General
This alarm is triggered when a mailbox is set to automatically forward all incoming emails to an external email address.
Rationale
Automatically forwarding emails is a common tactic used by attackers after they have gained access to a mailbox. It allows them to monitor email flows and gather information that can be used for deception.
A common example is copying legitimate payment requests, within the organization or to external partners, in order to deceive someone into transferring money to the wrong bank account.
This is referred to as CEO fraud or BEC (Business Email Compromise). The average damage from CEO fraud is around 50,000 Euros, according to the FBI. It affects many organizations, which is reason enough to take action against it.
At the same time, it is quite possible that an employee set up the forwarding deliberately and without malicious intent, for example to process certain emails elsewhere, or to have emails automatically forwarded to a cloud service. In such cases, it is advisable to pay close attention to who is forwarding what, in order to prevent data leaks.
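The condition this alarm describes can be checked directly in the tenant. The following is an added example, not code from the Attic article or product: it lists every mailbox whose mail leaves the organization through a mailbox-level forwarding address or through an inbox rule, treating any domain that is not an accepted domain of the tenant as external. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with a role that may read mailboxes and inbox rules; the function name Test-ExternalAddress is this example's own.

```powershell
# Added example, not part of the Attic article: enumerate mailboxes whose mail
# is forwarded to a domain the tenant does not own, either via mailbox-level
# forwarding or via inbox rules. Assumes Connect-ExchangeOnline has been run.

# Domains the organization owns; anything else counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Exchange prefixes SMTP addresses with "smtp:"; strip it before comparing.
    $addr = ($Address -replace '^smtp:', '').Trim().ToLower()
    if (-not $addr.Contains('@')) { return $false }
    $domain = $addr.Split('@')[-1]
    return ($internalDomains -notcontains $domain)
}

$findings = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (what Set-Mailbox -ForwardingSmtpAddress configures).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'ForwardingSmtpAddress'
            Rule     = $null
            Target   = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '')
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }

    # 2. Inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (-not $t) { continue }
            # Rule recipients render as 'Display Name [SMTP:user@example.com]';
            # pull out the SMTP address and fall back to the raw string otherwise.
            $addr = if ("$t" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$t" }
            if (Test-ExternalAddress $addr) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Kind     = 'InboxRule'
                    Rule     = $rule.Name
                    Target   = $addr
                    KeepCopy = -not [bool]$rule.RedirectTo   # redirect removes the copy, forward keeps it
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Calling Get-InboxRule once per mailbox is slow in a large tenant, so this is a periodic sweep rather than a real-time detection; the KeepCopy column is worth reading, because a rule that redirects (owner never sees the message) is the quieter variant of the two.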
Follow-up
Follow these steps to adequately respond to this detection.
First, it is important to realize that this change may have been made either by the employee who owns the mailbox or by another employee with Exchange Administrator rights.
Attic shows who made the change and which mailbox the change pertained to.
- Contact the employee who made the change to validate that the setting to automatically forward emails was intentionally adjusted.
  - If not: consider the employee account that made the change as compromised:
    - Reset the employee's password
    - Revoke all logged-in sessions of the employee
    - Remove the forwarding rule
    - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?). This is strongly advised if the executing user is different from the mailbox owner.
  - If yes: assess whether the purpose of forwarding conflicts with company policy.
    - If yes: remove the forwarding rule and provide an explanation to the employee(s)
    - If no: close the Attic incident as resolved
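The "If not" branch above, carried out in one pass, as an added example that is not code from the Attic article or product. It reconstructs who changed what from the unified audit log, removes both kinds of forwarding from the affected mailbox, and then resets the password and revokes the sessions of the account that made the change. It assumes Connect-ExchangeOnline and Connect-MgGraph have been run by an account permitted to reset passwords and revoke sessions; $Mailbox and $Actor are placeholders for the two values Attic shows in the alarm.

```powershell
# Added example, not part of the Attic article: respond to a forwarding change
# that the employee did not make intentionally. Assumes Connect-ExchangeOnline
# and Connect-MgGraph -Scopes 'User.ReadWrite.All' have been run by an account
# allowed to reset passwords and revoke sign-in sessions.

$Mailbox = 'mailbox-owner@example.com'   # mailbox that now forwards externally (placeholder)
$Actor   = 'actor@example.com'           # account that made the change (placeholder)

# 1. Who, what, when, from where: pull the actor's mailbox changes from the audit log.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $Actor -Operations Set-Mailbox, New-InboxRule, Set-InboxRule, UpdateInboxRules `
    -ResultSize 1000
$records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP, ObjectId,
        @{ n = 'Parameters'; e = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 2. Remove the forwarding: the mailbox-level setting and every inbox rule that forwards or redirects.
Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object {
        Write-Host "Removing rule '$($_.Name)' from $Mailbox"
        Remove-InboxRule -Mailbox $Mailbox -Identity $_.Identity -Confirm:$false
    }

# 3. Treat the account that made the change as compromised: new one-time password, all sessions revoked.
#    Get-Random is fine for a throwaway value because the user must change it at next sign-in.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$newPassword = -join ($chars | Get-Random -Count 20)
Update-MgUser -UserId $Actor -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $Actor | Out-Null

# 4. Verify: all three forwarding fields should now be empty or false.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

The order matters: stop the outflow first (step 2), then lock the actor out (step 3), so that a session still alive between the two steps cannot simply recreate the rule. The temporary password is deliberately not printed; hand it over through whatever out-of-band channel the organization normally uses for resets. Keep the audit output from step 1 for the Tier2 investigation, since the ClientIP and the Parameters column are what show whether the mailbox owner or a different account made the change.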