
Spotlight on threats: how attackers use inbox rules to evade detection after compromise

October 3, 2023 by ST DIGITAL, Fabrice ADZRAKOU

Automated inbox rules are a useful and familiar feature of most email clients. They help people manage their inboxes and the daily flow of wanted and unwanted communications by allowing them to move emails to specific folders, forward them to colleagues during their absence, or simply delete them.

If attackers have compromised your account, they can use inbox rules to hide in plain sight while they discreetly move information out of the network via your inbox, ensure you do not see security alerts, file selected messages in obscure folders so you cannot easily find them, or delete messages from the senior executive they are impersonating in an attempt to extort money.

In short, this is an absolutely brilliant attack tactic that provides stealth and is easy to implement on a compromised account.

Email detection has progressed over the years and the use of machine learning has made it easier to detect the creation of suspicious rules, but as Barracuda's detection figures show, attackers continue to implement this technique successfully. Because the technique requires a compromised account, the overall figures may be relatively low. However, it still poses a serious threat to the integrity of an organisation's data and assets, particularly because rule creation is a post-compromise technique. This means that attackers are already on your network. Immediate action is required to remove them.

We believe it is important to understand the risk and how to respond to it. This blog post explores how attackers use automated email rules for malicious activities, which defensive measures do not work, and which ones do.

Email is a primary attack vector


Email attacks have a high success rate and represent a common entry point for many other cyberattacks. Barracuda Research revealed that 75% of companies surveyed worldwide experienced at least one email security breach in 2022.

These attacks range from basic phishing and malicious links or attachments to sophisticated social engineering techniques such as Business Email Compromise (BEC), conversation hijacking and account takeover. Some of the most advanced types are associated with malicious email rules.

How attackers create automated messaging rules — and why


In order to create malicious mailbox rules, attackers must have compromised a target account — for example, through a successful phishing email or by using stolen credentials obtained during a previous breach. Once the attacker controls the victim's email account — a type of attack known as account takeover — they can set one or more automated email rules, a simple process that enables attackers to maintain covert and persistent access to the mailbox — something they can exploit for malicious purposes.


Use of email rules to steal information or money and delay detection


Attackers could set a rule to forward all emails containing sensitive and potentially lucrative keywords such as "payment", "invoice" or "confidential" to an external address.

Attackers can also use email rules to conceal specific incoming emails by moving these messages to rarely used folders, marking emails as read or simply deleting them. They could do this, for example, to hide security alerts, command and control communications, replies to internal spear-phishing emails sent from the compromised account, or to cover their tracks from the account owner who is likely using the account at the same time, unaware of the intruders.

Furthermore, attackers can create email forwarding rules to monitor a victim's activities and collect intelligence on the victim or the victim's organisation for use in further exploits or operations.

Use of email rules for BEC (Business Email Compromise) attacks

BEC attacks aim to convince others that an email comes from a legitimate user, in order to defraud the business and its employees, customers or partners.

Attackers could set a rule that deletes all incoming emails from a specific colleague, such as the Chief Financial Officer (CFO). This allows attackers to impersonate the CFO, sending fake emails to their colleagues to convince them to transfer company funds to a bank account controlled by the attackers.

In November 2020, the FBI published a notification on how cybercriminals were exploiting the lack of synchronisation and security visibility between web and desktop email clients to set email forwarding rules in order to increase the likelihood of a successful BEC attack.

Use of email rules in nation-state targeted attacks


Malicious email rules are also used in targeted attacks. The MITRE ATT&CK® framework for adversarial tactics and techniques classifies malicious email forwarding as T1114.003 and names three advanced persistent threat (APT) groups that use this technique. These are Kimsuky, a cyber espionage actor associated with a nation-state threat; LAPSUS$, known for its extortion and disruption attacks; and Silent Librarian, another nation-state group associated with the theft of intellectual property and research.

MITRE classifies email hiding rules (T1564.008) as a technique used for defense evasion. One APT known to use this technique is FIN4, a financially motivated threat actor that creates rules in victims' accounts to automatically delete emails containing words such as "hacked", "phishing" and "malware", presumably to prevent the victim's IT team from alerting employees and others about the intrusion.
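The rule behaviours described in the sections above (forwarding mail that matches financial keywords to an external address, deleting or hiding messages that match security keywords, and silencing every message from a specific colleague such as the CFO) leave a trace in the audit trail that Exchange Online writes when a rule is created or modified. The following Python is an added example and is not code from this post or from Barracuda: it parses a few constructed audit records shaped like unified audit log entries for New-InboxRule and Set-InboxRule and scores each rule against those behaviours. The domain example.com, the keyword and folder lists, the scoring weights, the alert threshold and the sample records are all assumptions.

```python
"""Triage of mailbox rule creation events.

Added example: scores New-InboxRule / Set-InboxRule audit records for the
behaviours described in the post (external forwarding, hiding messages that
match security keywords, silencing a specific sender). The sample records,
the internal domain, keyword lists, folder names and weights are constructed
assumptions, not Barracuda logic.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}          # assumption: the organisation's own domain(s)
SECURITY_KEYWORDS = {"hacked", "phishing", "malware", "security", "alert"}
FINANCE_KEYWORDS = {"payment", "invoice", "confidential", "wire"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
ALERT_THRESHOLD = 40

# Constructed sample: one JSON record per line, shaped like Exchange Online
# unified audit log entries (Operation, UserId, Parameters name/value list).
SAMPLE_LOG = r'''
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment"}, {"Name": "ForwardTo", "Value": "\"Collector\" [SMTP:collector@mail-example.net]"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [{"Name": "Name", "Value": "Cleanup"}, {"Name": "SubjectOrBodyContainsWords", "Value": "hacked;phishing;malware"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [{"Name": "Name", "Value": "CFO"}, {"Name": "From", "Value": "cfo@example.com"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "dave@example.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@vendor-example.com"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "Set-InboxRule", "UserId": "erin@example.com", "Parameters": [{"Name": "Name", "Value": "Out of office"}, {"Name": "ForwardTo", "Value": "\"Bob\" [SMTP:bob@example.com]"}]}
{"Operation": "UserLoggedIn", "UserId": "erin@example.com", "Parameters": []}
'''

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_parameters(record):
    """Flatten the audit record's Parameters list into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_true(value):
    return str(value).strip().lower() == "true"


def _keywords(value):
    """Split a 'word1;word2' condition value into a lowercase set."""
    return {w.strip().lower() for w in re.split(r"[;,]", value or "") if w.strip()}


def score_rule(params):
    """Return (score, reasons) for one rule's parameter set."""
    score, reasons = 0, []

    # Forwarding or redirecting to an address outside the organisation.
    external = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in EMAIL_RE.findall(params.get(key, "")):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                external.append(addr)
    if external:
        score += 50
        reasons.append("forwards to external address: " + ", ".join(external))

    # Keyword conditions on subject and/or body.
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words |= _keywords(params.get(key))

    # Actions that keep the message out of the owner's sight.
    hides = (_is_true(params.get("DeleteMessage"))
             or _is_true(params.get("MarkAsRead"))
             or params.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    if hides:
        score += 20
        reasons.append("hides matching mail (delete, mark as read or move to a rarely used folder)")
        if words & SECURITY_KEYWORDS:
            score += 40
            reasons.append("hidden mail matches security keywords: " + ", ".join(sorted(words & SECURITY_KEYWORDS)))
        if params.get("From") and not words:
            score += 30
            reasons.append("silences every message from " + params["From"])
    if external and words & FINANCE_KEYWORDS:
        score += 30
        reasons.append("forwarded mail matches financial keywords: " + ", ".join(sorted(words & FINANCE_KEYWORDS)))
    return score, reasons


def triage(log_text, threshold=ALERT_THRESHOLD):
    """Return findings for rule operations whose score reaches the threshold."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = parse_parameters(record)
        score, reasons = score_rule(params)
        if score >= threshold:
            findings.append({"user": record["UserId"], "rule": params.get("Name", "<unnamed>"),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['score']:>3}  {f['user']:<20} rule '{f['rule']}': " + "; ".join(f["reasons"]))
```

On the sample, the external forward of invoice mail, the deletion of mail mentioning "hacked"/"phishing"/"malware" and the deletion of everything from the CFO are reported; the newsletter filing rule and the out-of-office forward to a colleague stay below the threshold. In a real deployment the parameter values come from the audit log rather than an inline string, and the weights should be tuned against the organisation's own benign rules so that the score stays a signal to be combined with others rather than a verdict on its own.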

Defences that do not work (alone)


If the malicious rule is not detected, it remains operational even if the victim's password is changed, multi-factor authentication is enabled, stricter conditional access policies are enforced, or the computer is completely rebuilt. As long as the rule remains in place, it remains effective.

Furthermore, even though suspicious email rules can be a good indication of an attack, looking at them in isolation may not provide a strong enough signal that an account has been compromised. Defences must combine multiple signals to reduce noise and alert the security team to what is likely a successful email attack. The dynamic and evolving nature of cyberattacks, including the use of sophisticated tactics by attackers, requires a multidimensional approach to detection and defence.
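The two points above, that a rule survives a credential reset and that a rule on its own is a weak signal, can be illustrated with a small correlation routine. The following Python is an added example and is not code from this post or from Barracuda. It walks a constructed event timeline for three users: a rule flagged as suspicious is escalated to high severity only when it follows, within 24 hours, a sign-in from a country the user had never signed in from before; a suspicious rule after a routine sign-in stays at low severity for review; and any rule created before a password reset and not removed by then is reported for remediation, because the reset does not disable it. The users, countries (ZZ is a constructed placeholder code), timestamps, the baseline cut-off and the 24-hour window are assumptions.

```python
"""Multi-signal correlation for suspected account takeover.

Added example, not code from the post or from Barracuda. Events, users,
countries (ZZ is a placeholder code) and the 24-hour window are constructed
assumptions. A suspicious rule is only escalated when it follows a sign-in
from a never-before-seen country; a rule created before a password reset
and not yet removed is reported because the reset does not disable it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    user: str
    kind: str                 # "signin", "rule_created", "rule_removed", "password_reset"
    detail: dict = field(default_factory=dict)


def _t(s):
    return datetime.fromisoformat(s)


# Constructed timeline. Sign-ins before BASELINE_CUTOFF define each user's
# normal set of countries; everything after it is the period being hunted.
BASELINE_CUTOFF = _t("2023-09-24T00:00")
EVENTS = [
    Event(_t("2023-09-01T08:00"), "alice@example.com", "signin", {"country": "FR"}),
    Event(_t("2023-09-12T08:05"), "alice@example.com", "signin", {"country": "FR"}),
    Event(_t("2023-09-18T08:10"), "alice@example.com", "signin", {"country": "FR"}),
    Event(_t("2023-09-02T09:00"), "bob@example.com", "signin", {"country": "FR"}),
    Event(_t("2023-09-03T09:00"), "carol@example.com", "signin", {"country": "FR"}),
    # alice: sign-in from an unseen country, then a suspicious rule 28 minutes later,
    # then the real user signs in, then the helpdesk resets the password.
    Event(_t("2023-09-25T03:12"), "alice@example.com", "signin", {"country": "ZZ"}),
    Event(_t("2023-09-25T03:40"), "alice@example.com", "rule_created", {"rule": "Invoices", "suspicious": True}),
    Event(_t("2023-09-25T09:00"), "alice@example.com", "signin", {"country": "FR"}),
    Event(_t("2023-09-26T10:00"), "alice@example.com", "password_reset"),
    # bob: benign rule, removed again before a routine password reset.
    Event(_t("2023-09-25T10:00"), "bob@example.com", "signin", {"country": "FR"}),
    Event(_t("2023-09-25T10:20"), "bob@example.com", "rule_created", {"rule": "Newsletters", "suspicious": False}),
    Event(_t("2023-09-25T15:00"), "bob@example.com", "rule_removed", {"rule": "Newsletters"}),
    Event(_t("2023-09-25T16:00"), "bob@example.com", "password_reset"),
    # carol: suspicious-looking rule, but only after a sign-in from her usual country.
    Event(_t("2023-09-25T11:00"), "carol@example.com", "signin", {"country": "FR"}),
    Event(_t("2023-09-25T11:30"), "carol@example.com", "rule_created", {"rule": "Cleanup", "suspicious": True}),
]


def build_baseline(events, cutoff):
    """Countries each user signed in from before the cutoff."""
    seen = {}
    for e in events:
        if e.kind == "signin" and e.time < cutoff:
            seen.setdefault(e.user, set()).add(e.detail["country"])
    return seen


def correlate(events, baseline, window=timedelta(hours=24)):
    """Combine rule events with sign-in history and credential resets."""
    alerts = []
    events = sorted(events, key=lambda e: e.time)
    for i, e in enumerate(events):
        earlier = [x for x in events[:i] if x.user == e.user]
        if e.kind == "rule_created" and e.detail.get("suspicious"):
            novel = [x for x in earlier
                     if x.kind == "signin"
                     and e.time - x.time <= window
                     and x.detail["country"] not in baseline.get(e.user, set())]
            if novel:
                alerts.append({"user": e.user, "rule": e.detail["rule"], "severity": "high",
                               "why": "suspicious rule created %s after sign-in from unseen country %s"
                                      % (e.time - novel[-1].time, novel[-1].detail["country"])})
            else:
                alerts.append({"user": e.user, "rule": e.detail["rule"], "severity": "low",
                               "why": "suspicious rule but no corroborating signal; queue for review"})
        elif e.kind == "password_reset":
            # A reset changes nothing about rules already in the mailbox.
            created = {x.detail["rule"] for x in earlier if x.kind == "rule_created"}
            removed = {x.detail["rule"] for x in earlier if x.kind == "rule_removed"}
            for rule in sorted(created - removed):
                alerts.append({"user": e.user, "rule": rule, "severity": "remediation",
                               "why": "rule created before the credential reset is still in place; remove it"})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, build_baseline(EVENTS, BASELINE_CUTOFF)):
        print(a["severity"].upper(), a["user"], a["rule"], "-", a["why"])
```

Run stand-alone, the routine produces a high-severity alert for alice, a low-severity review item for carol, nothing for bob, and a remediation item for alice at the moment of her password reset, which is the point of the section: the reset closes the door the attacker came through but leaves the rule they created behind.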

Effective defences


Since the creation of inbox rules is a post-compromise technique, the most effective protection is prevention — that is, stopping attackers from compromising the account in the first place. However, you also need effective incident detection and response measures to identify compromised accounts and mitigate the impact.

This includes full visibility into every action performed in each employee's inbox, rules created, what has been modified or accessed, the user's login history, the time, location and context of emails sent, and more. Barracuda's AI-based protection uses this data to build an intelligent account profile for each user — and any anomaly, however subtle, is immediately flagged for attention. In addition, Barracuda's account takeover protection uses multiple signals such as login data, email data and statistical models, as well as rules to identify an account takeover attack.

Finally, extended detection and response (XDR) measures, including Barracuda XDR Cloud Security and 24/7 monitoring by a Security Operations Center (SOC), can help ensure that even deeply hidden and obfuscated activities are detected and neutralized.


SOURCE: BARRACUDA partner blog 

