Attackers Exploit Email Inbox Rules to Conceal Compromises and Evade Detection

Barracuda Shines a Light on the Dark Side of Automated Inbox Rules

In the ever-evolving landscape of cybersecurity threats, attackers are leveraging an unexpected tool to conceal their activities: email inbox rules. Barracuda, a renowned player in email security, has shed light on this alarming trend in its recent blog post titled Threat Spotlight: Attackers Use Inbox Rules to Evade Detection.

Automated email inbox rules, a common feature in email clients, are typically used to streamline inbox management. They allow users to sort emails into folders, forward messages, or even delete them automatically. However, when attackers gain access to your account, they can employ these seemingly innocuous rules to effectively disappear in plain sight.

Attackers, once they’ve infiltrated an account, can employ inbox rules to orchestrate a range of malicious activities. This includes surreptitiously exfiltrating sensitive data from the network via your inbox, ensuring that security warnings go unnoticed, hiding crucial messages in obscure folders, or even erasing communications from high-ranking executives, impersonating them in an attempt to extort money.

The sheer brilliance of this attack tactic lies in its stealth and ease of execution, making it a potent weapon in the hands of cybercriminals.

While email detection methods have evolved, with machine learning helping identify suspicious rule creation, Barracuda’s data reveals that attackers continue to exploit this technique successfully. Although the numbers may be relatively low due to the necessity of a compromised account, this threat poses a grave danger to an organization’s data and assets. Crucially, rule creation occurs post-compromise, indicating that attackers are already within the network, demanding immediate action for their removal.

Understanding the risk and formulating effective responses are paramount. Barracuda’s blog post delves into how attackers employ automated email rules for malicious activities, dissects ineffective defense measures, and outlines those that prove effective.

Email: The Primary Attack Vector

Email remains a primary vector for cyberattacks, with a soaring success rate and serving as a gateway for various other cyber threats. Barracuda’s research highlights that a staggering 75% of surveyed companies worldwide experienced at least one email security breach in 2022. These breaches encompass everything from basic phishing and malicious attachments to sophisticated tactics like business email compromise (BEC) and malicious email rules.

How Attackers Craft Automated Email Rules — and Why

Creating malicious email rules necessitates compromising a target account, typically through a successful phishing attack or the use of stolen credentials obtained in a prior breach. Once the attacker gains control of the victim’s email account, referred to as an account takeover, they can configure one or more automated email rules. This straightforward process grants attackers the ability to maintain stealthy and persistent access to the mailbox, which they can exploit for a plethora of nefarious purposes.

Exploiting Email Rules for Data Theft and Evasion

Attackers can employ email rules to forward emails containing sensitive keywords, such as “payment,” “invoice,” or “confidential,” to external addresses, facilitating information or money theft while delaying detection.

Additionally, they can use these rules to hide incoming emails by relocating them to rarely accessed folders, marking them as read, or outright deleting them. This tactic may be employed to obscure security alerts, command-and-control communications, responses to internal spear-phishing emails sent from the compromised account, or to evade the account owner, who is often unaware of the intrusion.

Furthermore, attackers can establish email forwarding rules to monitor a victim’s activities and gather intelligence on the victim or their organization, which can be leveraged for subsequent exploits or operations.

BEC Attacks: Deceptive Rules for Fraud

Business email compromise (BEC) attacks revolve around convincing recipients that an email is from a legitimate user in order to perpetrate fraud. Attackers may create rules to automatically delete inbound emails from specific colleagues, such as the Chief Financial Officer (CFO). This allows attackers to impersonate the CFO, sending fraudulent emails that persuade others to transfer company funds to an account controlled by the attackers.
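The rule patterns described in the two sections above (external forwarding keyed on sensitive words, hiding mail in rarely viewed folders, suppressing security alerts, and deleting mail from an executive) can be checked mechanically once a mailbox's rules have been exported. The script below is an added example written for this article, not Barracuda's code; the export format, field names, folder list, keyword lists and sample rules are all constructed assumptions, and in practice the rules would be pulled from the mail platform's admin API and the internal domain and executive addresses filled in for the tenant being reviewed.

```python
"""Flag exported inbox rules that match known account-takeover abuse patterns.

Example code for illustration; the export shape below is an assumption, not
any vendor's real format.
"""

INTERNAL_DOMAINS = {"example.com"}                         # assumption: our own tenant
SENSITIVE_KEYWORDS = {"payment", "invoice", "confidential"}
SECURITY_ALERT_KEYWORDS = {"security alert", "suspicious sign-in", "password reset"}
RARELY_VIEWED_FOLDERS = {"rss subscriptions", "conversation history", "archive", "junk email"}
EXECUTIVE_SENDERS = {"cfo@example.com", "ceo@example.com"}  # constructed list

# Constructed sample export (not real data). Each rule has match conditions and actions.
SAMPLE_RULES = [
    {"name": "Invoices",
     "conditions": {"contains": ["invoice", "payment"], "from": []},
     "actions": {"forward_to": ["collect@mailhost.example.net"],
                 "move_to_folder": None, "mark_as_read": False, "delete": False}},
    {"name": "Cleanup",
     "conditions": {"contains": [], "from": ["cfo@example.com"]},
     "actions": {"forward_to": [], "move_to_folder": None,
                 "mark_as_read": False, "delete": True}},
    {"name": "Alerts",
     "conditions": {"contains": ["suspicious sign-in", "security alert"], "from": []},
     "actions": {"forward_to": [], "move_to_folder": "RSS Subscriptions",
                 "mark_as_read": True, "delete": False}},
    {"name": "Newsletters",                       # benign: normal folder, no sensitive match
     "conditions": {"contains": [], "from": ["news@vendor.example"]},
     "actions": {"forward_to": [], "move_to_folder": "Newsletters",
                 "mark_as_read": True, "delete": False}},
    {"name": "Project X",                         # benign: forwards only inside the tenant
     "conditions": {"contains": ["project x"], "from": []},
     "actions": {"forward_to": ["teammate@example.com"], "move_to_folder": None,
                 "mark_as_read": False, "delete": False}},
]


def is_external(address: str) -> bool:
    """True if the address's domain is outside the organisation."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def classify_rule(rule: dict) -> list[str]:
    """Return the list of abuse patterns a single rule matches (empty if none)."""
    cond, act = rule["conditions"], rule["actions"]
    keywords = {k.lower() for k in cond.get("contains", [])}
    senders = {s.lower() for s in cond.get("from", [])}
    folder = (act.get("move_to_folder") or "").lower()
    # Any action that keeps a message out of the owner's sight counts as hiding it.
    hides_mail = bool(act.get("delete") or act.get("mark_as_read") or folder in RARELY_VIEWED_FOLDERS)

    findings = []
    # Data theft: forwarding outside the tenant, worse when keyed on money/secrecy words.
    if any(is_external(a) for a in act.get("forward_to", [])):
        findings.append("external-forward-sensitive" if keywords & SENSITIVE_KEYWORDS
                        else "external-forward")
    # Evasion: park mail where nobody looks and mark it read so no unread badge appears.
    if folder in RARELY_VIEWED_FOLDERS and act.get("mark_as_read"):
        findings.append("hide-and-mark-read")
    # Evasion: silence the platform's own compromise warnings.
    if hides_mail and keywords & SECURITY_ALERT_KEYWORDS:
        findings.append("suppress-security-alert")
    # BEC setup: remove the real executive's messages so an impersonation is not contradicted.
    if act.get("delete") and senders & EXECUTIVE_SENDERS:
        findings.append("delete-executive-mail")
    return findings


def scan_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name to findings, keeping only rules with at least one finding."""
    report = {}
    for rule in rules:
        findings = classify_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_rules(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against the constructed sample, the scan reports Invoices, Cleanup and Alerts and stays silent on the two benign rules. Because the text notes that rule creation happens only after an account is already compromised, any hit from a scan like this should be treated as an account-takeover lead, not just a policy violation: the rule is removed, the credentials and sessions are reset, and the mailbox's recent sent items and sign-in history are reviewed.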

In November 2020, the FBI issued a warning about cybercriminals exploiting the lack of synchronization and security visibility between web-based and desktop email clients to establish email forwarding rules, increasing the likelihood of successful BEC attacks.

In light of these evolving threats, it is crucial for organizations and individuals to remain vigilant and adopt robust security measures to safeguard against email-based attacks, including the ingenious use of inbox rules by cybercriminals. Barracuda’s insights serve as a valuable resource in understanding and mitigating these emerging threats in the ever-expanding realm of cybersecurity.