Inbox rules – those handy little tools for filing emails, categorising them, or possibly forwarding some emails to colleagues. They exist in all email platforms, although with a prevalence of Exchange and Office 365, it is the Microsoft implementation that most of us know best. If you have any admin knowledge of these platforms, you’ll also know that there are server side rules of a similar nature (known as transport rules or mailflow rules), which can do similar things for multiple people, or possibly the entire system.
Pause for a moment on security risk is present. To quote a recent report “As one of the first steps after having obtained [mailbox] credentials, attackers created malicious inbox rules to copy in- and outgoing emails of their victim. The attacker’s goal hereby was to guarantee access to emails even after the compromised credentials were changed” (1).
If you’re not sure how attackers get into the mailbox in the first place, see BEC – why the fuss? Or Phishing your MuFA.
I was speaking with a multinational organisation in December who have had consistent breaches due to exactly this attack – hackers setting up inbox rules in individual mailboxes after compromising the accounts. The high-profile Deloitte breach (2) in late 2017 is thought to have been achieved via a mailflow rule affecting a number of executives (although this has not been confirmed by the company). It’s also possible simply due to error: mailflow rules do many things, and I’m aware of cases where an IT admin intended to set up a rule to block an incoming email address, and instead BCCed the CEO’s email to that address! And one more I just discovered – a massive governmental organisation suffered some account takeover breaches, where the hijacked accounts were used to send phishing emails. The attackers added inbox rules to delete the outgoing emails from the Sent Items, and automatically delete any replies – so the mailbox owner would not see the symptoms of the breach.
This is completely symptomless. There is no way the user will know this is occurring – both in the case of a client side inbox rule or a server side mailflow rule, the only way of spotting this is to look at the list of configured rules. And if you have a large number of rules (which is both likely and legitimate for server side mailflow rules), it will be close to impossible to spot visually. Even more scary, according to recent research1 it is possible to completely hide these rules. If it gives you any comfort, the researchers point out they have not yet seen this used in the wild. But that doesn’t mean it isn’t happening.
Inbox rules can be set up by attackers, internal or external, who have access to the inbox – be that via compromised credentials or because you just left your Outlook client unattended. In fact, the internal attack can be particularly difficult to defend against – companies tend not to use the same security internally as externally (e.g. MFA is often only deployed outside the perimeter). Or maybe you simply leave your laptop unlocked on your desk for five minutes – allowing someone to quickly set up a rule in your absence. These rules can also be set up through scripting – without direct mailbox access. It’s too much detail to provide full explanation here, but the research is referenced below (2).
One solution that companies employ is to turn off external forwarding. If this is done, inbox rules which forward emails externally will be ineffective (although in Exchange/Office 365, the user will not be aware of that when creating the rule). However, sometimes external forwarding rules are legitimate, and the platform‑wide setting is therefore too blunt an instrument. In other cases we seen, the CIO believed the rules were turned off – that was the policy – but somewhere along the way an IT team member had reactivated them.
Even if the external forwarding has been prevented for individual mailboxes – which certainly closes part of the window – it will not prevent mailflow rules from forwarding email externally, whether they are set up by internal bad actors, or by hackers who have compromised admin accounts. And of course, hackers who have compromise an admin account can reactivate external forwarding for inbox rules.
The solution is of course to identify when these rules have been set up and alert the right people – perhaps the mailbox owner themselves, maybe the security team, maybe IT (it depends on your internal process and policy). This can be done by consistently checking the status of these rules, and alerting any changes. This can be both a real-time approach, or a periodic audit (daily, weekly, monthly, …). Unsurprisingly, this is a core function of the IDECSI MyDataSecurity.
Ben Miller is an experienced technologist and entrepreneur with a background in mathematics and software engineering. He is focused on bringing new technologies to market, which change conventional thinking. Within cyber security, we have long been used to complaining about users, and driving more work into the security team. Ben’s particular focus today is technologies which challenge this approach and instead make user empowerment a key part of the cyber discussion.
(1) Compass Security Blog "Hidden Inbox Rules in Microsoft Exchange" - September 17, 2018
(2) The Guardian "Deloitte hit by cyber-attack revealing clients' secret emails" - September 25, 2017
(3) F-Secure Labs "Malicious outlook rules" - September 2, 2016