Abusing email rules


For the average email user, setting up rules like automatic email forwarding is a harmless exercise. But for the individual whose role it is to prevent security breaches and achieve compliance, email rules and forms can turn into a nightmare situation in seconds.

Hackers can break into a person’s email client and create rules to forward incoming emails to their server, delete certain messages (such as legitimate warnings) and even format the victim’s hard drive to cover up any evidence if needed. Any rich email client (such as Outlook and Mozilla Thunderbird) allowing users to set up rules can be abused to perform malicious actions.

With Outlook, for instance, you can instruct the client to display an item alert, play a sound or move an item to a specific folder if the email subject line contains a certain set of keywords.

What’s eye-opening about these rogue email rules is that the data lives on the email client’s server. This means potential targets cannot prevent hackers from executing malicious programs by simply changing computers, updating their passwords or erasing their hard disk. Unless they check the email client, the rules will live through all types of software updates and bug fixes.

Examples of email rule attacks

One of the most recent cases of an email rule attack was uncovered by the co-founder and chief visionary of TRIBU & CROFTi.

One of CROFTi’s clients asked the company for assistance in getting to the root of suspicious wire transfers. They were almost about to lose a million dollars, and only realized that they’d been scammed at the last minute. Fortunately, they were able to get in touch with their bank and cancel the transfer.

CROFTi launched an investigation on their behalf and found that some of the company staff’s Office365 accounts had (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dan Virgillito. Read the original post at: