Beware of Suspicious Email Forwarding Activity
Hackers manipulate inbox rules and mail forwarding techniques for various malicious activities, primarily aimed at unauthorized access, data theft, or covert communication. Such tactics are widely deployed during Business Email Compromise (BEC) and phishing campaigns. It’s important that businesses are aware of the risks and have a solution (and team) in place for ongoing monitoring and real-time remediation. In this blog post, we will define BEC scams, share a real-life example, and outline how your business can prevent these attacks.
What is a BEC scam?
BEC is a cybercrime whereby scammers assume the digital identity of a trusted person to trick employees or customers into taking a desired action, such as making a payment or purchase, sharing data, or divulging sensitive information. Executives, finance employees, HR Managers, and new or entry-level employees are often targeted. These attacks are commonly carried out in three ways: domain spoofing, social engineering and compromised accounts.
Suspicious Inbox and Email Forwarding Rules
Inbox rules are typically used to automate email management tasks like sorting, filtering, or forwarding emails based on certain criteria. Hackers can abuse these rules in two ways: to exfiltrate sensitive data by forwarding matching mail to an external email address, and to hide emails from the intended recipient by moving or deleting incoming mail.
Malicious inbox rules automate the exfiltration process. With such rules, every email in the target user's inbox that matches the rule criteria will be forwarded to the attacker's mailbox. For example, an attacker might want to gather sensitive data related to finance, banking keywords, or invoices (this is really common). Hackers can also exploit these rules to:
- Delete emails: They can set up rules to delete incoming emails that may alert the victim or contain security alerts, preventing the victim from detecting suspicious activity.
- Redirect emails: Redirecting emails to a different folder or marking them as read helps hackers hide their activity by making it less likely that the victim notices unauthorized access.
- Hijack an email account: After compromising an account through techniques like phishing or social engineering, hackers can change the account's settings to forward emails to their own addresses without the account owner's knowledge.
- DNS manipulation: In more sophisticated attacks, hackers manipulate DNS settings to reroute email traffic through their own servers before delivering it to the intended recipients. This enables them to intercept, monitor, or modify email communications.
- Email spoofing: Hackers can forge email headers to make it appear as though emails are coming from legitimate sources, including emails that carry forwarding or redirection instructions. This can trick recipients into unwittingly following the hacker's instructions or disclosing sensitive information.
By exploiting inbox rules and mail forwarding techniques, hackers can stealthily intercept communications, gather sensitive information, or maintain persistent access to compromised accounts, all while evading detection by the victim and security measures.
Hackers are Coming for your Payroll: A Real-Life Example
As a Managed Service Provider for 170+ Canadian businesses, we have a bird’s eye view of common cyber threats. We thought we would share one example of a hacker that compromised a professional’s email account. In this example, once the bad actor gained access to the account they created email rules around banking information and were then able to intercept sensitive communications and steal a large sum of money. Here’s how it happened:
- The hacker compromised an email account;
- They filtered all banking-related mail to themselves using an inbox forwarding rule so that they could read it;
- The next time the employee logged into their email, they were emailed a Multifactor Authentication code; a copy was forwarded to the hacker, and they were in!
Lesson: Ensure you have a security analyst or a Security Operations Center (SOC) team monitoring your mailboxes and identity 24/7/365!
Nucleus Networks: Managed Detection & Response for 365 (MDR365) Services
At Nucleus, we’ve adopted MDR for Microsoft 365. It’s a security software solution that is backed by real people; a SOC team that is solely dedicated to protecting Microsoft 365 environments. It integrates seamlessly with the Microsoft cloud environment to collect and analyze user, tenant, and application data to more precisely review anything deemed suspicious and remediate threats quickly. Types of threats detected:
- Suspicious login identification
- Suspicious mail forward configuration
- Privilege escalation: A technique used by hackers to gain unauthorized access to elevated rights, permissions, entitlements or privileges beyond what is assigned to an identity, account or user
- Account isolation
- Rule removal
We’re dedicated to securing all aspects of your IT environment. As the cyber threat landscape evolves, so will our Managed Security Services and support. Reach out to us to learn more about how we can help secure your business.