In a new study, Barracuda Networks researchers show how attackers can abuse inbox rules once they have gained access to an email account. In this way, they avoid detection while stealing information from the company's network. That type of attack relies on the victim not seeing security warnings, and on the attacker archiving selected messages in inconspicuous folders that the victim does not notice.
Abusing email inbox rules is a smart and effective stealth tactic.
It is easy to execute once an attacker has gained access to an account, says Prebh Dev Singh, Head of Email Protection Product Management at Barracuda.
Although email detection tools have evolved and machine learning has made it easier to detect suspicious rules, Barracuda's study shows that cybercriminals continue to target businesses in this way. Manipulated rules can therefore be a serious threat to their data and other assets.
Since it is a technique used after an account has been taken over, it is a sure sign that you have an attacker in your network. This means that immediate measures are required to get them out, says Peter Graymon, responsible for Barracuda Networks in the Nordics.
Once an attacker gains access to an email account, for example through phishing or by using stolen credentials, they can set up one or more automated email rules that allow them to continue to access the mailbox undetected. Such rules can be used for a variety of malicious purposes, including:
- to steal information or money and delay detection. The attackers can set a rule to forward all emails containing sensitive and potentially lucrative keywords such as "payment", "invoice" or "confidential" to an external address.
- to hide specific incoming emails such as security alerts by moving such messages to rarely used folders, marking emails as read or simply deleting them.
- to monitor the activities of the victim and collect information about them (or the company) that can be used as part of further attacks.
- for so-called CEO fraud (business email compromise, BEC), setting up a rule that deletes all incoming emails from a specific colleague, such as the Chief Financial Officer (CFO). This allows the attackers to pretend to be the CFO and send fake emails to colleagues to convince them to transfer money to a bank account controlled by the attackers.
If the abused rule is not detected, it continues to apply even if the victim's password is changed, multi-factor authentication is enabled, other strict conditional access policies are implemented, or the computer is rebuilt. As long as the rule remains in place, it risks remaining an effective tool for the attacker.
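Because a malicious rule survives password resets and MFA enrolment, the rules themselves have to be reviewed. The Python example below is added here and is not part of Barracuda's study; it runs heuristic checks over a constructed, simplified list of inbox rules (the record layout, field names and the internal domain `example.com` are assumptions, not any vendor's export format) and flags the three abuse patterns described above: keyword-matched mail forwarded to an external address, security alerts hidden by moving, marking read or deleting, and mail from one internal colleague silently deleted.

```python
# Heuristic checks for suspicious inbox rules, mirroring the abuse patterns
# described in the article. The rule records are a constructed, simplified
# representation; the field names are an assumption, not a vendor schema.
import re

ORG_DOMAIN = "example.com"  # assumed internal mail domain
SENSITIVE_KEYWORDS = {"payment", "invoice", "confidential"}
ALERT_SENDERS = re.compile(r"(security|alert|noreply|no-reply)", re.IGNORECASE)
OBSCURE_FOLDERS = {"rss feeds", "conversation history", "archive", "junk", "deleted items"}

# Constructed sample rules: one benign, three matching the described patterns.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".", "conditions": {"body_or_subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["drop@attacker-example.net"]}},
    {"name": "x", "conditions": {"from_contains": ["security-alerts@example.com"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"name": "cfo", "conditions": {"from_contains": ["cfo@example.com"]},
     "actions": {"delete": True}},
]

def is_external(address):
    return not address.lower().endswith("@" + ORG_DOMAIN)

def analyze_rule(rule):
    """Return a list of findings for one rule (empty when nothing is suspicious)."""
    findings = []
    cond = rule.get("conditions", {})
    act = rule.get("actions", {})
    keywords = {k.lower() for key in ("subject_contains", "body_or_subject_contains")
                for k in cond.get(key, [])}
    senders = [s.lower() for s in cond.get("from_contains", [])]
    external = [a for a in act.get("forward_to", []) if is_external(a)]
    # Pattern 1: mail matching lucrative keywords forwarded outside the organisation.
    if external and keywords & SENSITIVE_KEYWORDS:
        findings.append(f"exfiltration: forwards {sorted(keywords & SENSITIVE_KEYWORDS)} mail to {external}")
    elif external:
        findings.append(f"external forwarding to {external}")
    # Pattern 2: alert-like senders hidden by moving, marking as read or deleting.
    hides = (act.get("delete") or act.get("mark_as_read")
             or act.get("move_to_folder", "").lower() in OBSCURE_FOLDERS)
    if hides and any(ALERT_SENDERS.search(s) for s in senders):
        findings.append(f"alert suppression: hides mail from {senders}")
    # Pattern 3: mail from an internal colleague deleted outright (BEC setup).
    if act.get("delete") and senders and all(not is_external(s) for s in senders):
        findings.append(f"deletes mail from internal sender {senders}")
    return findings

def find_suspicious_rules(rules):
    """Map rule name -> findings for every rule that triggered at least one check."""
    return {r["name"]: f for r in rules if (f := analyze_rule(r))}
```

In practice the records would come from a mailbox audit export, and every hit should be reviewed with the account owner rather than removed blindly.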