This is especially true in cases with hidden auto-forwarding rules. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.ĭetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. Use of encryption provides an added layer of security to sensitive information sent over email.
Ĭonsider disabling external email forwarding. In addition to this, a MAPI Editor can be utilized to examine the underlying database structure and discover any modifications/tampering of the properties of auto-forwarding rules. In an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules. Įnterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis. Silent Librarian has set up auto forwarding rules on compromised e-mail accounts. Kimsuky has set auto-forward rules on victim's e-mail accounts. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools. Īny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.
Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. These rules may be created through a local email application, a web interface, or by command-line interface. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.
Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Adversaries may setup email forwarding rules to collect sensitive information.
0 kommentar(er)
