Attackers exploit inbox rules to avoid detection
New research shows that once an attacker has compromised an email account, they can use inbox rules to hide in plain sight: quietly moving information out of your network via the compromised inbox while hiding the security warnings that would give them away.
The report from Barracuda describes techniques including setting a rule that forwards to an external address every email containing sensitive and potentially lucrative keywords such as 'payment' or 'confidential', in order to steal information or money.
"The abuse of email inbox rules is a brilliantly effective attack tactic that provides stealth and is easy to implement once an attacker has compromised an account," says Prebh Dev Singh, manager, email protection product management at Barracuda. "Even though email detection has advanced over the years, and the use of machine learning has made it easier to spot suspicious rule creation -- our detection numbers show that attackers continue to implement this technique with success. Malicious rule creation poses a serious threat to the integrity of an organisation's data and assets. Because it is a post-compromise technique, it's a sign that attackers are already in your network. Immediate action is required to get them out."
For business email compromise (BEC) attacks, attackers can set a rule that deletes all inbound emails from a particular colleague, such as the chief financial officer (CFO). This lets the attackers impersonate the CFO, sending colleagues fake emails that convince them to transfer company funds to a bank account the attackers control.
The worryingly clever part is that if the malicious rule isn't spotted, it stays operational even if the victim's password is changed, multi-factor authentication is turned on, stricter conditional access policies are imposed, or the computer is completely rebuilt. As long as the rule stays in place, it remains effective.
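As an added illustration of how a defender might audit for the two rule patterns described above (this is example code written for this page, not from the Barracuda report), the script below scores a list of inbox rules for external forwarding keyed on sensitive words and for silent deletion of mail from protected senders such as the CFO. The rule records, the `example.com` internal domain and the addresses are constructed for the example; the field names only echo Exchange Online inbox-rule property names (ForwardTo, RedirectTo, DeleteMessage, From, SubjectOrBodyContainsWords) and are not read from any real mailbox.

```python
from __future__ import annotations
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Bait words named in the article for keyword-triggered forwarding rules
SENSITIVE_WORDS = {"payment", "confidential"}

# Senders whose mail should never be silently dropped (constructed for the example)
PROTECTED_SENDERS = {"cfo@example.com"}


@dataclass
class InboxRule:
    """One mailbox rule; field names echo Exchange Online inbox-rule properties."""
    name: str
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    from_addresses: list[str] = field(default_factory=list)
    subject_or_body_contains: list[str] = field(default_factory=list)
    enabled: bool = True


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def findings_for_rule(rule: InboxRule, protected_senders: set[str]) -> list[str]:
    """Return human-readable findings for one rule (empty list if nothing suspicious)."""
    findings: list[str] = []
    if not rule.enabled:
        return findings

    # Pattern 1 (exfiltration): mail forwarded or redirected outside the organisation
    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    if external:
        findings.append("forwards or redirects mail to external address(es): " + ", ".join(external))
        bait = sorted(w for w in rule.subject_or_body_contains if w.lower() in SENSITIVE_WORDS)
        if bait:
            findings.append("forwarding is keyed on sensitive words: " + ", ".join(bait))

    # Pattern 2 (BEC set-up): mail from a protected sender is silently deleted
    if rule.delete_message:
        hidden = sorted(a for a in rule.from_addresses if a.lower() in protected_senders)
        if hidden:
            findings.append("silently deletes mail from protected sender(s): " + ", ".join(hidden))
        elif not rule.from_addresses and not rule.subject_or_body_contains:
            findings.append("deletes every inbound message (rule has no conditions)")
    return findings


def audit_rules(rules: list[InboxRule], protected_senders: set[str]) -> dict[str, list[str]]:
    """Map each rule name to its findings, keeping only rules that raised one."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = findings_for_rule(rule, protected_senders)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample rules: two mirror the article's patterns, two are benign controls.
SAMPLE_RULES = [
    InboxRule(name="Archive", forward_to=["collector@external-mail.example"],
              subject_or_body_contains=["payment", "Confidential"]),
    InboxRule(name="Cleanup", delete_message=True, from_addresses=["CFO@example.com"]),
    InboxRule(name="Newsletters", delete_message=True, from_addresses=["news@vendor.example"]),
    InboxRule(name="Share with team", forward_to=["team-lead@example.com"]),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES, PROTECTED_SENDERS).items():
        print(f"[!] rule {name!r}:")
        for finding in findings:
            print("    -", finding)
```

Because a malicious rule survives password resets and MFA enrolment, the check is worth running against every mailbox as part of the incident-response playbook rather than only at the time of compromise; a real deployment would pull the rule list from the mail platform's admin API and compare results over time so that newly created rules stand out.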
You can read more on the research findings on the Barracuda blog.
Photo credit: TijanaM / Shutterstock