Is MFA enforced on email accounts — including any legacy mail clients / IMAP / SMTP auth?
Demonstrate that MFA is enforced for all email account access methods, including legacy authentication protocols, preventing credential-only access to organizational email.
Description
What this control does
This control ensures that multi-factor authentication (MFA) is enforced on all email accounts, including access via legacy protocols such as IMAP, POP3, and SMTP authentication. Legacy mail clients often use basic authentication (a username and password sent with every request) with no session-based security controls, so a stolen password alone is enough to read or send mail. Organizations must configure email systems to block legacy authentication methods or upgrade them to modern authentication flows that support MFA, or implement conditional access policies that mandate MFA even for protocol-based authentication.
Control objective
What auditing this proves
Demonstrate that MFA is enforced for all email account access methods, including legacy authentication protocols, preventing credential-only access to organizational email.
Associated risks
Risks this control addresses
- Credential stuffing attacks succeed against email accounts using only username and password via IMAP or SMTP
- Phished credentials provide persistent email access through legacy mail clients bypassing MFA controls
- Compromised service accounts authenticate to email via application passwords or basic auth without second-factor verification
- Attackers exfiltrate email data through unmonitored legacy protocol sessions that evade modern security telemetry
- Lateral movement occurs when stolen credentials authenticate to email systems that federate or link to other enterprise resources
- Business email compromise (BEC) attacks leverage legacy protocol access to establish persistence and monitoring outside primary webmail interfaces
- Automated malware establishes command-and-control channels through SMTP authentication that bypasses MFA enforcement
Testing procedure
How an auditor verifies this control
- Inventory all email access methods enabled in the environment, including webmail, mobile apps, IMAP, POP3, SMTP, Exchange ActiveSync, and any documented legacy clients.
- Obtain authentication policy configurations from the email system (e.g., Exchange Online authentication policies, Google Workspace security settings, on-premises Exchange authentication rules).
- Review conditional access policies or authentication policies to identify whether legacy authentication protocols are blocked, disabled, or subject to MFA enforcement.
- Select a sample of 10-15 active user accounts across different roles and departments for testing.
- Attempt to authenticate to email via an IMAP client using correct credentials but no second factor (using a test account or an isolated test environment) to verify that the attempt is blocked.
- Review authentication logs for the sampled accounts over the past 30 days to identify any successful authentications using legacy protocols and verify MFA was enforced or access was denied.
- Interview IT administrators to confirm processes for onboarding users, provisioning MFA, and handling exceptions for legacy protocol requirements.
- Validate that any documented exceptions (service accounts, approved devices) have compensating controls such as IP restrictions, certificate-based authentication, or app passwords with MFA enrollment.
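To make the log-review and exception-validation steps concrete, here is an added example (not part of the original control text) that scans constructed sign-in records for successful legacy-protocol authentications without a satisfied MFA claim and separates documented exceptions for compensating-control review; the field names and protocol labels are assumptions about a generic log export, not any vendor's schema.

```python
import json

# Protocols that carry only a username/password and cannot complete an MFA challenge.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP AUTH", "Exchange ActiveSync"}

# Constructed sample sign-in records (not real log data); the field names are assumptions.
SAMPLE_LOG = """
{"user": "alice@example.test", "client": "Browser", "status": "success", "mfa": "satisfied"}
{"user": "bob@example.test", "client": "IMAP4", "status": "success", "mfa": "none"}
{"user": "carol@example.test", "client": "IMAP4", "status": "failure", "mfa": "none"}
{"user": "svc-scanner@example.test", "client": "SMTP AUTH", "status": "success", "mfa": "none"}
{"user": "dave@example.test", "client": "Exchange ActiveSync", "status": "success", "mfa": "satisfied"}
"""


def parse_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def legacy_usage(records):
    """Count successful sign-ins per legacy protocol (supports the inventory step)."""
    counts = {}
    for r in records:
        if r["client"] in LEGACY_PROTOCOLS and r["status"] == "success":
            counts[r["client"]] = counts.get(r["client"], 0) + 1
    return counts


def legacy_auth_findings(records, exceptions=frozenset()):
    """Return (findings, excepted).

    findings: successful legacy-protocol sign-ins where MFA was not satisfied,
              i.e. the control failed for that account.
    excepted: the same condition for accounts on the documented exception list;
              the auditor must confirm compensating controls for each of these.
    Failed sign-ins are ignored because a denial is the expected blocking behavior.
    """
    findings, excepted = [], []
    for r in records:
        if r["client"] not in LEGACY_PROTOCOLS or r["status"] != "success":
            continue
        if r["mfa"] == "satisfied":
            continue
        (excepted if r["user"] in exceptions else findings).append(r)
    return findings, excepted


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    found, exc = legacy_auth_findings(recs, exceptions={"svc-scanner@example.test"})
    print("legacy protocol usage:", legacy_usage(recs))
    print("control failures:", [r["user"] for r in found])
    print("documented exceptions to validate:", [r["user"] for r in exc])
```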