Hidden intruders in the email inbox
Once attackers have compromised an email account, they can abuse inbox rules to conceal their further activity: for example, by quietly forwarding information out of the network, by ensuring that the victim never sees security alerts, and by deleting specific messages.
Although email security has evolved and machine learning has made suspicious inbox-rule creation easier to detect, attackers continue to use this technique successfully. Because it requires an already compromised account, the overall volume of this threat is probably low. Nevertheless, it poses a serious threat to the integrity of an organization's data and assets, not least because rule creation is a post-compromise technique: the attacker is already inside the network, and immediate countermeasures are required.
Below, we highlight how attackers abuse automated email rules and how organizations can effectively protect themselves.
Email is a primary attack vector
Email-based attacks have a high success rate and are a common entry point for many other cyberattacks. A study by Barracuda found that 75 percent of organizations surveyed globally experienced at least one email security breach in 2022. These attacks range from simple phishing emails with malicious links or attachments to sophisticated social engineering techniques such as business email compromise (BEC), conversation hijacking and account takeover. Some of the most advanced types involve malicious email rules.
How attackers create automated email rules
To create malicious email rules, attackers must have compromised a target account, for example, through a successful phishing email or using stolen credentials captured in a previous intrusion. Once the attacker has gained control of the victim's email account, they can set up one or more automated email rules.
Email rules for information theft and camouflage
Attackers can set up a rule that forwards every email containing sensitive and potentially lucrative keywords such as "payment," "invoice," or "confidential" to an external address. They can also abuse rules to hide specific incoming emails by moving them to rarely used folders, marking them as read or simply deleting them. This lets them suppress security alerts, command-and-control messages, or replies to internal spear-phishing emails sent from the compromised account, and cover their tracks from the account owner, who is probably still using the account without knowing about the intruder. Finally, forwarding rules also let attackers monitor the victim's activity and gather information about the victim or the victim's organization for use in further attacks or operations.
Using email rules for BEC attacks
In business email compromise (BEC) attacks, cybercriminals try to convince their victims that an email comes from a legitimate user in order to defraud the company and its employees, customers, or partners. For example, attackers can set up a rule that deletes all incoming emails from a specific employee or supervisor, such as the chief financial officer (CFO). The criminals can then impersonate the CFO and send fake emails to employees, convincing them to transfer company funds to a bank account controlled by the attackers.
In November 2020, the FBI published a warning about how cybercriminals exploit the lack of synchronization and security transparency between web-based and desktop email clients to set email forwarding rules, increasing the likelihood of a successful BEC attack.
Use of email rules in targeted nation-state attacks
Malicious email rules are also used in targeted nation-state attacks. The MITRE ATT&CK framework of adversary tactics and techniques cites three APTs (advanced persistent threat groups) that use malicious email forwarding (T1114.003): Kimsuky, a nation-state cyber-espionage group; LAPSUS$, known for extortion and disruption attacks; and Silent Librarian, another nation-state group associated with the theft of intellectual property and research.
MITRE classifies email hiding rules (T1564.008) as a technique used to circumvent security defenses. One APT known to use this technique is FIN4, a financially motivated threat actor that creates rules in victims' accounts to automatically delete emails containing words such as "hacked," "phish," and "malware," likely to prevent the victim's IT team from notifying employees and others of their activities.
Security measures that are not enough on their own
If a malicious rule goes undetected, it stays in effect even if the victim's password is changed, multi-factor authentication is enabled, other strict conditional access policies are enforced, or the computer is completely rebuilt. As long as the rule remains in place, it keeps working.
Although suspicious email rules can be a good indication of an attack, looking at them in isolation is not a sufficient signal that an account has been compromised. Defenses must therefore combine multiple signals to reduce noise and alert the security team to a likely successful email attack. The dynamic and evolving nature of cyberattacks, including the sophisticated tactics attackers use, requires a multi-layered approach to detection and defense.
Effective defense measures
Because inbox rule creation is a post-compromise technique, the most effective protection is prevention: stopping attackers from hijacking the account in the first place. However, organizations also need effective incident detection and response to identify accounts under attack and mitigate the impact of those attacks. This requires complete visibility into every action taken on each employee's inbox: which rules are created, what was changed or accessed, the user's login history, the time, location and context of the emails sent, and more. Advanced AI-based email security solutions use this data to build an intelligent account profile for each user and flag any anomaly, however small. An identity-theft protection feature also combines multiple signals, such as credentials, email data and statistical models, with rules to detect an account takeover attack.
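As an added illustration of the visibility described above (and of the forwarding, hiding and BEC rule patterns described earlier), the following example triages inbox-rule creation events and maps them to the ATT&CK techniques named on this page. It is example code, not Barracuda's product or MITRE's; the event shape is a constructed simplification of an audit record, the parameter names are those of the Exchange New-InboxRule cmdlet, and the internal domain, alert words and sample events are constructed.

```python
import re
INTERNAL_DOMAINS = {"example.com"}  # constructed: the organization's own domain(s)
# Parameter names come from the Exchange New-InboxRule cmdlet; the event shape is a constructed simplification.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_PARAMS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
ALERT_WORDS = {"hacked", "phish", "phishing", "malware", "compromised"}  # cf. the FIN4 rules above
DOMAIN_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def _as_list(value):
    """Cmdlet parameters may carry one value or several; always work with a list."""
    return value if isinstance(value, list) else [value]

def triage_rule(event):
    """Return (ATT&CK technique, reason) findings for one inbox-rule audit event."""
    if event.get("operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params, findings = event.get("parameters", {}), []
    # T1114.003: any forwarding or redirect target outside the organization
    for name in FORWARD_PARAMS:
        if name in params:
            domains = {d.lower() for v in _as_list(params[name]) for d in DOMAIN_RE.findall(str(v))}
            if external := sorted(domains - INTERNAL_DOMAINS):
                findings.append(("T1114.003", f"{name} to external domain(s) {external}"))
    # T1564.008: rules that delete, bury or mark-as-read mail so the owner never sees it
    hides = [h for h in HIDE_PARAMS if params.get(h) not in (None, False, "False")]
    if hides:
        words = {str(w).lower() for key in CONDITION_PARAMS for w in _as_list(params.get(key, []))}
        if hit := sorted(words & ALERT_WORDS):
            findings.append(("T1564.008", f"{'/'.join(hides)} on alert words {hit}"))
        if "From" in params:  # silencing one sender, e.g. the CFO in the BEC scenario above
            findings.append(("T1564.008", f"{'/'.join(hides)} for all mail from {params['From']}"))
    return findings

def triage_log(events):
    """Group findings by mailbox; any account with a finding needs a closer look."""
    return {e["user"]: f for e in events if (f := triage_rule(e))}

# Constructed sample audit events: one per pattern described in the text, plus one benign rule
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "operation": "New-InboxRule", "parameters": {
        "SubjectOrBodyContainsWords": ["invoice", "payment"], "ForwardTo": "drop@attacker.invalid"}},
    {"user": "bob@example.com", "operation": "New-InboxRule", "parameters": {
        "From": "cfo@example.com", "DeleteMessage": True}},
    {"user": "carol@example.com", "operation": "Set-InboxRule", "parameters": {
        "SubjectContainsWords": ["hacked", "phish", "malware"], "MarkAsRead": True, "MoveToFolder": "carol:\\RSS Feeds"}},
    {"user": "dave@example.com", "operation": "New-InboxRule", "parameters": {
        "ForwardTo": "deputy@example.com"}},  # internal forwarding: not flagged
]
```

A finding is a lead, not a verdict: as the text notes, rule events should be correlated with login history and other signals before an account is declared compromised.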
Finally, extended detection and response (XDR) and 24/7 monitoring by a security operations center (SOC) can help detect and neutralize even deeply hidden and obfuscated activity. Abusing inbox rules is one of the most insidious tactics used by cybercriminals, but with the measures above, organizations can adequately defend against this threat and protect their sensitive data and assets.