UPDATED 06:00 EST / SEPTEMBER 20 2023

SECURITY

Research warns email rules are being weaponized by cyberattackers

Cloud cybersecurity firm Barracuda Networks Inc. today released new research on how attackers are using malicious email rules after compromising corporate networks to steal information and evade detection.

Automated email inbox rules are highly useful for managing the deluge of emails many experience in their working lives. Inbox rules help categorize, forward or even delete emails based on specific criteria set by users. However, as the Barracuda Networks research shows, their convenience can also serve as a tool for cyberattackers.

The research details how once an attacker has access to an account, they can use email rules to hide inbound emails like security alerts or cover their tracks from the owner of the account. Using email rules, an attacker can conceal activities, exfiltrate data by setting rules to forward emails containing specific keywords to external addresses and undertake business email compromise attacks by impersonating senior executives.

The research notes that along with exploiting email rules for business email compromise, they have also been leveraged in targeted nation-state attacks, remaining undetected even when additional security measures have been applied.

Three allegedly state-sponsored threat actor groups are known to use email rules as part of their attack toolkit — Kimsuky, LAPSUS$ and Silent Librarian. Of the three groups, LAPSUS$ is the best known, having breached Okta Inc. and Microsoft Corp. in March 2022 and prior to that, Nvidia Corp. and Samsung Electronics Co. Ltd.

Because email rules hide in plain sight, the research warns that multifactor authentication and password changing are ineffective defenses once an account is breached. Barracuda Networks instead recommends that companies focus on prevention and incident response to identify breached accounts and mitigate the impact.

“Because inbox rule creation is a post-compromise technique, the most effective protection is prevention — stopping attackers from being able to compromise the account in the first place. But you also need effective detection and incident response measures in place to identify breached accounts and mitigate the impact,” the research notes. “This includes having full visibility of every action being taken in every employee’s inbox, what rules are created, what’s been modified or accessed, the user’s logon history, the time and the location and context of emails sent.”

Image: Ideogram

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU