This blog post was co-authored by Tal Maor, Microsoft Security researcher
Exploited accounts can be used for several malicious purposes including reading email in a user’s inbox, creating rules to forward future emails to external accounts, internal phishing campaigns to gain access to further inbox accounts, and creating malicious rules to help an attacker remain undetected.
As part of our ongoing research to analyze trends and attack techniques, the Microsoft Cloud App Security team was able to deploy two new detection methods to help tackle malicious activities against Exchange inbox accounts protected with Microsoft Cloud App Security. Since we’ve started rolling out these new detections, we are seeing more than 3,000 suspicious rule alerts each month./p>
Image 1: Built-in alerts for suspicious inbox rules
Malicious forwarding rules
Some email users, particularly those with multiple mailboxes, set forwarding rules to move corporate emails to their private email accounts. While seemingly harmless, this behavior is also a known method used by attackers to exfiltrate data from compromised mailbox accounts. Without a way to easily identify malicious rules, forwarding rules can stay in place for months, even after changing account credentials.
Microsoft Cloud App Security can now detect and alert on suspicious forwarding rules, giving you the ability to find and delete hidden rules at the source.
Malicious forwarding rule names vary, and can have simple names, such as “Forward All Emails“, “Auto forward” or they’re created with deceptive names, such as a nearly hidden “.” In fact, forward rule names can even be empty, and the forwarding target can be one email account or an entire list list. There are even ways to make malicious rules hidden from the user interface. Now, you can use the new Microsoft Cloud App Security detections to analyze and detect suspicious behavior and generate alerts on forwarding rules - even when the rules are seemingly hidden.
In nearly all cases, if you detect an unrecognized forwarding rule to an unknown internal or external e-mail address in a user’s inbox rule setting, you can assume that the inbox account was compromised. Once detected, you can leverage this helpful blog post on how to delete hidden rules from specific mailboxes when required.
Image 2: Suspicious inbox forwarding rules - detailed description
Malicious folder manipulation
Another scenario we recognized and built detections for, seems to be used in a later attack phase. Attackers set an inbox rule to delete and/or move emails to a less noticeable folder (i.e “RSS”). These rules move all emails or only those which contain specific target key words. We identified nearly 100 common, relevant words that malicious delete- or move-inbox rules are looking for in a message body and subject. Some of the most popular words we identified in these types of rules include:
"superintendent" , "malware" , "malicious" , "suspicious" , "fake" , "scam" , "spam" , "helpdesk" , "technology" , "do not click" , "delete" , "password" , "do not open" , "phishing" , "phish" , "information" , "payment election" , "direct deposit" , "payroll" , "fraud" , "virus" , "hack" , "infect" , "steal" , "attack" , "hijack" , "Payment" , "workday" , "linkedin" , "Workday" , "Payroll" , "received" , "Fraud" , "spyware" , "software" , "attached" , "attachment" , "Help Desk" , "president" , "statement" , "threat" , "VIRUS WARNING" , "DO NOT OPEN" , "FW: Phishing Attempts" , "email" , "regarding" , "URGENT Warning" , "Acknowledge" , "Link" , "disregard" , "did u send me an email" , "Suspicious email" , "Spam" , "Virius" , "Viruis" , "Hack" , "Postmaster" , "Mailer-Daemon" , "Message Undeliverable" , "survey" , "hacked" , "Password" , "linked-in" , "linked in" , "invoice" , "Fidelity Net Benefits" , "Net Benefits" , "401k" , "Fidelity" , "Security code" , "ADP" , "Strategic consultancy services fees - Payment" , "Direct deposit" , "syed" , "Zoominfo" , "zoominfo" , "Re: Fw: Revised Invoice" , "security"
Corresponding rule names we saw repeatedly including names such as:
“xxx", "xxxx" , "." , ".." , ",.,." , "..." , ",." , "dsfghjh" , "At Work" , "words" , "ww" , "dsfghjh" , "email" , "mail" , "Delete messages with specific words" , "Clear categories on mail (recommended)”
Attackers use these kinds of rules to manipulate the original mailbox user, remain undetected in the mailbox, and may simultaneously perform internal phishing campaigns using the compromised mailbox. Attackers set rules like these to hide their activities from the original mailbox user and to ensure they can’t see warning alerts about malicious behavior of their own mailbox.
Thes rules can be created using various methods. Once an attackers has access to user account credentials, they may log in to the account’s mailbox to set and manipulate rules using https://outlook.office.com. Another option is to use an API that allows the creation of new inbox rules via automated script. The PowerShell New-InboxRule cmdlet is an example of an API that is frequently used by attackers to accomplish this.
Image 3: Suspicious inbox manipulation rule - detailed alert description
Gaining mailbox access
One method attackers use to gain initial access to an email account is to obtain clear text passwords of the inbox account.
Another common scenario to gain initial access to a user’s mailbox account is an OAuth attack, which doesn’t require for the attacker to have the full user credentials at any time. Victim accounts may log in as a third-party cloud application and agree to delegate permissions to change their mailbox settings by the application on their behalf. This scenario requires the user’s consent to delegate their permissions. These interfaces often impersonate legitimate applications the users commonly use and exploit users to gain access to their accounts by requesting high permission levels via the cloud app. In the example below, the attackers used the application name “Outlook” to defy users and eventually push mailbox changes to any authenticated user. To find out more about risky 3rd party app authentications and how to detect and revoke them with Microsoft Cloud App Security, refer to our recent blog post.
Image 4: Oauth attack of an impersonated cloud app
Rule your inbox
Setting and communicating inbox best practices for your organization is always the first step.
Ensure each of your inbox owners know:
- When delegating permissions to an app, verify the requested permissions fit expectations.
- Always remain suspicious regarding write-permission requests.
- Consider whether to allow an application to make changes to the mailbox on their behalf, especially without requesting their permission for specific changes.
- If any evidence of a malicious rule is found, follow the steps in How to stop and remediate the Outlook Rules and Forms attack to remediate.
Microsoft Cloud App Security provides full visibility into your corporate Exchange Online services, enables you to combat malicious rules, cyber threats and control how your data travels. MCAS is available as part of Enterprise Mobility + Security E5 or as a standalone service.
More info and feedback
Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.