Email forwarding can be a convenient feature for users — but unfortunately for defenders, it’s even more convenient for threat actors.
Email forwarding rules enable an email account owner to automatically redirect incoming emails to a separate account. There are some legitimate use cases for this; for example, an employee on vacation may want to forward their incoming emails to a colleague.
However, threat actors commonly use email forwarding rules to access mailboxes and leak data in business email compromise (BEC) attacks, so it’s important to understand the risks associated with email forwarding and how to prevent them.
In 2020, the FBI warned that threat actors were increasingly relying on email forwarding to hide within hacked email accounts.
The FBI cited two examples of cybercriminals using email forwarding rules in BEC attacks, both of which occurred in August 2020. In one incident, threat actors created auto forwarding rules on the victim’s web client, but since the victim only monitored forwarding rules on the desktop client, the activity went unnoticed. The attackers accessed the network and created a domain with similar spelling to the victim, impersonating a known international vendor. The threat actors were able to obtain $175,000 from the victim by communicating with the vendor.
The same threat actor created auto-forwarding rules within a manufacturing company’s web-based email: any email with search terms such as “bank,” “payment,” and “check” would automatically be sent to the threat actor’s inbox.
In 2021, threat actors were able to bypass Office 365 (now Microsoft 365) multi-factor authentication (MFA) in a series of BEC attacks. They gained initial access through phishing, and used legacy protocols such as IMAP/POP3 to evade MFA. Threat actors used email forwarding rules to automate and scale the attacks, stealing data from the most valuable victims.
And in 2022, Microsoft issued a warning reporting that Upgrade, a potentially malicious app, sent hundreds of phishing emails to Office 365 customers asking them to create inbox rules, read emails, and create calendar items. If the victim agreed to the request, the threat actor could set email forwarding rules that would enable them to continue the attack in the future.
Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.
— Microsoft Security Intelligence (@MsftSecIntel) January 21, 2022
When a threat actor is able to create auto-forwarding rules, it could mean a few things. The threat actor may be trying to monitor a user’s account and gather intelligence to use later in a broader attack.
But an attacker who has created email forwarding rules has likely already gained access to an environment and is in the later stages of an attack. After accessing an account, a threat actor will typically create a mail rule within the compromised mailbox to avoid being caught. As in the example above, this rule may forward emails with certain search terms to the attacker’s inbox. Other evasive techniques include using the Microsoft Messaging API (MAPI) to hide rule properties from Outlook, OWA, or other Exchange Administration tools, according to MITRE.
One of the biggest problems with email forwarding is that it enables a threat actor to gain persistent access to the victim’s email. That means it doesn’t matter whether the victim turns on MFA, changes their email password, or performs a variety of other administrative tasks in an attempt to secure their email — if the rule is in place, the threat actor will have access to emails.
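Because a rule outlives a password reset, reviewing the rules themselves is part of cleaning up an account. The following is an added example, not code from the original article or from Microsoft: it checks rules laid out like Microsoft Graph messageRule objects for forwarding to addresses outside the organization and for the search terms cited above. The domain list, sample rules and severity labels are constructed assumptions.

```python
# Added example: review inbox rules for external forwarding and finance keywords.
# Rule dicts follow the Microsoft Graph messageRule layout; all values are constructed.
INTERNAL_DOMAINS = {"example.com"}          # assumption: the organization's own domains
WATCH_TERMS = {"bank", "payment", "check"}  # search terms from the FBI example above
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
KEYWORD_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")


def external_targets(rule):
    """Return addresses the rule forwards or redirects to outside INTERNAL_DOMAINS."""
    found = []
    actions = rule.get("actions") or {}
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "").lower()
            # Exact domain match only: list subdomains explicitly in INTERNAL_DOMAINS.
            if address and address.rpartition("@")[2] not in INTERNAL_DOMAINS:
                found.append(address)
    return found


def watched_terms(rule):
    """Return the watch terms that appear in the rule's keyword conditions."""
    conditions = rule.get("conditions") or {}
    words = [w.lower() for key in KEYWORD_CONDITIONS for w in conditions.get(key) or []]
    return sorted(t for t in WATCH_TERMS if any(t in w for w in words))


def review_rules(rules):
    """Return one finding per enabled rule that sends mail to an external address."""
    findings = []
    for rule in rules:
        targets = external_targets(rule)
        if not targets or not rule.get("isEnabled", True):
            continue
        terms = watched_terms(rule)
        findings.append({"rule": rule.get("displayName", ""), "targets": targets,
                         "terms": terms, "severity": "high" if terms else "medium"})
    return findings


SAMPLE_RULES = [  # constructed sample data
    {"displayName": "Vacation cover", "isEnabled": True, "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "colleague@example.com"}}]}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["bank", "Payment", "check"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "inbox@external.test"}}],
                 "markAsRead": True}},
]
```

Rules whose properties have been hidden as described above may not show up in an export like this, so an empty result does not clear a mailbox on its own.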
Since email forwarding rule creation is often a later-stage technique, prevention is key. Here are some security best practices to prevent BEC attacks that use email forwarding:
Since all forwarded messages look the same — whether they were manually or automatically forwarded — it can be challenging to detect automatic email forwarding, especially if those auto forwarding rules are hidden. However, looking at message tracking logs or using a MAPI editor can help you determine whether the rule properties were modified.
For Exchange environments, another sign of suspicious forwarding rules is a high volume of emails with the header X-MS-Exchange-Organization-AutoForwarded without a corresponding number of emails that match the appearance of a forwarded message. This activity may warrant a deeper investigation.
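The header comparison above can be run over a set of exported messages. This is an added example, not part of the original article: it counts, per destination address, the messages that carry the auto-forward header and how many of those also look like a forwarded message. Grouping by the To header, the "FW:"/"Fwd:" subject test, the thresholds and the sample messages are all assumptions made for the illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

AUTO_HEADER = "X-MS-Exchange-Organization-AutoForwarded"
FORWARD_PREFIXES = ("fw:", "fwd:")  # assumption: how a visibly forwarded subject starts


def forwarding_profile(raw_messages):
    """Map destination -> (auto-forwarded count, how many of those look forwarded)."""
    flagged, visible = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if (msg.get(AUTO_HEADER) or "").strip().lower() != "true":
            continue  # not marked as automatically forwarded
        dest = parseaddr(msg.get("To") or "")[1].lower()
        flagged[dest] += 1
        if (msg.get("Subject") or "").strip().lower().startswith(FORWARD_PREFIXES):
            visible[dest] += 1
    return {dest: (flagged[dest], visible[dest]) for dest in flagged}


def suspicious_destinations(raw_messages, min_flagged=3, max_visible_ratio=0.5):
    """Destinations with many auto-forwarded messages, few of which look forwarded."""
    profile = forwarding_profile(raw_messages)
    return sorted(dest for dest, (auto, shown) in profile.items()
                  if auto >= min_flagged and shown / auto <= max_visible_ratio)


def _sample(to, subject, auto):
    """Build one constructed message as raw RFC 5322 text."""
    header = f"{AUTO_HEADER}: true\n" if auto else ""
    return f"From: user@example.com\nTo: {to}\nSubject: {subject}\n{header}\nbody\n"


# Constructed sample mail flow: four silent forwards, three visible ones, one normal mail.
SAMPLE = ([_sample("inbox@external.test", f"Invoice {n}", True) for n in range(4)]
          + [_sample("colleague@example.com", "FW: notes", True) for _ in range(3)]
          + [_sample("partner@example.org", "Hello", False)])

if __name__ == "__main__":
    print(forwarding_profile(SAMPLE))
    print(suspicious_destinations(SAMPLE))
```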
Using a threat detection and response platform such as Blumira can ease the process of email forwarding detection. For example, Blumira’s platform notifies you when a user has set up an email forwarding rule to send messages to external domain accounts, and provides all relevant data and a response playbook to help your teams take action immediately.
Many security information and event management (SIEM) platforms are complex to set up, with an average deployment time of two months.
To help alleviate this problem, Blumira has released Cloud Connectors, a feature that speeds up deployment time from months to minutes, allowing small IT teams to quickly connect cloud services such as Microsoft 365.
Blumira connects to your Microsoft 365 account within minutes to detect suspicious activity that leads to cyberattacks, including email forwarding.
Sign up for a free trial today and start getting better visibility into your Microsoft 365 environment.