Red Canary's Latest Research Explores Email Auto-Forwarding Rules

Industry: N/A | Level: Tactical | Source: Red Canary

Red Canary's latest research explores the importance of detection against email-based threats, specifically on email forwarding rules. As referenced in the FBI Internet Crime Complaint Center (IC3) aggregating data from June 2016 to December 2021, business email compromises cost victims upwards of $43 billion. Once a threat actor has access to a victim's mailbox, an abundance of data is available to them along with a means to not only exfiltrate it, but also maintain access. Forwarding rules enable attackers to receive emails in real-time as their target receives the communication and persists until the forwarding rule is spotted by the victim. As best described by Red Canary, "Adversaries set up forwarding rules as a form of insurance in case they lose access to their victim’s email account." Forwarding rules can collect data for various keywords including "statement, wire transfer, deposit, password reset" and others. Discretely tampering with the mailbox, adversaries can also mark emails read and/or move emails to different folders. Additionally, information from the forwarded emails can be leveraged by the adversary to pose as the victim, armed with the knowledge of key financial/account information.

Anvilogic Use Cases:

• O365 Auto Forward
• O365 Inbox Rules
• O365 New Export Request