Threat Spotlight: How attackers use inbox rules to evade detection after compromise
blog.barracuda.com
If attackers have compromised your account, they can use inbox rules to hide in plain sight while they — among other things — quietly move information out of the network via your inbox.

Summary

Attackers can use automated email rules to evade detection after compromising an email account. They can use these rules to steal information, hide emails, and impersonate others.

Some of the ways attackers use email rules include:

  • Forwarding emails containing sensitive keywords to an external address

  • Hiding specific inbound emails by moving them to rarely used folders, marking them as read, or deleting them

  • Creating email forwarding rules to monitor the activities of a victim and collect intelligence on the victim or the victim’s organization to use as part of further exploits or operations

  • Setting up rules that delete all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO), so they can impersonate the CFO and send fake emails to convince colleagues to transfer company funds

Defenses that don’t work on their own include:

  • Changing the victim’s password

  • Turning on multifactor authentication

  • Imposing other strict conditional access policies

  • Rebuilding the victim’s computer