General
This alarm is triggered when a new forwarding rule is created in a mailbox within the organization. Such rules automatically perform an action on matching emails; in this case the action is forwarding the email to an address outside the organization.
Rationale
Automatically forwarding emails is a common tactic used by attackers after they have gained access to a mailbox. It gives them the opportunity to monitor email flows and gather information that can be used for deception.
A common example is that legitimate payment requests, within the organization or to external partners, are imitated to deceive someone into transferring money to the wrong bank account.
This is referred to as CEO fraud or BEC (Business Email Compromise). According to the FBI, the average damage from CEO fraud is around 50,000 Euros. It affects many organizations, which is reason enough to take action against it.
At the same time, it is quite possible that an employee set up the forwarding deliberately and without malicious intent, for example to process certain emails elsewhere, or to have emails automatically forwarded to a cloud service. In such cases it is advisable to pay close attention to who forwards what, to prevent data leaks.
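As an added illustration (not part of this article and not Attic's own detection code), the logic behind such an alarm run over a few constructed audit records: it flags rule and mailbox changes that forward mail to a domain outside the organization and leaves internal forwards and non-forwarding rules alone. The record field names, the organization domain and the sample users are assumptions made for the example.

```python
import json
import re

# Constructed audit records shaped like Exchange Online mailbox-rule events (UnifiedAuditLog
# style); the exact field names are assumptions made for this example, not a vendor schema.
SAMPLE_AUDIT_LOG = """
{"UserId": "alice@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "SMTP:bookkeeping@example.org"}]}
{"UserId": "bob@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "To finance"}, {"Name": "ForwardTo", "Value": "finance@example.com"}]}
{"UserId": "carol@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"UserId": "dave@example.com", "Operation": "Set-InboxRule", "Parameters": [{"Name": "Identity", "Value": "Backup"}, {"Name": "ForwardAsAttachmentTo", "Value": "Dave Personal <dave.home@example.net>"}]}
{"UserId": "erin@example.com", "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:erin@example.net"}]}
"""

ORG_DOMAINS = {"example.com"}  # constructed: the organisation's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that send a copy of (or redirect) mail to another address.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def extract_addresses(value):
    """Pull SMTP addresses out of values such as 'SMTP:x@y', 'Name <x@y>' or 'a@b;c@d'."""
    return [addr.lower() for addr in ADDRESS_RE.findall(value)]

def is_external(address, org_domains):
    """True unless the address belongs to an organisation domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[1]
    return not any(domain == d or domain.endswith("." + d) for d in org_domains)

def find_external_forwarding(audit_log, org_domains=ORG_DOMAINS):
    """One finding per audit record that forwards mail to an address outside org_domains."""
    findings = []
    for line in filter(str.strip, audit_log.splitlines()):
        event = json.loads(line)
        if event.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
        external = sorted({addr for name in FORWARD_PARAMS if name in params
                           for addr in extract_addresses(params[name])
                           if is_external(addr, org_domains)})
        if external:  # internal forwards (bob) and non-forwarding rules (carol) are not alerted on
            findings.append({"user": event["UserId"], "operation": event["Operation"],
                             "rule": params.get("Name") or params.get("Identity"),
                             "external_targets": external})
    return findings

if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(f"{f['user']}: {f['operation']} {f['rule']!r} -> {', '.join(f['external_targets'])}")
```

Forwards to a cloud service are flagged just like any other external destination, since the check only knows the organization's own domains; whether such a forward is acceptable is decided in the follow-up steps below.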
Follow-up
Follow these steps to adequately respond to this detection.
- Contact the employee to validate whether the forwarding rule was created consciously.
- If not: consider the employee account as compromised:
  - Reset the employee's password
  - Revoke all logged-in sessions of the employee
  - Remove the forwarding rule
  - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?)
- If yes: assess whether the purpose of the forwarding rule conflicts with company policy.
  - If yes: remove the forwarding rule and provide an explanation to the employee(s)
  - If no: close the Attic incident as resolved