First of all, why disable IMAP or POP? Two reasons:
- IMAP and POP are less secure mail protocols that are now around 30 years old.
- In our experience, IMAP and POP are seldom used for legitimate purposes. In almost every breach we’ve discovered, the attackers have used IMAP or POP protocols to download user mailboxes to another device.
If you’re looking for instances of unauthorised IMAP or POP access in your mailboxes, I recommend you also run this script. Typically hackers will log into user mailboxes from an unexpected location. This script runs each IP address used to log in to your tenant against an IP locator API. It then exports a list of unique IP addresses, their location and the user agent of the device that was logging in. The IMAP entries will usually display in the list with a user agent of CBAInProd.
In the above record from the Office 365 Unified Audit Log, an unauthorized user is accessing an account from an IP located in China.
You can confirm this by searching the Unified Audit Log for ‘MailboxLogin’ Operations, then filtering by that IP address.
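As an added example (not from this post or the script it links to), the PowerShell below summarises sign-in records by user, IP address and user agent and marks the CBAInProd entries for review. The sample records, their field names (modelled on the AuditData JSON of unified audit log records) and the function name `Get-LoginSummary` are assumptions, and no IP geolocation is performed.

```powershell
# Constructed sample records (not real data). Field names are assumptions
# modelled on the AuditData JSON of unified audit log records; adjust to your export.
$sampleAuditData = @(
    '{"CreationTime":"2019-03-01T02:14:07","UserId":"alice@contoso.example","ClientIP":"203.0.113.45","ExtendedProperties":[{"Name":"UserAgent","Value":"CBAInProd"}]}',
    '{"CreationTime":"2019-03-01T02:19:31","UserId":"alice@contoso.example","ClientIP":"203.0.113.45","ExtendedProperties":[{"Name":"UserAgent","Value":"CBAInProd"}]}',
    '{"CreationTime":"2019-03-01T08:55:12","UserId":"alice@contoso.example","ClientIP":"198.51.100.10","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0"}]}',
    '{"CreationTime":"2019-03-01T09:02:40","UserId":"bob@contoso.example","ClientIP":"198.51.100.10","ExtendedProperties":[]}'
)

# Hypothetical helper: one output row per unique user / IP / user agent combination.
function Get-LoginSummary {
    param(
        [Parameter(Mandatory)] [string[]] $AuditData,
        [string] $LegacyAgent = 'CBAInProd'   # user agent the post associates with IMAP logins
    )

    # Flatten each JSON record into the four fields we care about.
    $logins = foreach ($json in $AuditData) {
        $record = $json | ConvertFrom-Json
        # The user agent sits in a name/value list; it may be absent.
        $agent = ($record.ExtendedProperties |
            Where-Object { $_.Name -eq 'UserAgent' }).Value
        [pscustomobject]@{
            Time      = $record.CreationTime
            UserId    = $record.UserId
            ClientIP  = $record.ClientIP
            UserAgent = $agent
        }
    }

    # Collapse repeats and flag the legacy-protocol user agent.
    $logins | Group-Object UserId, ClientIP, UserAgent | ForEach-Object {
        $first = $_.Group | Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            UserId         = $first.UserId
            ClientIP       = $first.ClientIP
            UserAgent      = $first.UserAgent
            Logins         = $_.Count
            FirstSeen      = $first.Time
            LegacyProtocol = ($first.UserAgent -eq $LegacyAgent)
        }
    } | Sort-Object -Property LegacyProtocol -Descending
}

Get-LoginSummary -AuditData $sampleAuditData | Format-Table -AutoSize
```

Rows with `LegacyProtocol` set to True are the ones to check against the user's expected locations before and after IMAP and POP are disabled.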
In order to prevent attackers from downloading all of your user data in this way, you can disable IMAP and POP for all users via PowerShell.
There are two parts to this – you’ll want to disable it for all existing mailboxes as well as all future mailboxes.
If you already have a connection to Exchange Online via PowerShell, you can copy and paste the following cmdlets, otherwise you can use the scripts further down.
Disabling IMAP and POP for all future mailboxes
```powershell
Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
```
Disabling IMAP and POP for all existing mailboxes
```powershell
Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
```
The following scripts will take care of the whole operation for you. The first one will disable POP and IMAP for a single Office 365 tenant. The second script is for Microsoft Partners and will disable IMAP and POP for all mailboxes in all customer tenants. Note that these scripts do not work with MFA on the admin account.
How to run these scripts to disable IMAP and POP in Office 365 via PowerShell
- Double click on either of the scripts below to select it all
- Copy and paste it into Visual Studio Code and save it as a .ps1 file
- To allow these scripts to work with an MFA enabled account, you may need to whitelist your current static IP for MFA.
- Run it by pressing F5
- Enter the credentials of an Office 365 global admin, Exchange admin or delegated administrator
- Wait for the script to complete. If you’re running this across a number of tenants, you’ll probably be waiting a while.
How to disable IMAP and POP in a single Office 365 tenant via PowerShell
```powershell
# Connect to Exchange Online with basic authentication (does not work with MFA, as noted above)
$credential = Get-Credential
$Session = New-PSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -ConfigurationName Microsoft.Exchange -Credential $credential `
    -Authentication Basic -AllowRedirection
Import-PSSession $Session -CommandName Get-CASMailbox, Set-CASMailbox, Get-CASMailboxPlan, Set-CASMailboxPlan, Get-OrganizationConfig

Write-Host "Attempting IMAP and POP operations on $((Get-OrganizationConfig).DisplayName)" -ForegroundColor Yellow

# Mailbox plans control the defaults applied to future mailboxes
Write-Host "Disabling IMAP and POP for future mailboxes" -ForegroundColor DarkYellow
Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
# Re-query to confirm no plan still has either protocol enabled
$confirmPlans = Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" }
if (!$confirmPlans) {
    Write-Host "IMAP and POP disabled for all future mailboxes" -ForegroundColor Green
}
else {
    Write-Host "IMAP and POP not disabled for all future mailboxes" -ForegroundColor Red
}

Write-Host "Disabling IMAP and POP on all existing mailboxes" -ForegroundColor DarkYellow
Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
# Re-query to confirm no mailbox still has either protocol enabled
$confirmMailboxes = Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" }
if (!$confirmMailboxes) {
    Write-Host "IMAP and POP disabled on all existing mailboxes`n" -ForegroundColor Green
}

Remove-PSSession $Session
```
How to disable IMAP and POP in all customer Office 365 tenants via PowerShell
```powershell
$credential = Get-Credential
Connect-MsolService -Credential $credential
$customers = Get-MsolPartnerContract -All

foreach ($customer in $customers) {

    Write-Host "Attempting IMAP and POP operations on $($customer.name)" -ForegroundColor Yellow
    # Build the delegated-admin connection URL from the tenant's initial domain
    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial}
    $DelegatedOrgURL = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    $EXODS = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    Import-PSSession $EXODS -CommandName Get-CASMailbox, Set-CASMailbox, Get-CASMailboxPlan, Set-CASMailboxPlan

    # Mailbox plans control the defaults applied to future mailboxes
    Write-Host "Disabling IMAP and POP for future mailboxes" -ForegroundColor DarkYellow
    Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
    $confirmPlans = Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"}
    if (!$confirmPlans) {
        Write-Host "IMAP and POP disabled for all future mailboxes" -ForegroundColor Green
    }
    else {
        Write-Host "IMAP and POP not disabled for all future mailboxes" -ForegroundColor Red
    }

    Write-Host "Disabling IMAP and POP on all existing mailboxes" -ForegroundColor DarkYellow
    Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
    $confirmMailboxes = Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"}
    if (!$confirmMailboxes) {
        Write-Host "IMAP and POP disabled on all existing mailboxes`n" -ForegroundColor Green
    }

    # Close this tenant's session before moving to the next customer
    Remove-PSSession $EXODS
}
```