Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends


Cybercriminals adapt inbox rules to remain invisible and move data

Email attack on the IT industry

In a new study, Barracuda Networks researchers show how attackers can abuse inbox rules once they have gained access to an email account, avoiding detection while stealing information from a company’s network. This type of attack relies on victims not seeing security alerts – and the attacker archiving selected messages in discreet folders that the victim doesn’t notice.

"The abuse of email inbox rules is a smart and effective tactic that happens covertly. It is easy to implement once an attacker has gained access to an account," says Prebh Dev Singh, Head of Email Protection Product Management at Barracuda.

Although email detection tools have evolved and machine learning has made it easier to spot suspicious rules, Barracuda's study shows that cybercriminals continue to attack companies in this way. Manipulated rules can therefore be a serious threat to a company's data and other assets.


"Because it's a technique used after an account has been taken over, it's a sure sign that you have an attacker on your network. This means immediate action is required to get them out," says Peter Graymon, head of Barracuda Networks in the Nordics.

Stolen from an e-mail account in Braschen

Once an attacker has gained access to an email account, for example through phishing or by using stolen login credentials, they can set up one or more automated email rules that allow them to continue accessing the mailbox without being detected. This can be used for a variety of malicious purposes, including:

  • to steal information or money and delay detection. Attackers can set a rule to forward all emails containing sensitive and potentially lucrative keywords such as “payment,” “invoice,” or “confidential” to an external address.
  • to hide specific incoming emails such as security alerts by moving such messages to rarely used folders, marking emails as read, or simply deleting them.
  • to monitor the activities of the victim and collect information about them (or the company) that can be used as part of further attacks.
  • for so-called CEO fraud (BEC), by setting up a rule that deletes all incoming emails from a specific colleague, such as the chief financial officer (CFO). This allows attackers to pretend to be the CFO and send fake emails to colleagues to convince them to transfer money to a bank account controlled by the attackers.

If the abused rule is not detected, it will remain in effect even if the victim's password is changed, multi-factor authentication is enabled, other strict conditional access policies are implemented, or the computer is rebuilt. As long as the rule remains in place, it risks becoming an effective tool for the attacker.
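Because such rules survive a password reset, a review of the mailbox's rules belongs in the account-recovery checklist. The following is an added example, not code from Barracuda's study or this article: it flags rules that match the patterns listed above, assuming the rules have been exported as dictionaries shaped like Microsoft Graph `messageRule` objects. The internal domain, keyword lists and sample rules are constructed for illustration.

```python
# Added example: flag inbox rules matching the abuse patterns listed above.
# Assumptions: rules are dicts shaped like Microsoft Graph messageRule objects;
# INTERNAL_DOMAINS, the keyword lists and SAMPLE_RULES are constructed here.
INTERNAL_DOMAINS = {"example.com"}
MONEY_WORDS = ("payment", "invoice", "confidential")
ALERT_WORDS = ("security", "alert", "sign-in", "password")
FORWARD = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
HIDE = ("delete", "permanentDelete", "moveToFolder", "markAsRead")

def addresses(recipients):
    return [r["emailAddress"]["address"].lower() for r in recipients or []]

def is_internal(address):
    return address.rsplit("@", 1)[-1] in INTERNAL_DOMAINS

def audit_rule(rule):
    """Return the findings for one rule; an empty list means nothing flagged."""
    cond, act = rule.get("conditions") or {}, rule.get("actions") or {}
    text = " ".join(w.lower() for k in ("subjectContains", "bodyContains",
                    "bodyOrSubjectContains") for w in cond.get(k, []))
    findings = []
    if any(not is_internal(a) for k in FORWARD for a in addresses(act.get(k))):
        findings.append("forwards-externally")
        if any(w in text for w in MONEY_WORDS):
            findings.append("keyword-exfiltration")
    if any(act.get(k) for k in HIDE) and any(w in text for w in ALERT_WORDS):
        findings.append("hides-security-alerts")
    deletes = act.get("delete") or act.get("permanentDelete")
    if deletes and any(is_internal(a) for a in addresses(cond.get("fromAddresses"))):
        findings.append("deletes-mail-from-colleague")
    return findings

SAMPLE_RULES = [  # constructed data, not taken from the study
    {"displayName": ".", "conditions": {"bodyOrSubjectContains": ["Invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.invalid"}}]}},
    {"displayName": "..", "conditions": {"subjectContains": ["Security alert"]},
     "actions": {"moveToFolder": "folder-id-placeholder", "markAsRead": True}},
    {"displayName": "cfo", "conditions": {"fromAddresses": [
        {"emailAddress": {"address": "cfo@example.com"}}]}, "actions": {"delete": True}},
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "folder-id-placeholder"}},
]

def audit(rules):
    return {r["displayName"]: f for r in rules if (f := audit_rule(r))}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name!r}: {', '.join(findings)}")
```

A rule that is flagged here is a lead for the responder to confirm with the mailbox owner, not proof of compromise; ordinary filing rules such as the last sample pass without findings.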
