Attackers use advanced techniques to deceive security controls.
Abnormal Security research shows that despite the proliferation of multi-factor authentication (MFA) and conditional access (CA), the number of successful attacks on corporate e-mail accounts is increasing.
The culprits are legacy e-mail protocols (IMAP, SMTP, MAPI, POP), which do not support MFA. In addition, of course, companies that do not use state-of-the-art control techniques are at fault.
The most effective technique for hackers to break into accounts is to switch to a legacy application after being blocked by MFA, because they know that most organizations keep such applications available in case the use of MFA is hampered.
Abnormal has also documented successful attacks in which the hacker circumvented security rules by hiding the name of the application he used. In one case, an attacker first tried to log in with a legacy application, but this was blocked by the CA. The cybercriminal then waited a few days and tried again, this time hiding the application information, and thus successfully accessed the account.
This case is a good example of the fact that, although most attacks against user accounts are of a brute-force nature, i.e. based on exhaustive trial, some attackers also use more sophisticated and cunning techniques, which are also worth preparing for.
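The sequence described above (a legacy-application login blocked by CA, followed days later by a successful login with the application information missing) can be searched for in sign-in logs. The following is an added example, not code from Abnormal or the original article; the record fields, the result values and the 14-day window are assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

LEGACY_CLIENTS = {"IMAP", "SMTP", "MAPI", "POP"}  # protocols named in the article
LOOKBACK = timedelta(days=14)  # assumed correlation window ("a few days" plus margin)

# Constructed sample records; field names and result values are hypothetical.
SAMPLE_LOG = [
    {"time": "2024-03-01T06:00:00", "user": "dave@example.com", "client_app": "POP", "result": "blocked_by_ca"},
    {"time": "2024-03-02T08:15:00", "user": "alice@example.com", "client_app": "IMAP", "result": "blocked_by_ca"},
    {"time": "2024-03-02T09:00:00", "user": "bob@example.com", "client_app": "Browser", "result": "success"},
    {"time": "2024-03-05T07:40:00", "user": "Alice@example.com", "client_app": "", "result": "success"},
    {"time": "2024-03-06T10:00:00", "user": "carol@example.com", "client_app": None, "result": "success"},
    {"time": "2024-03-30T10:00:00", "user": "dave@example.com", "client_app": "", "result": "success"},
]

def find_suspicious_signins(events, lookback=LOOKBACK):
    """Flag successful sign-ins with no client application recorded that
    follow a CA-blocked legacy-protocol attempt on the same account."""
    last_block = {}  # user -> time of the most recent blocked legacy attempt
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"].strip().lower()  # account names are case-insensitive
        app = (ev.get("client_app") or "").strip()
        if ev["result"] == "blocked_by_ca" and app.upper() in LEGACY_CLIENTS:
            last_block[user] = when
        elif ev["result"] == "success" and not app:
            blocked = last_block.get(user)
            # Only correlate inside the window; older blocks are likely unrelated.
            if blocked is not None and when - blocked <= lookback:
                findings.append({"user": user, "blocked_at": blocked,
                                 "success_at": when, "gap": when - blocked})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_signins(SAMPLE_LOG):
        print(f"{f['user']}: legacy login blocked {f['blocked_at']}, "
              f"success without client info {f['success_at']} (gap {f['gap']})")
```

In the sample data only the alice account is flagged: carol has no preceding blocked attempt, and dave's success falls outside the assumed window.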