How Hackers Are Breaking Into Firms’ Emails

Attackers are exploiting old protocols to hack into Email accounts and impersonate accountants

Email inboxes are on the front-line for accounting firms and we’ve all seen unsolicited emails from colleagues or associates convincing us to click on nefarious links or attachments often triggering ransomware or other malware related incidents. In an unfortunate case recently a Far North Queensland firm sent infected emails causing damage to three clients and triggering a breach scenario under new legislation that was not covered by professional indemnity insurance.

Implementing federation integration to protect mailbox logins with multi-factor authentication, geographical restrictions and control access is the most critical measure to have in place however legacy mailbox protocols are still being left open for scan to email functions, legacy mobile access and other applications are continuing to expose even the most security-conscious firms.  

Our goal is to arm accountants with the knowledge required to reduce their exposure to data breach and maintain control of company and client information.  


SMTP POP and IMAP are legacy protocols that make it possible for an account to be accessed from multiple devices. They were often used by desktop email clients to retrieve email from the email server. The issue is that these protocols do not support multi-factor authentication and leave a back door for hackers to access mailboxes even when a firm has controls in place to control user access. 

These protocols are left on by default on Office 365 and attackers are exploiting the fact that administrators are leaving SMTP/POP/IMAP on to facilitate legacy mobile email access and office scan-to-email functions 

How do they exploit these old protocols?

The hackers target firms using methods such as password spraying, until they eventually find an Office 365 account with a weak password and can break through. As these old protocols don’t support MFA there is no extra security step to protect the firm.

Password-spraying attacks are performed by using a large number of usernames and combining them with a single password. Unlike brute-forcing attacks (one username / many password variations), password-spraying attacks avoid account lock-out setting off alarms because they look like isolated failed logins.

Hackers also exploit these protocols using the same old fashioned methods some companies use to get your data. Hackers will check your Google indexing and also scrape email addresses from firms’ websites under the ‘Meet the Team’ page.

Disable legacy mailbox protocols

Modern Outlook mobile connections no longer use the IMAP/SMTP/POP protocols, these protocols should be disabled in your mail admin console. We have a guide on how to disable these protocols on our support site here.

Remove staff email addresses from company website

We also recommend removing direct staff email addresses from your website and instead have a Contact Us form or a generic address that is an email group or shared mailbox to protect individual email addresses.

Where to get help

For free assistance on implementing these measures, our clients can contact their Practice Protect customer success team member.

Categorised in: Blog

This post was written by Practice Protect