Email Forwarding Rule

Information

• Name: Email Forwarding Rule

• ID: T1114.003

• Tactics: TA0009

• Technique: T1114

Introduction

Email Forwarding Rule (T1114.003) is a sub-technique of the MITRE ATT&CK framework under the parent technique Email Collection (T1114). Attackers leverage this technique by creating or modifying email forwarding rules within compromised email accounts. These rules silently forward incoming or outgoing emails to attacker-controlled addresses, enabling adversaries to gain persistent access to sensitive communications without direct interaction with the victim's mailbox.

Deep Dive Into Technique

Attackers utilize email forwarding rules to covertly exfiltrate sensitive information from compromised email accounts. This sub-technique typically involves the following technical details and execution methods:

• Creation or Modification of Rules:

  • Attackers gain initial access to a user's email account through credential theft, phishing, password spraying, or other account compromise methods.

  • Once inside, attackers navigate email client settings (e.g., Microsoft Exchange, Office 365, Gmail, or other cloud-based email services) to set up forwarding rules.

  • These rules are configured to automatically forward sensitive emails to attacker-controlled external email addresses, often without the user's knowledge.

• Rule Configuration and Concealment:

  • Forwarding rules can be configured to forward all emails or selectively forward emails containing specific keywords, attachments, or from particular senders or recipients.

  • Adversaries may use filters and conditions to minimize detection, such as forwarding only emails containing financial information, credentials, confidential documents, or other valuable data.

  • Attackers may also configure rules to delete or mark forwarded emails as read, reducing the likelihood of detection by the legitimate user.

• Persistence and Stealth:

  • Email forwarding rules provide attackers with persistent access to sensitive information even after initial access methods (such as compromised credentials) have been remediated.

  • Attackers often use legitimate email features, making detection challenging, as forwarding rules may blend into normal user activities and administrative configurations.

• Common Platforms Targeted:

  • Microsoft Exchange and Office 365

  • Google Workspace (Gmail)

  • Other cloud-based email providers with forwarding rule functionality

When this Technique is Usually Used

Attackers commonly employ email forwarding rules in the following attack scenarios and stages:

• Post-Compromise Information Gathering:

  • Attackers who have compromised an email account may implement forwarding rules to continuously collect sensitive information without repeatedly logging into the victim's account.

  • This helps adversaries remain stealthy and reduces the risk of detection through repeated logins or unusual account activity.

• Business Email Compromise (BEC):

  • Attackers use forwarding rules extensively in BEC attacks to monitor email conversations, identify financial transactions, and intercept invoices or payment-related communications.

  • Forwarding rules allow attackers to remain informed about ongoing business communications, enabling them to craft convincing fraudulent emails or redirect payments.

• Espionage and Targeted Attacks:

  • Advanced Persistent Threat (APT) actors frequently leverage email forwarding rules to quietly monitor communications within targeted organizations, government agencies, or high-profile individuals.

  • These rules enable long-term monitoring and collection of sensitive organizational data, intellectual property, or classified information.

• Credential Harvesting and Reconnaissance:

  • Attackers who have initially gained access to email accounts may set forwarding rules to harvest additional credentials, internal company information, or sensitive user data for further exploitation or lateral movement.

How this Technique is Usually Detected

Detection of email forwarding rules involves several methods, tools, and indicators of compromise (IoCs):

• Regular Auditing and Monitoring:

  • Periodically auditing email forwarding rules within email systems (e.g., Office 365 Security & Compliance Center, Google Workspace Admin Console) to identify unauthorized or suspicious forwarding rules.

  • Monitoring for new forwarding rules, especially those forwarding emails externally or to unknown email addresses.

• Behavioral Analytics:

  • Deploying security tools and SIEM solutions that utilize behavioral analytics to detect unusual account activities, such as forwarding rule creation from new or suspicious IP addresses or locations.

  • Alerting on rules created outside normal business hours or from unfamiliar devices or browsers.

• Email Provider Security Features:

  • Leveraging built-in security features of email providers (Microsoft Defender for Office 365, Google Workspace Security Center) to automatically detect and alert on suspicious rule creation or modification events.

• Indicator of Compromise (IoCs):

  • Unexplained forwarding rules directing emails to external, unknown, or free email services (e.g., Gmail, Yahoo, ProtonMail).

  • Forwarding rules with filters targeting sensitive keywords (e.g., invoice, payment, credentials, passwords, confidential).

  • Unusual mailbox activities, such as emails marked as read without user interaction or unexplained email deletions.

• User Awareness and Reporting:

  • Educating users to recognize signs of email compromise, such as missing emails, unexpected email delivery failures, or suspicious account activity notifications.

  • Encouraging users to report anomalies promptly to security teams.

Why it is Important to Detect This Technique

Early detection of email forwarding rules is critical due to the following potential impacts on systems, networks, and organizational security:

• Sensitive Information Leakage:

  • Email forwarding rules can silently exfiltrate sensitive data, including financial information, intellectual property, business strategies, personal identifiable information (PII), and confidential communications.

  • Undetected forwarding rules lead to prolonged data leakage, significantly increasing the risk of data breaches and financial losses.

• Financial Loss and Fraud:

  • Attackers commonly leverage forwarding rules in Business Email Compromise (BEC) attacks, resulting in fraudulent payments, diverted invoices, and significant financial losses.

  • Early detection prevents or mitigates financial damage and reduces the risk of successful fraud attempts.

• Espionage and Competitive Disadvantage:

  • Persistent email monitoring via forwarding rules enables attackers to collect sensitive corporate data, trade secrets, and strategic information, potentially leading to competitive disadvantages or reputational damage.

• Regulatory and Compliance Risks:

  • Undetected email forwarding rules resulting in data leakage may lead to regulatory violations, compliance breaches (e.g., GDPR, HIPAA), legal consequences, and financial penalties.

• Operational Disruption and Incident Response Costs:

  • Undetected forwarding rules may require extensive incident response efforts, forensic investigations, and remediation costs, disrupting normal business operations and productivity.

Examples

Real-world examples showcasing the use of email forwarding rules in attacks include:

• Business Email Compromise (BEC) Attacks:

  • Attackers compromised employee email accounts through credential theft or phishing.

  • Set forwarding rules to monitor financial transactions, invoices, and payment communications.

  • Leveraged intercepted information to send fraudulent payment instructions, causing significant financial losses.

• APT29 (Cozy Bear) and SolarWinds Incident:

  • During the SolarWinds supply chain compromise, APT29 actors reportedly set email forwarding rules in Microsoft 365 environments to monitor internal communications and maintain persistent access.

  • Allowed attackers to collect sensitive internal emails and intelligence without raising immediate suspicion.

• Operation Cloud Hopper (APT10):

  • State-sponsored threat group APT10 compromised managed service providers (MSPs) and their customers' email accounts.

  • Attackers established email forwarding rules to continuously monitor sensitive communications and exfiltrate data over extended periods.

• Credential Harvesting Campaigns:

  • Attackers gained initial access to user email accounts through phishing.

  • Created forwarding rules to silently collect additional credentials, internal documents, and sensitive information for further exploitation and lateral movement within the victim organization.

• Financial Sector Attacks:

  • Cybercriminals targeted financial institutions by compromising employee email accounts.

  • Forwarding rules were configured to selectively forward emails containing keywords such as "SWIFT," "transfer," "invoice," or "payment," allowing attackers to intercept financial transaction details and execute fraudulent transfers.

These real-world scenarios highlight the severity and potential impacts of email forwarding rule attacks, emphasizing the necessity for proactive detection, monitoring, and mitigation strategies.