wasn't being used.

This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multifactor authentication (MFA) is also simple with Modern authentication.
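The Microsoft text above says what the service no longer accepts, but SMTP AUTH stayed on in tenants that were using it, and the tenant-side control that actually closes the downgrade path is a Conditional Access policy that blocks legacy authentication clients for all users. The following is an added example, not code from the original post or from Microsoft: a Python audit over policies in the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, conditions.clientAppTypes, grantControls.builtInControls) that reports whether both legacy client app types are blocked for everyone, and flags the usual gaps (report-only state, partial client app coverage, excluded service accounts). Both policy sets below are constructed for illustration; the weak set is shown beside a hardened one.

```python
"""Audit Entra ID Conditional Access policies for an enforced legacy-auth block.

Added example for this post; the policy shape follows the Microsoft Graph
conditionalAccessPolicy resource. The policies are constructed, not tenant data.
"""

# Conditional Access clientAppTypes that describe Basic-auth clients:
# "exchangeActiveSync" (EAS) and "other" (IMAP, POP, SMTP AUTH, EWS, Autodiscover, ...).
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# Constructed "as found" policies, each with a common weakness.
WEAK_POLICIES = [
    {   # Report-only: logs what would be blocked but enforces nothing.
        "displayName": "Block legacy auth (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Enforced, but leaves ActiveSync open and exempts a service account.
        "displayName": "Block IMAP/POP/SMTP AUTH",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["svc-scanner@example.com"]},
                       "clientAppTypes": ["other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Requires MFA for browser sign-ins; says nothing about legacy protocols.
        "displayName": "Require MFA for browsers",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                       "clientAppTypes": ["browser"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Constructed corrected policy: enforced, all users, no exclusions, both legacy types.
HARDENED_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def legacy_types_blocked(policy):
    """Legacy client app types this policy would block, ignoring state and user scope."""
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    if "all" in types:
        types = set(LEGACY_CLIENT_APP_TYPES)
    controls = policy.get("grantControls") or {}
    if "block" not in controls.get("builtInControls", []):
        return set()
    return types & LEGACY_CLIENT_APP_TYPES


def audit_legacy_auth_block(policies):
    """Report which legacy client types are blocked for all users and where the gaps are."""
    covered, excluded, report_only = set(), set(), []
    for p in policies:
        legacy = legacy_types_blocked(p)
        if not legacy:
            continue
        if p.get("state") == "enabledForReportingButNotEnforced":
            report_only.append(p.get("displayName"))
            continue
        users = p.get("conditions", {}).get("users", {})
        # Only an enabled policy that includes "All" users counts as coverage.
        if p.get("state") != "enabled" or "All" not in users.get("includeUsers", []):
            continue
        covered |= legacy
        # Every excluded account is a user who can still sign in with BAV2ROPC.
        excluded |= set(users.get("excludeUsers", []))
    return {
        "blocked_types": sorted(covered),
        "missing_types": sorted(LEGACY_CLIENT_APP_TYPES - covered),
        "excluded_users": sorted(excluded),
        "report_only_policies": report_only,
        "compliant": covered == LEGACY_CLIENT_APP_TYPES and not excluded,
    }


if __name__ == "__main__":
    print("weak:    ", audit_legacy_auth_block(WEAK_POLICIES))
    print("hardened:", audit_legacy_auth_block(HARDENED_POLICIES))
```

The weak set is reported as non-compliant: ActiveSync is not blocked, svc-scanner@example.com is exempt, and the only policy covering both types is report-only. The hardened set passes. In a real tenant the input would be the policies returned by Graph (/identity/conditionalAccess/policies); excluded accounts found by the audit are exactly the ones to check against the BAV2ROPC sign-in hunt.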


Written by raja mani, Threat Hunter