General
This alarm is triggered when an administrator creates a transport rule that automatically forwards all incoming emails to an external email address.
Rationale
Automatically forwarding emails is a tactic commonly used by attackers once they have gained access to a mailbox. It allows them to monitor email flows, unnoticed, and to gather information that can later be used for deception.
A common example is that legitimate payment requests, whether within the organization or to external partners, are copied and used to trick someone into transferring money to an incorrect bank account.
This is known as CEO fraud or BEC (Business Email Compromise). The average damage from CEO fraud is around 50,000 Euros, according to the FBI. It affects many organizations and is therefore a reason to take action against it.
At the same time, it is quite possible that an employee has set up the forwarding deliberately, but without malicious intent, for example to process certain emails elsewhere or to have them automatically forwarded to a cloud service. In such cases it is still advisable to check closely who is forwarding what, in order to prevent data leaks.
Follow-up
Perform these steps to adequately follow up on this detection.
- Contact the administrator who made the change to validate that the setting to automatically forward emails was intentionally adjusted.
  - If not: consider the administrator account that made the change as compromised:
    - Reset the employee's password
    - Revoke all logged-in sessions of the employee
    - Remove the transport rule
    - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?). This is strongly advised if the executing user is different from the mailbox owner.
  - If yes: assess whether the purpose of the forwarding conflicts with company policy.
    - If yes: remove the transport rule and provide an explanation to the employee(s)
    - If no: close the Attic incident as resolved
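The follow-up above can be supported from Exchange Online PowerShell. The script below is an added example, not part of the Attic article or product; it assumes an existing `Connect-ExchangeOnline` session and uses the tenant's accepted domains to decide which forwarding targets count as external. The function name `Test-ExternalAddress` and the output layout are the example's own.

```powershell
# Added triage helper (not from the Attic article). Assumes the Exchange Online
# Management module is loaded and Connect-ExchangeOnline has already been run.

# Every accepted domain of the tenant is treated as internal; anything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    # Hypothetical helper: returns $true when the address's domain is not an accepted domain.
    param([string]$Address)
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

# Transport rule actions that deliver a copy of, or redirect, a message to another recipient.
$forwardingProperties = 'BlindCopyTo', 'CopyTo', 'RedirectMessageTo', 'AddToRecipients'

# Enumerate all transport rules and report each external forwarding target they contain.
$findings = foreach ($rule in Get-TransportRule) {
    foreach ($prop in $forwardingProperties) {
        foreach ($recipient in @($rule.$prop)) {
            $address = "$recipient"
            if ($address -and (Test-ExternalAddress -Address $address)) {
                [pscustomobject]@{
                    Rule      = $rule.Name
                    Action    = $prop
                    Recipient = $address
                    State     = $rule.State
                }
            }
        }
    }
}

# Review the list with the administrator named in the alarm before taking action.
$findings | Format-Table -AutoSize

# Remediation when the change was NOT intended (follow-up steps "remove the transport
# rule" and "revoke all logged-in sessions"); replace the placeholders first:
#   Remove-TransportRule -Identity '<rule name from the alarm>' -Confirm:$false
#   Revoke-MgUserSignInSession -UserId '<admin UPN>'   # Microsoft Graph PowerShell module
```

The audit log can additionally show who created or changed the rule: `Search-UnifiedAuditLog -Operations New-TransportRule,Set-TransportRule` over the relevant time window.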