Intruders in your email inbox


Automated email inbox rules are a useful and familiar feature of most email programs. They help manage your inbox and the daily flood of wanted and unwanted messages by allowing you to move emails to specific folders, forward them to colleagues when you're away, or delete them automatically.

However, once an account has been compromised, attackers can abuse inbox rules to disguise further attacks, for example by secretly exfiltrating information from the network via forwarding, ensuring that the victim does not see security warnings, and deleting certain messages.

Email as a primary attack vector

Although email security has evolved and machine learning has made it easier to detect suspicious inbox rule creation, attackers continue to use this technique successfully. Because it requires an already compromised account, the overall volume of this threat is probably low, but it still poses a serious risk to the integrity of an organization's data and assets, not least because rule creation by an attacker is a post-compromise technique: the attacker is already inside the environment, and immediate countermeasures are required.

Email-based attacks have a high success rate and are a common entry point for many other cyberattacks. Barracuda research found that 75 percent of companies surveyed worldwide experienced at least one email security breach in 2022. These attacks range from simple phishing attacks and malicious links or attachments to sophisticated social engineering techniques such as Business Email Compromise (BEC), Conversation Hijacking and Account Takeover. Some of the most advanced types are associated with malicious email rules.

Automated email rules

To create malicious email rules, attackers must have compromised a target account, for example through a successful phishing email or using stolen credentials obtained in a previous breach. Once the attacker gains control of the victim's email account, they can set up one or more automated email rules.

Attackers can set up a rule to forward all emails containing sensitive and potentially lucrative keywords such as "payment," "invoice," or "confidential" to an external address. They can also abuse email rules to hide certain incoming emails by moving them to rarely used folders, marking them as read, or simply deleting them, for example to hide security alerts, command-and-control messages, or replies to internal spear-phishing emails sent from the compromised account, or to cover their tracks from the account owner, who is likely still using the same account without knowing about the intruder. Additionally, attackers can abuse forwarding rules to monitor a victim's activity and collect information about the victim or the victim's organization for use in further attacks or operations.

BEC (Business Email Compromise) attacks

In BEC attacks, cybercriminals attempt to convince their victims that an email comes from a legitimate user in order to defraud the company and its employees, customers or partners. For example, attackers can set up a rule that deletes all incoming emails from a specific employee or manager, such as the Chief Financial Officer (CFO). The real CFO's messages never reach the inbox, so the criminals can impersate the CFO and send fake emails to employees to convince them to transfer company funds to a bank account controlled by the attackers without the two conversations colliding.

In November 2020, the FBI published a report on how cybercriminals exploit the lack of synchronization and security visibility between web-based and desktop email clients to set up email forwarding rules, increasing the likelihood of a successful BEC attack.

Nation-state email attacks

Malicious email rules are also used in targeted nation-state attacks. The MITRE ATT&CK® framework of adversary tactics and techniques names three APTs (Advanced Persistent Threat groups) that use the malicious email forwarding rule technique (T1114.003): Kimsuky, a nation-state cyber espionage group; LAPSUS$, known for its extortion and disruption attacks; and Silent Librarian, another nation-state group linked to the theft of intellectual property and research.

MITRE classifies email hiding rules (T1564.008) as a technique used to evade defenses. One APT known to use this technique is FIN4, a financially motivated threat actor that creates rules in victims' accounts to automatically delete emails containing words like "hacked," "phish," or "malware," likely to prevent the victim's IT team from informing employees and others about the intrusion.

Ineffective security measures

If a malicious rule is not detected, it remains in effect even if the victim's password is changed, multi-factor authentication is enabled, stricter conditional access policies are implemented, or the computer is completely rebuilt. The rule lives in the mailbox, not on the endpoint, so as long as it exists it keeps working.

While suspicious email rules can be a good indication of an attack, looking at these rules in isolation is not a sufficient signal that an account has been compromised: users create forwarding and cleanup rules legitimately every day. Defenses must therefore combine multiple signals to reduce noise and alert the security team to a likely successful email attack. The dynamic and evolving nature of cyberattacks, including the sophisticated tactics attackers employ, requires a multi-layered approach to detection and response.
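The following is an added example, not Barracuda's code, showing how the rule patterns described above (external forwarding of financial mail, FIN4-style hiding of security alerts, BEC-style deletion of one sender's mail) can be triaged from rule-creation audit events and then combined with a second signal, an unfamiliar sign-in by the same user shortly before. The record layout loosely follows the Exchange Online "New-InboxRule" audit operation, but every field name, address, timestamp and keyword list below is a constructed assumption; adapt them to your tenant and log source.

```python
"""
Triage inbox-rule creation events for abuse patterns and correlate them
with sign-in context. Added example (not Barracuda's code); all sample
records, field names and thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

# Keywords attackers forward (payment, invoice, confidential) and keywords
# hiding rules suppress (hacked, phish, malware); extend to taste.
LUCRATIVE_WORDS = {"payment", "invoice", "confidential", "wire", "bank"}
SECURITY_WORDS = {"hacked", "phish", "phishing", "malware", "compromised"}
# Folders users rarely open; attackers park hidden mail there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
LOGIN_WINDOW = timedelta(hours=24)


def _words(value):
    """Normalise a comma-separated str or a list of str to a lowercase set."""
    if not value:
        return set()
    items = value.split(",") if isinstance(value, str) else value
    return {w.strip().lower() for w in items if w.strip()}


def is_external(address):
    """True when the address is not in an internal domain (unparseable counts as external)."""
    if "@" not in address:
        return True
    return address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def rule_findings(params):
    """Return [(description, weight)] for one rule's parameter dict."""
    findings = []
    targets = (_words(params.get("ForwardTo")) | _words(params.get("RedirectTo"))
               | _words(params.get("ForwardAsAttachmentTo")))
    external = sorted(t for t in targets if is_external(t))
    if external:
        findings.append(("forwards mail outside the organisation: " + ", ".join(external), 5))
    matched = _words(params.get("SubjectContainsWords")) | _words(params.get("BodyContainsWords"))
    if external and matched & LUCRATIVE_WORDS:
        findings.append(("forwarded mail is filtered on financial keywords", 2))
    hides = (params.get("DeleteMessage") or params.get("MarkAsRead")
             or str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS)
    if hides and matched & SECURITY_WORDS:
        findings.append(("hides mail mentioning a security incident", 5))
    if params.get("DeleteMessage") and _words(params.get("From")):
        findings.append(("silently deletes mail from specific senders (BEC pattern)", 4))
    if len(str(params.get("Name", "")).strip()) <= 1:
        findings.append(("rule name is empty or a single character", 1))
    return findings


def score_event(event, logins):
    """Combine the rule's own findings with sign-in context for the same user."""
    findings = rule_findings(event["Parameters"])
    created = datetime.fromisoformat(event["CreationTime"])
    for login in logins:
        if login["UserId"] != event["UserId"] or not login.get("Unfamiliar"):
            continue
        age = created - datetime.fromisoformat(login["CreationTime"])
        if timedelta(0) <= age <= LOGIN_WINDOW:
            findings.append((f"created within 24h of an unfamiliar sign-in from {login['ClientIP']}", 3))
    score = sum(w for _, w in findings)
    verdict = "investigate" if score >= 5 else "review" if score else "benign"
    return {"user": event["UserId"], "rule": event["Parameters"].get("Name", ""),
            "score": score, "verdict": verdict, "findings": [f for f, _ in findings]}


# Constructed sample audit records (not real data).
RULE_EVENTS = [
    {"UserId": "alice@example.com", "CreationTime": "2024-03-04T09:12:00",
     "Parameters": {"Name": "Vendor newsletters", "From": "news@vendor.example",
                    "MoveToFolder": "Newsletters"}},
    {"UserId": "bob@example.com", "CreationTime": "2024-03-04T02:41:00",
     "Parameters": {"Name": ".", "SubjectContainsWords": "invoice,payment",
                    "ForwardTo": "b0b.archive@mail-outside.example", "MarkAsRead": True}},
    {"UserId": "carol@example.com", "CreationTime": "2024-03-04T11:05:00",
     "Parameters": {"Name": "Cleanup", "SubjectContainsWords": ["hacked", "phish", "malware"],
                    "DeleteMessage": True}},
    {"UserId": "dave@example.com", "CreationTime": "2024-03-04T14:30:00",
     "Parameters": {"Name": "Skip CFO", "From": "cfo@example.com", "DeleteMessage": True}},
]
LOGIN_EVENTS = [
    {"UserId": "bob@example.com", "CreationTime": "2024-03-04T02:29:00",
     "ClientIP": "203.0.113.77", "Unfamiliar": True},
    {"UserId": "alice@example.com", "CreationTime": "2024-03-04T08:55:00",
     "ClientIP": "192.0.2.10", "Unfamiliar": False},
]


def triage(rule_events=RULE_EVENTS, logins=LOGIN_EVENTS):
    """Score every rule-creation event, highest risk first."""
    return sorted((score_event(e, logins) for e in rule_events), key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in triage():
        print(f"{result['verdict']:11} {result['score']:2}  {result['user']:18} {result['findings']}")
```

Run as-is, the external-forwarding rule created twelve minutes after an unfamiliar sign-in scores highest, the keyword-deletion rule is flagged on its own, and the CFO-deletion rule lands in "review" rather than "investigate": a legitimate reason for such a rule exists, which is exactly why the page recommends corroborating signals before calling an account compromised. In production the events would come from the tenant's unified audit log and sign-in log rather than the inline lists, and the weights would be tuned against your own false-positive rate.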

Effective defense measures

Since creating inbox rules is a post-compromise technique, the most effective protection is prevention, i.e. stopping attackers from hijacking the account in the first place. However, organizations also need effective incident detection and response measures to identify compromised accounts and limit the impact of these attacks. This includes complete visibility into all actions taken in each employee's inbox: which rules are created, what was changed or accessed, the user's login history, the time, location and context of emails sent, and more. Advanced AI-based email security solutions use this data to build a behavioral profile for each account and flag any anomaly, however small. Account takeover protection likewise combines multiple signals such as login data, email data and statistical models with rules to detect an account takeover attack.

Finally, extended detection and response (XDR) and 24/7 monitoring by a security operations center (SOC) can help ensure that even deeply hidden and obfuscated activity is detected and neutralized. Abusing inbox rules is one of the most insidious tactics used by cybercriminals. With the measures above, however, companies can adequately defend themselves against this threat and protect their sensitive data and assets.

About Barracuda Networks

Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt as the customer journey progresses. More than 150,000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit
