Highlights:

  • The study explains how, after an attacker has gained access to an account, they can utilize email rules to hide inbound communications such as security alerts or mask their traces from the account’s owner.
  • Because email rules are hidden in plain sight, the study warns that multifactor authentication and password changes are worthless once an account has been compromised.

Barracuda Networks Inc., a cloud cybersecurity business, revealed its latest research on how attackers use malicious email rules after infiltrating corporate networks to steal information and avoid getting detected.

Automated email inbox rules are beneficial for controlling the deluge of emails many people get at work. Inbox rules allow users to categorize, forward, or even delete emails based on precise criteria they specify. However, as the Barracuda Networks study demonstrates, attackers can abuse that same convenience.

The study explains how, after an attacker has gained access to an account, they can utilize email rules to hide inbound communications such as security alerts or mask their traces from the account’s owner. An attacker can use email rules to mask operations, exfiltrate data by forwarding emails containing specified keywords to external addresses, and conduct business email compromise attacks by impersonating top executives.

According to the study, in addition to being used in business email compromise, email rules have also been used in targeted nation-state attacks, going unnoticed even when extra security measures are in place.

Kimsuky, LAPSUS$, and Silent Librarian are three allegedly state-sponsored threat actor groups known to exploit email rules as part of their attack toolbox. LAPSUS$ is the most well-known of the three groups, having hacked Okta Inc. and Microsoft Corp. in March 2022 and, prior to that, Nvidia Corp. and Samsung Electronics Co. Ltd.

Because malicious email rules are hidden in plain sight among a user's legitimate ones, the study warns that multifactor authentication and password changes are worthless against them once an account has been compromised. Barracuda Networks advises businesses to focus on prevention and incident response to identify compromised accounts and limit the impact.

The research reported, “Because inbox rule creation is a post-compromise technique, the most effective protection is prevention — stopping attackers from being able to compromise the account in the first place. But you also need effective detection and incident response measures in place to identify breached accounts and mitigate the impact. This includes having full visibility of every action being taken in every employee’s inbox, what rules are created, what’s been modified or accessed, the user’s logon history, the time and the location and context of emails sent.”
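The visibility the report calls for starts with reviewing every inbox-rule creation or modification event for the behaviours described above: forwarding mail that matches keywords to external addresses, deleting or filing away security alerts, and doing so from an unfamiliar location. The following is an added example, not code from the original article or from Barracuda Networks, of a simple triage pass over such events. The event shape, the field names (`ForwardTo`, `DeleteMessage`, `MoveToFolder`, `MarkAsRead`, `...ContainsWords`, `From`), the internal domain, the corporate IP range and the sample records are all constructed assumptions for the demonstration; a real deployment would map its own audit-log schema onto them.

```python
"""Triage inbox-rule audit events for signs of post-compromise abuse (added example)."""
import ipaddress

# Constructed sample events. The field names are a simplified, hypothetical shape
# loosely modelled on an inbox-rule audit record, not any vendor's actual schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "operation": "New-InboxRule", "client_ip": "203.0.113.45",
     "rule": {"name": "Finance",
              "conditions": {"SubjectOrBodyContainsWords": ["invoice", "wire transfer"]},
              "actions": {"ForwardTo": ["collector@mail.example.net"]}}},
    {"user": "bob@example.com", "operation": "New-InboxRule", "client_ip": "10.20.30.40",
     "rule": {"name": "Cleanup",
              "conditions": {"SubjectContainsWords": ["security alert", "unusual sign-in"]},
              "actions": {"DeleteMessage": True}}},
    {"user": "carol@example.com", "operation": "Set-InboxRule", "client_ip": "198.51.100.7",
     "rule": {"name": "Feeds",
              "conditions": {"From": ["it-security@example.com"]},
              "actions": {"MoveToFolder": "RSS Feeds", "MarkAsRead": True}}},
    {"user": "dave@example.com", "operation": "New-InboxRule", "client_ip": "10.20.30.41",
     "rule": {"name": "Newsletters",
              "conditions": {"From": ["news@vendor.example.org"]},
              "actions": {"MoveToFolder": "Newsletters"}}},
]

# Assumed environment facts: the organisation's own mail domain, its office/VPN
# address space, the senders whose mail should never be auto-hidden, the phrases
# that typically appear in security notifications, and folders users rarely open.
INTERNAL_DOMAINS = {"example.com"}
CORPORATE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
SECURITY_SENDERS = {"it-security@example.com", "security@example.com"}
SECURITY_TERMS = {"security alert", "unusual sign-in", "password", "verification code", "mfa"}
LOW_VISIBILITY_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                          "junk email", "conversation history"}
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def is_corporate_ip(ip: str) -> bool:
    """True when the rule was created from inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def keyword_conditions(conditions: dict) -> set[str]:
    """Collect every keyword from any '...ContainsWords' condition, lower-cased."""
    words: set[str] = set()
    for key, value in conditions.items():
        if key.endswith("ContainsWords"):
            words.update(w.lower() for w in value)
    return words


def score_rule(event: dict) -> list[str]:
    """Return human-readable reasons this rule looks like post-compromise abuse.

    An empty list means nothing in the rule matched a known abuse pattern.
    """
    reasons: list[str] = []
    rule = event["rule"]
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    hides_mail = bool(actions.get("DeleteMessage") or actions.get("MoveToFolder"))

    # Exfiltration: any forward/redirect action whose target is outside our domains.
    for action in FORWARD_ACTIONS:
        external = [a for a in actions.get(action, []) if is_external(a)]
        if external:
            reasons.append(f"{action} to external address(es): {', '.join(external)}")

    # Alert suppression: keyword filters on security phrases combined with delete/move.
    hits = keyword_conditions(conditions) & SECURITY_TERMS
    if hits and hides_mail:
        reasons.append(f"suppresses mail matching security terms: {', '.join(sorted(hits))}")

    # Hiding in plain sight: filing mail into a folder the user is unlikely to check.
    folder = str(actions.get("MoveToFolder", "")).lower()
    if folder in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"moves mail into rarely viewed folder '{actions['MoveToFolder']}'")
    if actions.get("MarkAsRead") and hides_mail:
        reasons.append("marks matching mail as read so no unread indicator appears")

    # Silencing the people who would warn the user.
    senders = {s.lower() for s in conditions.get("From", [])}
    if senders & SECURITY_SENDERS and hides_mail:
        reasons.append("hides mail from a security or IT sender")

    # Context: only escalate the origin IP when the rule is already suspicious,
    # since remote workers legitimately create rules from outside the office.
    if reasons and not is_corporate_ip(event["client_ip"]):
        reasons.append(f"rule created from non-corporate IP {event['client_ip']}")
    return reasons


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged user to the reasons their rule change was flagged."""
    return {e["user"]: r for e in events if (r := score_rule(e))}


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

The scoring deliberately combines a condition with an action before flagging: a rule that merely matches the word "password" is routine, but one that matches it and deletes the message, or forwards it outside the organisation, is the pattern the report describes. The origin-IP check is applied only as an escalation on an already-suspicious rule, which keeps ordinary remote-work rule changes out of the queue while still surfacing the location context the report recommends correlating.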