How Attackers Use Email Inbox Rules Against You After Breaching Your Account – Barracuda
A new Threat Spotlight from Barracuda, a trusted partner and leading provider of cloud-first security solutions, shows how attackers commonly misuse inbox rules in compromised accounts to evade detection, steal money and information, and launch business email compromise (BEC) attacks.
The Threat Spotlight highlights how attackers can obscure their actions via inbox rules, so victims don’t see what’s going on until it’s too late. These tactics include ensuring victims don’t see security warnings, filing telltale messages in obscure folders where the victim won’t easily find them, and deleting messages from the senior executive the attacker is pretending to be, in an attempt to extract money.
According to Barracuda, once an attacker has compromised a victim’s email account, for example by phishing or using stolen credentials, they can set one or more automated email rules to maintain stealthy, persistent access to the mailbox – something they can use for a whole variety of malicious purposes. This can include attempts to steal information or money by setting rules to forward emails containing lucrative keywords like ‘payment’, ‘invoice’ and ‘confidential’ to the attackers’ external email address, and hiding specific inbound emails, such as security alerts or command-and-control communications, by moving them to rarely used folders, marking them as ‘read’, or simply deleting them.
Barracuda researchers also reveal how attackers are able to monitor the activities of a victim and collect intelligence on the victim or the victim’s organisation to use as part of further exploits or operations, as well as launch BEC attacks by setting a rule that deletes all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO). This allows the attackers to pretend to be the CFO, sending colleagues fake emails to convince them to transfer company funds to a bank account controlled by the attackers.
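As an added illustration that is not part of the Barracuda article or its products, the following Python triage routine applies the rule-abuse patterns from the two paragraphs above (external forwarding on sensitive keywords, hiding mail from an impersonated executive, suppressing security alerts, burying mail in obscure folders) to a set of constructed inbox rules. The internal domain, mailbox addresses, folder names and the `InboxRule` record shape are assumptions made for the example, not a real export schema.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed values for this example: the domain, mailboxes and rule records are
# illustrative and not taken from the Threat Spotlight or any real tenant.
INTERNAL_DOMAIN = "example.com"
SENSITIVE_KEYWORDS = {"payment", "invoice", "confidential"}
EXECUTIVE_SENDERS = {"cfo@example.com"}      # identities a BEC actor would impersonate
SECURITY_SENDERS = {"alerts@example.com"}    # where security warnings come from
OBSCURE_FOLDERS = {"rss subscriptions", "conversation history", "archive"}

@dataclass
class InboxRule:
    name: str
    subject_contains: list[str] = field(default_factory=list)
    from_address: str | None = None
    forward_to: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    mark_as_read: bool = False
    delete: bool = False

def analyze_rule(rule: InboxRule) -> list[str]:
    """Return the reasons a rule matches the abuse patterns described above (empty = benign)."""
    findings: list[str] = []
    hides = rule.delete or rule.move_to_folder is not None
    sender = (rule.from_address or "").lower()
    external = [a for a in rule.forward_to if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards mail to external address(es): " + ", ".join(external))
    keywords = {k.lower() for k in rule.subject_contains} & SENSITIVE_KEYWORDS
    if keywords and (external or hides):
        findings.append("acts on sensitive keywords: " + ", ".join(sorted(keywords)))
    if sender in EXECUTIVE_SENDERS and hides:
        findings.append(f"hides mail from executive {sender} (BEC impersonation setup)")
    if sender in SECURITY_SENDERS and (hides or rule.mark_as_read):
        findings.append("suppresses security alerts")
    if rule.move_to_folder and rule.move_to_folder.lower() in OBSCURE_FOLDERS and rule.mark_as_read:
        findings.append(f"buries mail in '{rule.move_to_folder}' and marks it read")
    return findings

def triage(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its findings; benign rules are omitted."""
    return {r.name: f for r in rules if (f := analyze_rule(r))}

# Constructed sample rules: one legitimate, three modelled on the tactics in the text.
SAMPLE_RULES = [
    InboxRule("Newsletters", subject_contains=["newsletter"], move_to_folder="Newsletters"),
    InboxRule("Finance", subject_contains=["invoice", "payment"], forward_to=["drop@attacker.example"]),
    InboxRule("Cleanup", from_address="cfo@example.com", delete=True),
    InboxRule("Alerts", from_address="alerts@example.com", move_to_folder="RSS Subscriptions", mark_as_read=True),
]
```

Running `triage(SAMPLE_RULES)` flags the three malicious rules and leaves the newsletter rule alone; in practice the same checks would be run over rule records exported from the mail platform's audit or admin interface.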
“The abuse of email inbox rules is a brilliantly effective attack tactic that provides stealth and is easy to implement once an attacker has compromised an account,” said Mark Lukie, Head of Solution Architects at Barracuda APAC.
“Even though email detection has advanced over the years, and the use of machine learning has made it easier to spot suspicious rule creation – our detection numbers show that attackers continue to implement this technique with success. Malicious rule creation poses a serious threat to the integrity of an organisation’s data and assets. Because it is a post-compromise technique, it’s a sign that attackers are already in your network. Immediate action is required to get them out.”
According to Barracuda, in order to stay protected against these tactics, prevention is always better than remediation, which means ensuring you have the right security solution in place to detect and mitigate these attacks. To do this effectively, they recommend deploying a solution with AI protection which can provide full visibility of actions taken in every employee’s inbox, including what rules are created, what’s been modified or accessed, the user’s logon history, the time, location and context of emails sent, and more. Having a solution which can spot and flag any anomalies, however small, is also recommended, along with impersonation protection to identify account takeover attacks, plus extended detection and response (XDR) measures, which can help to ensure that even deeply hidden and obfuscated activity is spotted and neutralised.
“If the malicious rule isn’t spotted, it stays operational even if the victim’s password is changed, they turn on multi-factor authentication, impose other strict conditional access policies, or their computer is completely rebuilt. As long as the rule stays in place, it remains effective,” added Mr. Lukie.
Read the full Threat Spotlight blog post: https://blog.barracuda.com/2023/09/20/threat-spotlight-attackers-inbox-rules-evade-detection