The Dangers of Inbox Rules
Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: Red Canary
Red Canary's latest report highlights the risk of email inbox rules and how threat actors use the feature to carry out business email compromise (BEC). Forwarding rules give the threat actor persistence on the user's account and automatic data exfiltration. Three attack scenarios are presented. The first is the commonly observed auto-forwarding of emails to an attacker-owned account. The second is rerouting or deleting emails before they reach the user's inbox, which lets the threat actor read messages the victim never sees and replace an expected email with a phishing email. The third targets an admin account, which can create rules on behalf of users and compromise the environment at a larger scale; as Red Canary puts it, "in the middle of launching an attack, an adversary with admin email access could create a rule for all or most mailboxes that deletes any email with keywords warning of the active incident." Detection opportunities exist for alerting on inbox rule operations made through Outlook and through API requests to Exchange.
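As an added example (not code from the Red Canary report or from Anvilogic's use cases), the Python below checks the three scenarios above against Microsoft 365 Unified Audit Log inbox-rule records: external forwarding, rules that hide mail keyed on incident wording, and one actor creating rules across several mailboxes. The record layout (Operation, UserId, Parameters as Name/Value pairs) and the parameter names follow Exchange Online's New-InboxRule / Set-InboxRule cmdlets; the sample records, the ORG_DOMAINS set, the keyword list, the mass-creation threshold and the use of a Mailbox parameter to identify an admin's target mailbox are assumptions constructed for this example.

```python
"""Flag suspicious inbox-rule operations in Microsoft 365 Unified Audit Log records."""
from collections import defaultdict

# Assumption: the tenant's own mail domains; any other domain is external.
ORG_DOMAINS = {"corp.example"}

# Assumed keywords an adversary might key a delete/move rule on to suppress
# warnings about an active incident. Tune to your environment.
INCIDENT_KEYWORDS = ("phish", "suspicious", "hacked", "compromise",
                     "security alert", "password reset", "incident")

# Exchange cmdlet operations that create or change inbox rules, as they
# appear in the audit record's "Operation" field.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# New-InboxRule / Set-InboxRule parameters grouped by effect.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords"}


def _params(record):
    """Flatten the [{Name, Value}, ...] parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _split_list(value):
    """Multivalued parameters are logged as ';'-separated strings."""
    return [v.strip() for v in value.split(";") if v.strip()]


def _is_external(address):
    # Reduce "Name <user@domain>" to the bare address before checking the domain.
    addr = address.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def analyze_rule_record(record):
    """Return finding tags for one audit record (empty list if nothing is flagged)."""
    findings = []
    if record.get("Operation") not in RULE_OPERATIONS:
        return findings
    p = _params(record)

    # Scenario 1: forward or redirect to an address outside the organisation.
    for name in sorted(FORWARD_PARAMS & p.keys()):
        for addr in _split_list(p[name]):
            if _is_external(addr):
                findings.append(f"external_forward:{addr}")

    # Scenario 2: hide or delete mail, especially when keyed on incident wording.
    if HIDE_PARAMS & p.keys():
        words = []
        for name in sorted(KEYWORD_PARAMS & p.keys()):
            words.extend(w.lower() for w in _split_list(p[name]))
        hits = [w for w in words if any(k in w for k in INCIDENT_KEYWORDS)]
        if hits:
            findings.append("hide_incident_keywords:" + ",".join(hits))
        elif p.get("DeleteMessage", "").lower() == "true":
            findings.append("delete_rule")
    return findings


def analyze_log(records, mass_threshold=3):
    """Return (record_id, actor, finding) tuples for a batch of records.

    Adds a scenario-3 finding (record_id "*") when one actor creates or
    changes rules in at least mass_threshold distinct mailboxes."""
    findings = []
    mailboxes_by_actor = defaultdict(set)
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        actor = rec.get("UserId", "")
        for f in analyze_rule_record(rec):
            findings.append((rec["Id"], actor, f))
        # Assumption: an admin acting on another mailbox passes -Mailbox;
        # otherwise the rule belongs to the acting user's own mailbox.
        target = _params(rec).get("Mailbox", actor)
        mailboxes_by_actor[actor].add(target.lower())
    for actor, boxes in sorted(mailboxes_by_actor.items()):
        if len(boxes) >= mass_threshold:
            findings.append(("*", actor, f"mass_rule_creation:{len(boxes)}_mailboxes"))
    return findings


def _rule(rid, user, params, op="New-InboxRule"):
    return {"Id": rid, "UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample records; not real audit data.
SAMPLE_RECORDS = [
    _rule("r1", "alice@corp.example", {"Name": "Sync",
          "ForwardTo": "collector@attacker.example", "DeleteMessage": "True"}),
    _rule("r2", "alice@corp.example", {"Name": "Cleanup",
          "SubjectOrBodyContainsWords": "phishing;hacked;security alert",
          "MoveToFolder": "RSS Feeds"}),
    _rule("r3", "bob@corp.example", {"Name": "Newsletters",
          "FromAddressContainsWords": "news@vendor.example",
          "MoveToFolder": "Newsletters"}),
    _rule("r4", "admin@corp.example", {"Mailbox": "carol@corp.example",
          "SubjectContainsWords": "incident", "DeleteMessage": "True"}),
    _rule("r5", "admin@corp.example", {"Mailbox": "dave@corp.example",
          "SubjectContainsWords": "incident", "DeleteMessage": "True"}),
    _rule("r6", "admin@corp.example", {"Mailbox": "erin@corp.example",
          "SubjectContainsWords": "incident", "DeleteMessage": "True"}),
    {"Id": "r7", "UserId": "alice@corp.example", "Operation": "MailItemsAccessed"},
]

if __name__ == "__main__":
    for record_id, actor, finding in analyze_log(SAMPLE_RECORDS):
        print(record_id, actor, finding)
```

In this sample, r1 and r2 are flagged for Alice (external forward plus a delete rule, then a move rule keyed on incident words), r3 is a benign newsletter rule and produces nothing, and the admin's three delete rules each fire individually and together trigger the mass-creation finding.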
Anvilogic Use Cases:
- O365: Suspicious Login then Stage Email Exfiltration
- O365 Inbox Rules
- O365 Auto Forward