T1114.003

Email Forwarding Rule

Adversaries routinely create email forwarding rules in compromised email accounts to collect sensitive information while hiding suspicious email activity from legitimate users.

Overall rank: #6

Customers affected: 6.2%

Threats detected: 340

Analysis

Why do adversaries leverage email forwarding rules?

Business email compromise (BEC) and email account compromise (EAC) attacks remained prevalent in 2023. Adversaries use compromised credentials or identities to access email accounts, leveraging their legitimacy to bypass automated security controls and to trick otherwise phish-aware users who apply more scrutiny to external or unfamiliar email addresses. Adversaries also use email forwarding rules to hide their activity from the legitimate user or to exfiltrate data to an external email address. Forwarding emails to an external account may also allow an adversary to continue receiving sensitive information after losing access to the account.

An important distinction should be made here: The email compromises and forwarding rules that Red Canary observed in 2023 involved an adversary gaining access to a legitimate email account in an organization and using it to conduct malicious activity. This differs from traditional social engineering where an adversary uses a fake or spoofed email address pretending to be part of the organization. Email messages coming from legitimate or internal email addresses aren’t subject to the same level of automated security controls that may block or inspect external emails. They also do a far better job of passing a security-savvy user’s “sniff test” that might otherwise recognize a phishing attempt from a suspicious or unrecognized email domain. This applies to both internal communications as well as those with trusted external parties such as vendors, customers, or other business partners.

As such, adversaries have ample incentive to compromise email accounts rather than simply impersonate them. Beyond the immediate benefits of using the compromised email account for fraud, gaining access to these accounts with legitimate credentials also allows adversaries to search the inbox for useful information or sensitive documents.

How do adversaries leverage email forwarding rules?

After gaining access to the email account (typically through a compromised identity or credentials), the adversary can create forwarding rules in the same way a legitimate user does. In 2023, Red Canary observed adversaries creating mailbox rules with simple names, usually just a single or double period (., ..), a semicolon (;) or a single letter. We also saw repetitive rule names such as aaaa or ......... We observed this technique in a back-to-school campaign in fall 2023, and we also covered it in the Email threats section of the 2023 Threat Detection Report and in other blogs.

These rules typically take messages containing certain keywords (such as "invoice" or "payroll"), or all messages from a certain sender (such as the HR department or any other individual with whom the adversary is trying to communicate), and move them to a folder that the legitimate user rarely checks (the RSS Subscriptions and Archive folders were the top culprits in 2023) while marking the emails as read. Red Canary also observed rules that forwarded messages to an external account under the adversary's control, as well as rules that ignored any subtlety and simply deleted all incoming emails.

One emergent technique that is adjacent to this one, and warrants mention, involves adversaries using mail client features such as marking emails as junk, blocking senders, or otherwise redirecting emails to the Junk folder. While this doesn't involve the creation of an actual inbox rule, it serves the same practical purpose as a malicious forwarding rule, and we are observing it with increasing frequency. There are three benefits to this approach from the adversary's perspective:

  1. Redirecting emails to the Junk folder blends in with the thousands of expected "blocked sender" actions that happen daily.
  2. It's easier and faster than creating an actual email forwarding rule.
  3. It sidesteps detection logic built around inbox-rule creation events. Note that the change is still recorded (in Exchange Online it appears in the Unified Audit Log as a Set-MailboxJunkEmailConfiguration operation), so the evasion is against rule-focused analytics rather than against logging itself.

 

Many of these forwarding rules are created using a login originating from a suspicious IP address. Most often, these IPs are inconsistent with the user’s typical IP block or login location. We observed many logins via commonly available virtual private networks (VPN) and other anonymizing tools.

How adversaries abuse email forwarding rules

The scheme typically unfolds as follows:

  1. The adversary logs in to a mailbox with compromised credentials, stolen session tokens, or some other method of compromising an identity. The originating IP address is almost always that of an anonymizing proxy or VPN provider such as Private Internet Access or ExpressVPN.
  2. The adversary performs reconnaissance of mail items by viewing attachments with terms such as "invoice," "ach," "wire transfer," or "payroll," then creates a forwarding rule for the newly discovered sensitive mail items (or blocks the sender so future messages are automatically delivered to the Junk folder).
  3. The adversary initiates or inserts themself into a conversation with internal colleagues in finance-related positions, such as payroll or procurement, or, more commonly, with external trusted vendors involved in business transactions.
  4. The adversary tricks email recipients into modifying ACH payroll or wire transfer destinations, rerouting money from its proper destination to an account controlled by the adversary.
  5. Sent messages are immediately moved to a different folder or deleted.
  6. Mail responses are automatically redirected to the user's Junk folder (or another folder specified by an email rule), leaving the actual user unaware of the conversations initiated on their behalf.

Office 365 users can disable external email forwarding rules for their organization by following this guide by Microsoft. The steps outlined in this detailed Office 365 hardening guide provided by Mandiant will also help shrink your attack surface.
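The hardening step above and a first hunt for forwarding that already exists, as an added example (this is not Red Canary's code and not the Microsoft or Mandiant guidance verbatim). It assumes the ExchangeOnlineManagement module, an account with Exchange admin rights, and placeholder values for the admin UPN; the two policy cmdlets apply to Exchange Online only, while the Get-InboxRule hunt also works in an on-premises Exchange Management Shell.

```powershell
# Added example: block automatic external forwarding tenant-wide, then hunt for forwarding
# that is already in place. Replace admin@yourdomain.com with a real admin UPN (placeholder).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com   # interactive sign-in, works with MFA

# 1. Outbound spam policy: stop auto-forwarding to external recipients (Automatic/On/Off; Off is the safe setting)
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Belt and braces: deny auto-forward on the default remote domain ('*', i.e. every external domain)
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Hunt: inbox rules in every mailbox that forward, redirect or delete mail
$rules = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$rules | Format-Table -AutoSize

# 4. Hunt: mailbox-level forwarding set with Set-Mailbox, which involves no inbox rule at all
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 calls Get-InboxRule once per mailbox, so expect it to take a while in a large tenant; step 4 is cheap and catches the case where an adversary with sufficient rights used Set-Mailbox (one of the UAL operations listed in the Detection section) instead of a rule. Turning AutoForwardingMode off does not remove existing rules, which is why the hunt follows the policy change.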

Visibility

Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.

Application logs

For most organizations, MITRE Data Source DS0015: Application Log will provide the visibility necessary to detect suspicious email forwarding rules. The details of what activity is visible differ between platforms such as Google Workspace, Exchange Online (Microsoft 365), and on-premises Exchange, but login activity and email rule creation are both actions that should be logged by whichever email platform your organization uses.

For Microsoft 365, this means the Unified Audit Log (UAL). If you're running an on-premises Exchange server, it's a little less straightforward, but you can likely collect relevant logs from a combination of mailbox audit logging and administrator audit logging (both reachable from the Exchange admin center), and you can hunt for inbox rules directly with the Get-InboxRule PowerShell cmdlet and by monitoring other log sources.

For Google Workspace users, the Security Investigation Tool will be your starting point and suspicious email rules can be observed by obtaining user Gmail settings through the Gmail API.

Collection

Note: The collection sections of this report showcase specific log sources from native event logs, third-party tools, and elsewhere that you can use to collect relevant security information.

For Office 365 users, the UAL is key to identifying not only suspicious email forwarding rules but all steps and aspects of BEC and EAC. There are many tools available to extract components of the UAL or even the entire log. Whichever platform you choose, be sure to collect the UAL operations and properties outlined in the Detection section below.

Detection opportunities

 

Confidently detecting the initial email account compromise is typically difficult, as it requires teams to detect anomalies to a user’s login behavior through a complicated series of alerting algorithms, potentially across numerous devices.

If using Office 365, we highly suggest monitoring for InboxRule creation events. The following UAL operations are worth monitoring:

  • New-InboxRule
  • Set-InboxRule
  • Remove-InboxRule
  • Disable-InboxRule
  • UpdateInboxRules
  • Set-Mailbox

 

Looking for new rules alone may generate too many false positives, so adding another check for commonly abused folders, suspicious criteria, and odd names will help filter out benign activity. We suggest looking for new inbox rules that move or copy emails to the following folders:

  • RSS Feeds
  • RSS Subscriptions
  • Archive
  • Deleted Items
  • Conversation History

 

Common rule names to watch out for (in addition to any rules with single-character names) include:

  • .
  • ..
  • aaaaa
  • ......
  • ;

 

Rules involving sensitive strings may include the following, in addition to organization or industry-specific terms:

  • ACH
  • Invoice
  • Payroll
  • Password Reset
  • Login code

 

Looking for rules that delete all incoming emails should also be high fidelity.

Tying everything together, look for these rules originating from a suspicious IP address. This could mean an unusual location or an address known to be registered to a VPN. In UAL terms, this means monitoring the following operations:

  • MailboxLogin
  • UserLoggedIn

 

We observed countless suspicious logins this year from IP addresses belonging to commercial VPN providers, which are obviously abnormal for most users. Adversaries leveraged the following VPN providers (in order of prevalence) when attempting to compromise identities:

  • Private Internet Access VPN
  • CyberGhost VPN
  • NordVPN
  • ExpressVPN
  • Windscribe VPN
  • Proton VPN
  • IPVanish VPN
  • Mullvad VPN
  • HMA VPN
  • Hide.me VPN
  • IPXO
  • PureVPN
  • Surfshark VPN
  • ZenMate VPN

 

You can find relevant logs for the Junk folder tradecraft described above as Set-MailboxJunkEmailConfiguration operations in Microsoft UAL logs. These events are noisy because users routinely block suspicious senders. However, we’ve found the following strategies effective:

  • Identify any internal users or trusted vendor domains that have been marked as a “blocked sender.” It’s highly unlikely that a normal user would mark internal or trusted senders and domains as junk mail.
  • Focus on the IP address responsible for the setting change. It should be unusual for users to create email rules or block senders while using a non-sanctioned VPN or proxy.
  • Take a deeper look at what applications are commonly used to create the junk mail configurations. How often are your users using non-standard mail applications in general? Baselining where this event comes from will help you recognize when an adversary is using an abnormal mail client for your organization. Below are some of the most common applications and their associated application IDs, which should be adjusted to match local software usage.

 

Application name                              Application (client) ID
Microsoft Exchange Online Protection          00000007-0000-0ff1-ce00-000000000000
Office 365 Exchange Online                    00000002-0000-0ff1-ce00-000000000000
Microsoft Outlook                             5d661950-3475-41cd-a2c3-d671a3162bc1
Microsoft 365 Security and Compliance Center  80ccca67-54bd-44ab-8625-4b79c4dc7775

 

Alternatively, ask yourself how often your non-administrative users use PowerShell or CLI-based tools to create these modifications. Identifying outliers in the various applications creating junk mail configuration changes or forwarding rules can point you to adversaries using their own scripts.
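The inbox-rule criteria from the Detection opportunities section (abused folders, odd names, sensitive strings, external forwarding, delete-all, suspicious source IP) and the junk-mail-configuration strategies just above share the same raw material, the AuditData JSON of a UAL record, so one added example covers both. This is not Red Canary's detection logic; it is an illustrative scorer written for this page. It assumes records are the AuditData strings returned by Search-UnifiedAuditLog, that you supply your own internal/trusted domains and VPN exit IPs, and it uses the client app IDs from the table above as a starting baseline. The three sample records are constructed, not real telemetry.

```powershell
# Added example, not Red Canary's code: score Exchange Online UAL records against the criteria above.
$SuspiciousFolders = @('RSS Feeds', 'RSS Subscriptions', 'Archive', 'Deleted Items', 'Conversation History')
$SuspiciousNames   = @('.', '..', 'aaaaa', '......', ';')
$SensitiveTerms    = @('ach', 'invoice', 'payroll', 'password reset', 'login code')
# Parameters that narrow a rule; DeleteMessage with none of these deletes everything (list not exhaustive)
$NarrowingParams   = @('From', 'FromAddressContainsWords', 'SubjectContainsWords', 'BodyContainsWords',
                       'SubjectOrBodyContainsWords', 'SentTo', 'HeaderContainsWords', 'MyNameInToBox')
# Client app IDs from the table above; tune to the mail clients your tenant actually uses
$BaselineAppIds    = @('00000007-0000-0ff1-ce00-000000000000', '00000002-0000-0ff1-ce00-000000000000',
                       '5d661950-3475-41cd-a2c3-d671a3162bc1', '80ccca67-54bd-44ab-8625-4b79c4dc7775')

function Test-SuspiciousExchangeRecord {
    param(
        [Parameter(Mandatory)][string]$AuditData,
        [string[]]$InternalDomains = @(),   # your own domains plus trusted vendor domains (assumed input)
        [string[]]$KnownVpnIps     = @()    # from whatever IP-enrichment source you have (assumed input)
    )
    $r = $AuditData | ConvertFrom-Json
    $p = @{}
    foreach ($kv in $r.Parameters) { $p[$kv.Name] = [string]$kv.Value }   # Name/Value array -> hashtable
    $f = [System.Collections.Generic.List[object]]::new()                  # findings: @{Points; Reason}

    if ($r.Operation -in 'New-InboxRule', 'Set-InboxRule') {
        $name = $p['Name']
        if ($name -and ($name -in $SuspiciousNames -or $name.Length -eq 1 -or $name -match '^(.)\1+$')) {
            $f.Add(@{ Points = 2; Reason = "odd rule name '$name'" })
        }
        foreach ($k in 'MoveToFolder', 'CopyToFolder') {
            if (-not $p.ContainsKey($k)) { continue }
            $folder = ($p[$k] -split '\\')[-1].Trim()   # value looks like "Mailbox:\RSS Subscriptions" or ":\Archive"
            if ($folder -in $SuspiciousFolders) { $f.Add(@{ Points = 2; Reason = "$k -> $folder" }) }
        }
        $narrowed = @($NarrowingParams | Where-Object { $p.ContainsKey($_) })
        $criteria = ($narrowed | ForEach-Object { $p[$_] }) -join ' '
        foreach ($t in $SensitiveTerms) {
            if ($criteria -match ('\b' + [regex]::Escape($t) + '\b')) { $f.Add(@{ Points = 1; Reason = "matches on '$t'" }) }
        }
        if ($p['MarkAsRead'] -eq 'True') { $f.Add(@{ Points = 1; Reason = 'marks as read' }) }
        foreach ($k in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            if (-not $p.ContainsKey($k)) { continue }
            foreach ($m in [regex]::Matches($p[$k], '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')) {
                if ($m.Groups[1].Value -notin $InternalDomains) { $f.Add(@{ Points = 3; Reason = "external forward to $($m.Value)" }) }
            }
        }
        if ($p['DeleteMessage'] -eq 'True' -and $narrowed.Count -eq 0) { $f.Add(@{ Points = 3; Reason = 'deletes all incoming mail' }) }
    }
    elseif ($r.Operation -eq 'Set-MailboxJunkEmailConfiguration') {
        # The hashtable argument is serialized as text in the log; pull addresses and domains out with a regex
        foreach ($m in [regex]::Matches([string]$p['BlockedSendersAndDomains'], '(?:[\w.+-]+@)?([\w-]+(?:\.[\w-]+)+)')) {
            if ($m.Groups[1].Value -in $InternalDomains) { $f.Add(@{ Points = 3; Reason = "blocked internal/trusted sender $($m.Value)" }) }
        }
    }

    # Context shared by both operations: source IP (UAL often appends :port) and client application
    $ip = [string]$r.ClientIP
    if ($ip -match '^(\d{1,3}(?:\.\d{1,3}){3}):\d+$' -or $ip -match '^\[(.+)\](?::\d+)?$') { $ip = $Matches[1] }
    if ($ip -in $KnownVpnIps) { $f.Add(@{ Points = 2; Reason = "source IP $ip is a known VPN exit" }) }
    $app = if ($r.ClientAppId) { $r.ClientAppId } else { $r.AppId }
    if ($app -and $app -notin $BaselineAppIds) { $f.Add(@{ Points = 1; Reason = "unbaselined client app $app" }) }

    [int]$score = 0
    foreach ($x in $f) { $score += $x.Points }
    [pscustomobject]@{
        Time = $r.CreationTime; User = $r.UserId; Operation = $r.Operation; ClientIP = $ip
        Score = $score; Suspicious = ($score -ge 3); Reasons = @($f | ForEach-Object { $_.Reason })
    }
}

# Constructed sample records (not real telemetry): a staged BEC rule, the junk-folder variant, and a benign rule
$samples = @(
@'
{"CreationTime":"2023-10-02T08:14:22","Operation":"New-InboxRule","RecordType":1,"Workload":"Exchange",
 "UserId":"jsmith@contoso.com","ClientIP":"203.0.113.10:51234","ClientAppId":"11111111-2222-3333-4444-555555555555",
 "Parameters":[{"Name":"Mailbox","Value":"jsmith"},{"Name":"Name","Value":".."},
  {"Name":"MoveToFolder","Value":":\\RSS Subscriptions"},{"Name":"SubjectContainsWords","Value":"invoice;payroll"},
  {"Name":"MarkAsRead","Value":"True"}]}
'@,
@'
{"CreationTime":"2023-10-02T08:16:05","Operation":"Set-MailboxJunkEmailConfiguration","RecordType":1,"Workload":"Exchange",
 "UserId":"jsmith@contoso.com","ClientIP":"203.0.113.10:51302","ClientAppId":"5d661950-3475-41cd-a2c3-d671a3162bc1",
 "Parameters":[{"Name":"Identity","Value":"jsmith"},{"Name":"BlockedSendersAndDomains","Value":"@{Add=hr@contoso.com}"}]}
'@,
@'
{"CreationTime":"2023-10-02T09:01:40","Operation":"New-InboxRule","RecordType":1,"Workload":"Exchange",
 "UserId":"akim@contoso.com","ClientIP":"198.51.100.7","ClientAppId":"5d661950-3475-41cd-a2c3-d671a3162bc1",
 "Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":":\\Newsletters"},
  {"Name":"From","Value":"news@example.org"}]}
'@
)
$samples | ForEach-Object { Test-SuspiciousExchangeRecord -AuditData $_ -InternalDomains 'contoso.com' -KnownVpnIps '203.0.113.10' } |
    Format-Table User, Operation, ClientIP, Score, Suspicious, Reasons -AutoSize
# Live: Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations New-InboxRule,Set-InboxRule,Set-MailboxJunkEmailConfiguration -ResultSize 5000 |
#   ForEach-Object { Test-SuspiciousExchangeRecord -AuditData $_.AuditData -InternalDomains 'contoso.com' } | Where-Object Suspicious
```

On the constructed input the first record scores 10 (odd name, RSS Subscriptions, invoice, payroll, mark as read, VPN exit, unbaselined app), the second scores 5 (internal sender blocked, VPN exit), and the benign rule scores 0. The weights are deliberately simple: anything that on its own is high fidelity per the text above (external forward, delete-all, an internal sender marked as junk) clears the threshold by itself, while the softer signals have to stack. UpdateInboxRules records (rules created from Outlook desktop) carry their details in a different layout than the Parameters array parsed here, so they need their own parser and are not handled by this example.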

Once you detect suspicious email activity using the above criteria, you may be able to validate those detections by investigating related alerting from your identity provider.

Although it's not directly related to email forwarding rules, SearchQueryInitiatedExchange is another event that is invaluable for forensics and detection. This event is recorded in the UAL whenever a user performs a mailbox search. Simply searching a mailbox is the easiest, quickest, and most effective way for adversaries to identify sensitive mail items during reconnaissance. The log contains the exact search query the adversary ran, found in the QueryText field. The following is an example of what a record from that log source looks like:

{
  "QuerySource": "Email",
  "QueryText": "passwords",
  "ScenarioName": "outlookdesktop",
  "ClientUserAgent": "Microsoft,Office/16.0,(Windows NT 10.0; Microsoft Outlook 16.0.17029; Pro)",
  "CustomProperties": [
    {
      "Name": "UserAgent",
      "Value": "officeshared.outlookdesktop"
    }
  ],
  "UserId": "REDACTED@REDACTED.com",
  "ClientIP": "1.1.1.1",
  "Id": "GUID",
  "RecordType": 101,
  "CreationTime": "2024-02-05T20:41:42",
  "Operation": "SearchQueryInitiatedExchange",
  "OrganizationId": "GUID",
  "UserType": 0,
  "UserKey": "21143112B2C58C7B",
  "Workload": "Exchange",
  "AppAccessContext": {
    "APPId": "00000002-0000-0ff1-ce00-000000000000",
    "ClientAppId": "5d661950-3475-41cd-a2c3-d671a3162bc1",
    "CorrelationId": "5d661950-3475-41cd-a2c3-d671a3162bc1"
  },
  "Version": 1
}

To record these events, the SearchQueryInitiated mailbox audit action needs to be enabled manually on each mailbox; it is not on by default. Some detection analytic ideas include identifying mailbox searches for the following terms, which may be fruitful in discovering possible enumeration attempts:

  • Password-related terms: password, passcode, login, credential, authentication, reset password
  • Financial terms: wire transfer, invoice, payment, bank account, credit card, transaction, ach
  • Sensitive information: ssn, social security number, dob, date of birth, personal information, sensitive data
  • Unusual access patterns: access from new location, unusual login activity, unknown device, suspicious login

 

Combining these search terms with IP address enrichment makes for a high-value analytic, since SearchQueryInitiatedExchange events include the originating source IP address (ClientIP).
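Enabling the audit action and then running the term lists above over SearchQueryInitiatedExchange records, as an added example that is not Red Canary's code. It assumes the ExchangeOnlineManagement module, an admin UPN placeholder, and that your tenant's licensing allows the SearchQueryInitiated audit action (Microsoft ties it to the premium audit tier; verify against your tenant before relying on it). The regex term lists are a direct transcription of the categories above, and the single sample record is constructed from the field layout shown in the example record.

```powershell
# Added example, not Red Canary's code: enable mailbox-search auditing, then hunt QueryText.
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com   # placeholder admin UPN

# 1. Turn the action on per mailbox; skip mailboxes that already have it
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    if ($_.AuditOwner -notcontains 'SearchQueryInitiated') {
        Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditOwner @{Add = 'SearchQueryInitiated'}
    }
}

# 2. Term categories from the detection ideas above, as regexes; extend with org-specific terms
$SearchTermCategories = [ordered]@{
    password  = 'password|passcode|\blogin\b|credential|authentication'
    financial = 'wire transfer|invoice|payment|bank account|credit card|transaction|\bach\b'
    pii       = '\bssn\b|social security|\bdob\b|date of birth|personal information|sensitive data'
    access    = 'new location|unusual login|unknown device|suspicious login'
}

function Find-SensitiveMailboxSearch {
    param(
        [Parameter(Mandatory)][string[]]$AuditData,   # AuditData JSON strings from Search-UnifiedAuditLog
        [string[]]$KnownVpnIps = @()                  # assumed enrichment input
    )
    foreach ($json in $AuditData) {
        $a = $json | ConvertFrom-Json
        if ($a.Operation -ne 'SearchQueryInitiatedExchange') { continue }
        $cats = @($SearchTermCategories.Keys | Where-Object { $a.QueryText -match $SearchTermCategories[$_] })
        if ($cats.Count -eq 0) { continue }
        [pscustomobject]@{
            Time       = $a.CreationTime
            User       = $a.UserId
            ClientIP   = $a.ClientIP
            Client     = $a.ScenarioName          # e.g. outlookdesktop
            Query      = $a.QueryText
            Categories = ($cats -join ',')
            VpnExit    = ($a.ClientIP -in $KnownVpnIps)
        }
    }
}

# Constructed sample record modelled on the layout above (not real telemetry)
$sample = '{"CreationTime":"2024-02-05T20:41:42","Operation":"SearchQueryInitiatedExchange","QuerySource":"Email","QueryText":"wire transfer","ScenarioName":"outlookdesktop","UserId":"jsmith@contoso.com","ClientIP":"203.0.113.10","RecordType":101,"Workload":"Exchange"}'
Find-SensitiveMailboxSearch -AuditData $sample -KnownVpnIps '203.0.113.10' | Format-Table -AutoSize

# 3. Live: last 7 days (one call returns at most 5000 records; use -SessionCommand ReturnLargeSet to page)
# $recs = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations SearchQueryInitiatedExchange -ResultSize 5000
# Find-SensitiveMailboxSearch -AuditData $recs.AuditData -KnownVpnIps (Get-Content .\vpn-exits.txt) | Sort-Object Time
```

The sample record reports one hit in the financial category with VpnExit set to True. Because the action is enabled per mailbox, step 1 is worth re-running on a schedule so newly created mailboxes are covered; a search that is never audited produces nothing for step 2 to find.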

Testing

Start testing your defenses against Email Forwarding Rules using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View the atomic test for T1114.003: Email Forwarding Rule. In most environments, running it as-is should be sufficient to generate a useful signal for defenders. However, consider modifying the test to use a custom rule name, such as one of the commonly used rule names listed above. You can also replace the -ForwardTo parameter with -MoveToFolder and point it at one of the commonly abused folders mentioned above. In either case, you can add the -From parameter so the rule only acts on mail from a specific sender.

Run the following in PowerShell to execute the modified version of this test (described above). Note that Connect-ExchangeOnline -Credential only works for accounts without MFA; for an MFA-enforced account, use Connect-ExchangeOnline -UserPrincipalName with the test account's UPN and authenticate interactively instead.

# Atomic Red Team T1114.003, modified to move rather than forward; #{...} placeholders are Atomic input arguments
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
# -From limits the rule to one sender; ":\Archive" is the Archive folder of the mailbox the rule is created in
New-InboxRule -Mailbox "whatever@yourdomain.com" -From "whatever@yourdomain.com" -MoveToFolder ":\Archive" -Name "#{rule_name}"
# Clean up once you have checked your telemetry
Remove-InboxRule -Mailbox "whatever@yourdomain.com" -Identity "#{rule_name}" -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false

This test creates an inbox rule that moves email from the specified sender to the Archive folder, which is the variant described above rather than an external forward.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.

 
 