IMAP Security Issues – Is this Legacy Email Protocol Leaving You Vulnerable?

From time to time, a cyber security issue pops up that no one sees coming. That’s the case with the IMAP security problem that’s recently come to light. As a managed service provider, Aeko stays on top of cyber security and IT changes so you don’t have to. Rest assured that we are already addressing this issue for our clients. 

What Is IMAP?

IMAP stands for internal message access protocol. It is one of the “legacy email protocols” and has been around since the 1980s. It replaced post office protocol (POP) primarily because it is more versatile. 

When you download your email via POP, you can only access your emails from the device you are working on. If you get a new computer or other device, you will not find the same emails, only new ones.

When you use IMAP, the emails are  installed on a server that can be accessed anytime from any device: computer, tablet, smartphone, etc.

The IMAP Security Issue

Cybercriminals have found a method to hack IMAP with an email appender. That means that they can get into your email without you knowing it, even if you have firewalls and other protection methods. IMAP also doesn’t support multi-factor authentication (MFA) so, if it is enabled, MFA is not being used to protect your mailbox.

But they can’t do it without the victim’s email credentials, which is one of the reasons it is so important to protect any credentials that are connected to you or your company. See the Aeko Password Management Guide for tips.

Using IMAP can circumvent all your security measures. So, until the industry comes up with a solid solution, the best choice is to disable IMAP entirely. If it is not able to be disabled for some reason, change to use Port 993, NOT 143.

Most managed service providers such as Aeko will train your employees on how to avoid this kind of hacking and also make sure your IMAP is disabled.

If you don’t have an MSP dedicated to securing your resources or just want to explore this issue for your company, contact us or book a meeting for a free, no-pressure consultation.