Threat Spotlight: How attackers use inbox rules to evade detection after compromise

From our sponsorAutomated email inbox rules are a useful and familiar feature of most email clients. They help people manage their inboxes and the daily flood of wanted and unwanted communications by enabling them to move emails to specific folders, forward them to colleagues while they’re away, or simply delete them.

If attackers have compromised your account, they can use inbox rules to hide in plain sight while they — among other things — quietly move information out of the network via your inbox, ensure that you don’t see security warnings, file selected messages in obscure folders so you won’t easily find them, or delete messages from the senior executive they are pretending to be in an attempt to extract money.

In short, this is an absolutely brilliant attack tactic that provides stealth and is easy to implement on a compromised account.

Email detection has advanced over the years, and the use of machine learning has made it easier to spot suspicious rule creation — but as Barracuda’s detection numbers show, attackers continue to implement this technique with success. Because the technique requires a compromised account, the overall numbers may be relatively low. However, it still poses a serious threat to the integrity of an organization’s data and assets — not least because rule creation is a post-compromise technique. This means that attackers are already in your network. Immediate action is required to get them out.

We believe it is important to understand the risk and how to respond to it. This blog post explores how attackers use automated email rules for malicious activity, the defensive measures that don’t work, and the ones that do.

Email is a primary attack vector

Email-borne attacks have a high success rate, and they provide a common entry point for many other cyberattacks. Barracuda research found that 75% of the companies surveyed around the world had at least one email security breach in 2022.

These attacks range from basic phishing and malicious links or attachments, to sophisticated social engineering techniques such as business email compromise (BEC), conversation hijacking, and account takeover. Some of the most advanced types are associated with malicious email rules.

How attackers create automated email rules — and why

In order to create malicious email rules, the attackers need to have compromised a target account, for example, through a successful phishing email or by using stolen credentials seized in an earlier breach. Once the attacker is in control of the victim’s email account – a type of attack known as an account takeover – they can set one or more automated email rules, a simple process that enables the attackers to maintain stealthy, persistent access to the mailbox – something they can use for a whole variety of malicious purposes.

Number of malicious email inbox rules detected - weekly

Using email rules to steal information or money, and delay detection

The attackers might set a rule to forward to an external address all emails containing sensitive and potentially lucrative key words such as “payment,” “invoice,” or “confidential.”

Attackers might also use email rules to hide specific inbound emails by moving such messages to rarely used folders, marking emails as read, or simply deleting them. They could do this, for example, to hide security alerts, command-and-control communications, responses to internal spear-phishing emails sent from the compromised account, or to hide their tracks from the account owner who is likely using the account at the same time, unaware of the intruders.

In addition, attackers can create email forwarding rules to monitor the activities of a victim and collect intelligence on the victim or the victim’s organization to use as part of further exploits or operations.

Using email rules for business email compromise (BEC) attacks

BEC attacks are all about convincing others that an email has come from a legitimate user, in order to defraud the company and its employees, customers, or partners.

Attackers could set a rule that deletes all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO). This allows the attackers to pretend to be the CFO, sending colleagues fake emails to convince them to transfer company funds to a bank account controlled by the attackers.

In November 2020, the FBI published a notification on how cybercriminals were exploiting the lack of synchronization and security visibility between web-based and desktop email clients to set email forwarding rules to increase the likelihood of a successful BEC attack.

Using email rules in targeted nation-state attacks

Malicious email rules are also used in targeted attacks. The MITRE ATT&CK® framework of adversary tactics and techniques classifies malicious email forwarding as T1114.003 and names three advanced persistent threat groups (APTs) that use the technique. They are Kimsuky, a cyber-espionage nation-state threat actor; LAPSUS$, which is known for its extortion and disruption attacks; and Silent Librarian, another nation-state group associated with the theft of intellectual property and research.

MITRE classifies email hiding rules (T1564.008) as a technique used for defense evasion.  One APT known to use this technique is FIN4, a financially motivated threat actor that creates rules in victims’ accounts to automatically delete emails containing words such as “hacked,” “phish,” and “malware,” probably to prevent the victim’s IT team from alerting employees and others to their activities.

Defenses that don’t work (on their own)

If the malicious rule isn’t spotted, it stays operational even if the victim’s password is changed, they turn on multifactor authentication, impose other strict conditional access policies, or their computer is completely rebuilt. As long as the rule stays in place, it remains effective.

Furthermore, even though suspicious email rules can be a good indication of an attack, just looking at them in isolation may not provide a strong enough signal that an account has been compromised. Defenses must employ multiple signals to reduce noise and alert the security team to what is likely to be a successful email attack. The dynamic and evolving nature of cyberattacks, including the use of sophisticated tactics by attackers, necessitates a multifaceted approach to detection and defense.

Effective defenses

Because inbox rule creation is a post-compromise technique, the most effective protection is prevention — stopping attackers from being able to compromise the account in the first place. But you also need effective detection and incident response measures in place to identify breached accounts and mitigate the impact.

This includes having full visibility of every action being taken in every employee’s inbox, what rules are created, what’s been modified or accessed, the user’s logon history, the time and location and context of emails sent, and more. Barracuda’s AI-based protection uses such data to create an intelligent account profile for each user — and any anomalies, however subtle, are immediately flagged for attention. In addition, Barracuda’s Impersonation Protection uses multiple signals such as login data, emails data, and statistical models along with rules to identify an account takeover attack.

Finally, extended detection and response (XDR) measures, including Barracuda’s XDR Cloud Security and 24/7 monitoring by a security operations center (SOC), can help to ensure even deeply hidden and obfuscated activity is spotted and neutralized.

This Threat Spotlight was authored by Prebh Dev Singh with research and content support from Tilly Travers and Alex Angel.

Photo: SeventyFour / Shutterstock

This post originally appeared on Smarter MSP.