On 5 Jun 2020, at 05:26, Daniele Nicolodi via mailop <mailop@mailop.org> wrote:

> I don't see the gain as the same attacks are possible over a different
> protocol. I don't think that eliminating IMAP (and keeping SMTP
> submission as far as I know) reduces the attack surface. Am I missing
> something?
Very much so. For malware families like Emotet and friends, one of the attack vectors is to hoover up emails from mailboxes, then use those as implant methods by 'replying' to them with malware droppers attached.

In UK HE we've also seen some similar methods utilised in attacks designed to con browsers into giving up the access token they're currently using, so actually making use of modern auth techniques!

Modern auth on IMAP and SMTP stops that pretty well dead, as does turning off authenticated SMTP (stopping the injection of content for outbound submission) and/or IMAP (for hoovering up the content in the first place).

It's a very long game though, this one.

Graeme
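One way to turn the point above into a check against your own servers, as an added example that is not part of the thread: classify the SASL mechanisms an IMAP CAPABILITY or SMTP EHLO response advertises, so a mailbox that still accepts PLAIN/LOGIN alongside XOAUTH2 shows up as "mixed" (modern auth offered, but password auth not actually turned off). The server responses in it are constructed samples, not captures from any real host.

```python
"""Audit IMAP/SMTP capability advertisements for legacy password auth."""
import re

# Mechanisms that carry a reusable password (legacy/basic auth).
LEGACY = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "NTLM"}
# Mechanisms that carry a scoped, expiring token (modern auth).
MODERN = {"XOAUTH2", "OAUTHBEARER"}


def imap_auth_mechs(capability_line: str) -> set:
    """Extract the AUTH=<mech> tokens from an IMAP CAPABILITY response."""
    return {m.upper() for m in re.findall(r"\bAUTH=([A-Z0-9-]+)", capability_line, re.I)}


def smtp_auth_mechs(ehlo_response: str) -> set:
    """Extract mechanisms from the 250-AUTH line(s) of an SMTP EHLO response."""
    mechs = set()
    for line in ehlo_response.splitlines():
        m = re.match(r"250[ -]AUTH[ =](.+)", line.strip(), re.I)
        if m:
            mechs.update(t.upper() for t in m.group(1).split())
    return mechs


def classify(mechs: set) -> str:
    """Return 'no-auth', 'modern-only', 'legacy-only' or 'mixed'.

    'no-auth' is what a submission/MX endpoint with authentication turned
    off looks like; 'mixed' means modern auth is offered but password
    auth was never disabled, so the protection is not yet effective.
    """
    if not mechs:
        return "no-auth"
    has_legacy = bool(mechs & LEGACY)
    has_modern = bool(mechs & MODERN)
    if has_legacy and has_modern:
        return "mixed"
    return "legacy-only" if has_legacy else "modern-only"


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLE_IMAP = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=XOAUTH2 IDLE"
SAMPLE_SMTP_SUBMISSION = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME"
SAMPLE_SMTP_NOAUTH = "250-mx.example.test\r\n250-STARTTLS\r\n250 8BITMIME"

if __name__ == "__main__":
    print("IMAP:", classify(imap_auth_mechs(SAMPLE_IMAP)))
    print("SMTP submission:", classify(smtp_auth_mechs(SAMPLE_SMTP_SUBMISSION)))
    print("SMTP MX:", classify(smtp_auth_mechs(SAMPLE_SMTP_NOAUTH)))
```

Against a live server you would feed the same functions the CAPABILITY line returned after STARTTLS (or on the TLS port) and the full EHLO reply, since mechanisms are often only advertised once the connection is encrypted.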