A new Threat Spotlight by Barracuda researchers shows how attackers can misuse inbox rules in a compromised account to evade detection while, among other things, quietly moving information out of the corporate network via the breached inbox.
Attackers can also use rules to ensure that victims don't see security warnings, to file selected messages in obscure folders where the victim won't easily find them, or to delete messages from the senior executive they are impersonating in an attempt to extract money.
"The abuse of email inbox rules is a brilliantly effective attack tactic that provides stealth and is easy to implement once an attacker has compromised an account," says Prebh Dev Singh, Manager, Email Protection Product Management at Barracuda.
"Even though email detection has advanced over the years, and the use of machine learning has made it easier to spot suspicious rule creation, our detection numbers show that attackers continue to implement this technique with success," he says.
"Malicious rule creation poses a serious threat to the integrity of an organisation's data and assets. Because it is a post-compromise technique, it's a sign that attackers are already in your network. Immediate action is required to get them out."
Once an attacker has compromised a victim's email account, for example through phishing or stolen credentials, they can set one or more automated email rules to maintain stealthy, persistent access to the mailbox, which they can use for a variety of malicious purposes, including:
- To steal information or money, and delay detection. The attackers might set a rule to forward to an external address all emails containing sensitive and potentially lucrative keywords such as payment, invoice, or confidential.
- To hide specific inbound emails such as security alerts or command-and-control communications by moving such messages to rarely used folders, marking emails as read, or simply deleting them.
- To monitor the activities of a victim and collect intelligence on the victim or the victim's organisation to use as part of further exploits or operations.
- For business email compromise (BEC) attacks, setting a rule that deletes all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO). This allows the attackers to pretend to be the CFO, sending colleagues fake emails to convince them to transfer company funds to a bank account controlled by the attackers.
If the malicious rule isn't spotted, it stays operational even if the victim's password is changed, multi-factor authentication is turned on, strict conditional access policies are imposed, or the computer is completely rebuilt. As long as the rule stays in place, it remains effective.
Effective defences against malicious email inbox rules
The most effective protection is prevention: stopping attackers from compromising the account in the first place.
You also need effective detection and incident response measures in place to identify breached accounts and mitigate the impact. This includes having full visibility of every action taken in every employee's inbox: what rules are created, what's been modified or accessed, the user's logon history, the time, location and context of emails sent, and more.
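As an added example (not Barracuda's code or part of the Threat Spotlight), here is a small Python check that applies the rule patterns described above to inbox-rule audit events: it flags rules that forward to an external domain, delete messages, move mail to rarely used folders or mark mail as read, and notes when such a rule also filters on lucrative keywords. The event shape (a cmdlet name plus a list of parameter name/value pairs), the `example.com` domain and the sample records are assumptions constructed for this example.

```python
import json
# Assumed organisation domain; folder and keyword lists follow the patterns described above.
INTERNAL_DOMAINS = {"example.com"}
OBSCURE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "archive"}
LUCRATIVE_WORDS = {"payment", "invoice", "confidential", "wire", "bank"}

def rule_params(event):  # flatten the cmdlet parameter list into a name -> value dict
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}

def assess_rule(event):
    """Return the reasons a New-InboxRule / Set-InboxRule event looks malicious (empty list if none)."""
    params, reasons = rule_params(event), []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):  # exfiltration via forwarding
        for addr in params.get(key, "").replace(";", " ").split():
            domain = addr.strip('"<>').rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                reasons.append(f"{key} to external domain {domain}")
    if params.get("DeleteMessage", "").lower() == "true":  # silent deletion, the BEC pattern
        reasons.append("deletes matching messages")
    folder = params.get("MoveToFolder", "").split("\\")[-1].lower()  # "user:\Inbox\RSS Feeds" -> "rss feeds"
    if folder in OBSCURE_FOLDERS:
        reasons.append(f"moves mail to obscure folder '{folder}'")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks messages as read")
    words = (params.get("SubjectContainsWords", "") + " " + params.get("BodyContainsWords", "")).lower()
    hits = sorted(w for w in LUCRATIVE_WORDS if w in words)
    if hits and reasons:  # keyword filters only matter when paired with a forward/hide/delete action
        reasons.append(f"filters on sensitive keywords {hits}")
    return reasons

def find_suspicious(events):
    """Map rule name -> reasons for every rule creation/modification event that trips a check."""
    flagged = {}
    for ev in events:
        reasons = assess_rule(ev) if ev.get("Operation") in ("New-InboxRule", "Set-InboxRule") else []
        if reasons:
            flagged[rule_params(ev).get("Name", "<unnamed>")] = reasons
    return flagged

# Constructed sample events shaped like Exchange admin audit records (not real log data)
SAMPLE_EVENTS = json.loads(r'''[
 {"Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Newsletters"},
   {"Name": "From", "Value": "news@vendor.example.com"}, {"Name": "MoveToFolder", "Value": "alice@example.com:\\Inbox\\Newsletters"}]},
 {"Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "MarkAsRead", "Value": "True"},
   {"Name": "SubjectContainsWords", "Value": "invoice;payment;confidential"}, {"Name": "ForwardTo", "Value": "drop@attacker-mail.invalid"}]},
 {"Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Cleanup"},
   {"Name": "From", "Value": "cfo@example.com"}, {"Name": "DeleteMessage", "Value": "True"}]}
]''')
print(find_suspicious(SAMPLE_EVENTS))  # the legitimate "Newsletters" rule is not flagged; "." and "Cleanup" are
```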
AI-based protection uses such data to create an intelligent account profile for each user and any anomalies, however subtle, are immediately flagged for attention.
Impersonation Protection uses multiple signals such as login data, emails data, and statistical models along with rules to identify an account takeover attack.
Finally, extended detection and response (XDR) measures, including Barracuda's XDR Cloud Security and 24/7 monitoring by a security operations centre (SOC), can help to ensure that even deeply hidden and obfuscated activity is spotted and neutralised.