Researchers at Barracuda describe how attackers use legitimate email inbox rules to control compromised accounts and evade detection.
“In order to create malicious email rules, the attackers need to have compromised a target account, for example, through a successful phishing email or by using stolen credentials seized in an earlier breach,” the researchers write.
“Once the attacker is in control of the victim’s email account – a type of attack known as an account takeover – they can set one or more automated email rules, a simple process that enables the attackers to maintain stealthy, persistent access to the mailbox – something they can use for a whole variety of malicious purposes.”
Inbox rules can be exploited to carry out further social engineering attacks using the compromised accounts.
“BEC attacks are all about convincing others that an email has come from a legitimate user, in order to defraud the company and its employees, customers, or partners,” the researchers write.
“Attackers could set a rule that deletes all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO). This allows the attackers to pretend to be the CFO, sending colleagues fake emails to convince them to transfer company funds to a bank account controlled by the attackers.”
Barracuda notes that these rules can give attackers access to emails even if they get locked out of the account.
“If the malicious rule isn’t spotted, it stays operational even if the victim's password is changed, they turn on multi-factor authentication, impose other strict conditional access policies, or their computer is completely rebuilt,” the researchers write.
“As long as the rule stays in place, it remains effective. Furthermore, even though suspicious email rules can be a good indication of an attack, just looking at them in isolation may not provide a strong enough signal that an account has been compromised.”
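The two quoted points above (a rule that silently deletes mail from a specific colleague such as the CFO, and the warning that a suspicious rule on its own may not be a strong enough signal) can be turned into a small triage routine. The following is an added example, not Barracuda's code or part of the original article: it scores mailbox rules for takeover indicators (delete, external forward, filing into rarely-read folders, mark-as-read, sender suppression, throwaway names) and then raises the score when the rule was created shortly after a risky sign-in on the same mailbox. The rule and sign-in records are constructed for illustration and only loosely follow the fields a mailbox-rule export typically contains; `ORG_DOMAIN`, the folder list, the score weights, the 24-hour window and the threshold are all assumptions to tune for your own tenant.

```python
"""Triage mailbox rules for account-takeover indicators.

Added example (not Barracuda's code). The rule and sign-in records at the
bottom are constructed; field names approximate a mailbox-rule export.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"            # assumption: the organisation's own mail domain
HIDING_FOLDERS = {                    # assumption: folders owners rarely open
    "deleted items", "rss feeds", "rss subscriptions",
    "junk email", "archive", "conversation history",
}
CORRELATION_WINDOW = timedelta(hours=24)   # assumption: rule created within 24h of risky sign-in


@dataclass
class MailboxRule:
    mailbox: str
    name: str
    created: datetime
    sender_contains: list[str] = field(default_factory=list)
    delete: bool = False
    forward_to: list[str] = field(default_factory=list)
    move_to_folder: str = ""
    mark_as_read: bool = False


@dataclass
class RiskySignIn:
    mailbox: str
    time: datetime
    detail: str


def is_external(address: str) -> bool:
    """True when the address is outside ORG_DOMAIN."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def score_rule(rule: MailboxRule) -> tuple[int, list[str]]:
    """Score one rule in isolation; returns (score, human-readable reasons)."""
    score, reasons = 0, []
    if rule.delete:
        score += 3
        reasons.append("deletes matching messages")
    ext = [a for a in rule.forward_to if is_external(a)]
    if ext:
        score += 4
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves messages to rarely-read folder '{rule.move_to_folder}'")
    if rule.mark_as_read and (rule.delete or rule.move_to_folder or rule.forward_to):
        score += 1
        reasons.append("marks messages read, hiding activity from the owner")
    if rule.sender_contains and (rule.delete or rule.move_to_folder):
        # the CFO-suppression pattern: hide mail from one specific colleague
        score += 1
        reasons.append("suppresses mail from specific senders: " + ", ".join(rule.sender_contains))
    if not any(c.isalpha() for c in rule.name):
        score += 1
        reasons.append(f"non-descriptive rule name {rule.name!r}")
    return score, reasons


def correlate(rule: MailboxRule, signins: list[RiskySignIn]) -> tuple[int, list[str]]:
    """Combine the rule score with risky sign-ins on the same mailbox."""
    score, reasons = score_rule(rule)
    if score == 0:
        return 0, []
    for s in signins:
        age = rule.created - s.time
        if s.mailbox == rule.mailbox and timedelta(0) <= age <= CORRELATION_WINDOW:
            score += 3
            reasons.append(f"created {age} after risky sign-in ({s.detail})")
    return score, reasons


def triage(rules, signins, threshold: int = 5):
    """Return (mailbox, rule name, score, reasons) for rules at or above threshold."""
    hits = []
    for r in rules:
        score, reasons = correlate(r, signins)
        if score >= threshold:
            hits.append((r.mailbox, r.name, score, reasons))
    return sorted(hits, key=lambda h: -h[2])


# --- constructed sample data -------------------------------------------------
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_RULES = [
    MailboxRule("alice@example.com", "Newsletter filing", T0 - timedelta(days=400),
                sender_contains=["newsletter@"], move_to_folder="Newsletters"),
    MailboxRule("bob@example.com", ".", T0 + timedelta(minutes=12),
                sender_contains=["cfo@example.com"], delete=True, mark_as_read=True),
    MailboxRule("bob@example.com", "Sync", T0 + timedelta(minutes=15),
                forward_to=["mailbox-archive@attacker.example"], mark_as_read=True),
    MailboxRule("carol@example.com", "Out of office helper", T0 - timedelta(days=30),
                move_to_folder="RSS Feeds"),
]
SAMPLE_SIGNINS = [RiskySignIn("bob@example.com", T0, "new device and country")]

if __name__ == "__main__":
    for mailbox, name, score, reasons in triage(SAMPLE_RULES, SAMPLE_SIGNINS):
        print(f"{score:>2}  {mailbox}  rule={name!r}")
        for reason in reasons:
            print(f"      - {reason}")
```

Run stand-alone, only Bob's two rules cross the threshold: the CFO-suppression rule scores 6 on its own and 9 once the sign-in correlation is applied, and the external forward scores 5 then 8. Alice's newsletter filing and Carol's RSS-folder rule score 1 and 2 and stay below it, which is the point of the second quote: the rule features alone would produce a noisy alert, while the same features plus a risky sign-in minutes earlier are worth a page. Because the article stresses that a rule outlives password resets and MFA enrolment, `score_rule` is deliberately usable without any sign-in data, so a periodic sweep of all rules still catches the high-scoring ones long after the original sign-in has aged out of the logs.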
Barracuda has the story.