Disabling IMAP and POP in Office 365

Over the past weeks there have been numerous reports of an increase in attacks against Office 365 that use legacy protocols such as IMAP4 and POP3. The weakness is that these protocols only support basic authentication, i.e. username and password, and MFA cannot be enforced on that login. An attacker who holds a valid password (from a credential dump or a phishing campaign) can therefore sign in over IMAP or POP even if the account has MFA enabled.

You’ll find Proofpoint’s report on the issue here: https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

For some reason these legacy protocols are enabled by default, and unless your organization has done something to mitigate this, your users may be at risk. With the increasing adoption of MFA this is a security flaw that is easy to overlook, since the account looks protected while the mailbox still accepts password-only logins. Hopefully Microsoft will address this, but in the meantime this is how you can disable POP and IMAP both for future mailboxes and for mailboxes that already exist in Exchange Online.

Option for Azure AD Premium

If you have Azure AD Premium P1 for all your users, POP and IMAP can be blocked using conditional access instead. This gives you a more granular set of options (for example blocking legacy authentication for everyone except a named group); check out the post here.

Ensure future mailboxes are created with IMAP and POP disabled

When a new mailbox is created, its client access settings are taken from the CASMailboxPlan. You can easily check and modify your CASMailboxPlans using PowerShell.

Check your current settings

#Connect to Exchange Online before running this
Get-CASMailboxPlan | ft DisplayName,ImapEnabled,PopEnabled

Disable POP and IMAP in all plans

#Connect to Exchange Online before running this
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false


After making this change you can verify that it works as expected by creating a new mailbox. In ECP (Mailbox properties -> Mailbox features) you will see that IMAP and POP are both disabled.

A user created before applying this policy will most likely have both protocols enabled.
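Before touching any existing mailbox it is worth knowing how large the exposure actually is. The following script is an added example (not part of the original post) that inventories every mailbox in the tenant that still accepts IMAP4 or POP3 and writes the list to a CSV for change control. It assumes you are already connected to Exchange Online, that the folder in $ReportPath exists, and that you have the Exchange Online PowerShell module loaded; the path is an assumption and should be changed to suit your environment.

```powershell
# Added example: audit which existing mailboxes still have IMAP or POP enabled.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline) and that
# the folder in $ReportPath exists. $ReportPath is an assumed value.
$ReportPath = "C:\Temp\LegacyProtocolAudit.csv"

# Get-CASMailbox returns at most 1000 objects by default, which silently hides
# part of a larger tenant, so ask for everything explicitly.
$All = Get-CASMailbox -ResultSize Unlimited

# Keep only mailboxes where at least one of the two legacy protocols is on.
$Exposed = $All | Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled

# Wrap in @() so .Count is 0 rather than empty when nothing matches.
$Summary = [ordered]@{
    'Mailboxes checked' = @($All).Count
    'IMAP enabled'      = @($Exposed | Where-Object ImapEnabled).Count
    'POP enabled'       = @($Exposed | Where-Object PopEnabled).Count
    'Either enabled'    = @($Exposed).Count
}
$Summary

# Export the affected mailboxes so the list can be reviewed (and owners of
# legacy applications warned) before the protocols are switched off.
$Exposed | Sort-Object PrimarySmtpAddress |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($Exposed).Count) mailboxes to $ReportPath"
```

Run it once before the remediation and once after; the second run should report zero for both protocols, and the CSV from the first run tells you exactly which mailboxes changed.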


Disable IMAP and POP for existing mailboxes

While the fix above only applies to mailboxes created in the future, existing mailboxes keep their current settings and remain exposed. To fix this you can run the script below.

#Connect to Exchange Online before running this

#Get all mailboxes that have IMAP or POP enabled
#(Get-CASMailbox only returns 1000 objects by default, so ask for all of them)
$Mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter {(ImapEnabled -eq $true) -or (PopEnabled -eq $true)}

Write-Host "Processing $(@($Mailboxes).Count) users:"

foreach ($Mailbox in $Mailboxes) {

    Write-Host "Processing: $($Mailbox.PrimarySmtpAddress)" -ForegroundColor Yellow

    #Disable POP if enabled
    if ($Mailbox.PopEnabled -eq $true) {
        Write-Host "POP3 active, disabling... " -NoNewline -ForegroundColor Red
        Set-CASMailbox $Mailbox.PrimarySmtpAddress -PopEnabled $false
        Write-Host "Done." -ForegroundColor Green
    }
    else { Write-Host "POP3 already disabled." -ForegroundColor Green }

    #Disable IMAP if enabled
    if ($Mailbox.ImapEnabled -eq $true) {
        Write-Host "IMAP active, disabling... " -NoNewline -ForegroundColor Red
        Set-CASMailbox $Mailbox.PrimarySmtpAddress -ImapEnabled $false
        Write-Host "Done." -ForegroundColor Green
    }
    else { Write-Host "IMAP already disabled." -ForegroundColor Green }

}
Output provided by the script.

That should be it. The script can be re-run to verify: if it returns "Processing 0 users", no mailboxes with IMAP or POP enabled exist in your Office 365 tenant.

If you have legacy applications that communicate with Exchange Online mailboxes using POP3 or IMAP, you may need to re-enable one of the protocols (at least temporarily) for those specific mailboxes. This can be done by running one of the following commands. Keep in mind that re-enabling a protocol puts that mailbox back in the password-only situation described above, so limit it to the mailboxes that actually need it, and note that disabling POP and IMAP does not by itself turn off basic authentication for other protocols such as SMTP AUTH, Exchange ActiveSync or EWS.

#Connect to Exchange Online before running this

#Enable POP for a single mailbox
Set-CASMailbox user@technut.se -PopEnabled $True

#Enable IMAP for a single mailbox
Set-CASMailbox user@technut.se -ImapEnabled $True
