We would like to shed light on this widely used feature across organizations that has some critical security risks associated with it. The Auto-forward e-mail feature is what we’re talking about. You may have used the feature to forward emails to your colleagues while you’re off work. As much as the feature proves to be handy, unfortunately, it has been a victim of leveraging some of the stealthiest attacks to date. These attacks are mostly financially motivated. 

An attacker can abuse the auto-forward feature by creating rouge mail rules, resulting in data leakage, secure foothold inside the mailbox, Business Email Compromise (BEC), and is usually a stepping stone for lateral movement within the organization. This is even more threatening because once a rouge rule has been applied, the rule remains operative  even if the victim changes the password for the compromised account or implements multi-factor authentication. . For example, an attacker can customize the rule to selectively forward only those emails which contain the keywords like bank, wire, invoice, check, or payment. There have been numerous case studies out there that state how hackers were able to lure millions of dollars by chaining social engineering attacks and then taking advantage of the auto-forward mail feature. 

A typical attack scenario starts with the attacker trying to get access to the victim’s mailbox through phishing attacks. Once the attacker has access to the mailbox, to maintain persistence the attacker will set up an auto-forward mail rule to not have to log in every day which could trigger a security warning of a suspicious login. The rule may forward all the incoming emails or the attacker could be selective depending on the content, like email containing keywords such as invoices and payment will be forwarded. The attacker can then create a spoofed email address with a similar domain name (by manipulating a single alphabet) and reply to the emails. An attacker can ask for payments to his/her bank account. The client being unaware of the attack and trusting the spoofed email address and the domain would wire the payments. The attacker can be a lot more creative with the attack scenario which would make it difficult for organizations to detect the attack.  

The first step towards mitigation is to look at your mailboxes to ensure that no malicious mail rules have been previously made. It’s possible to prevent users from implementing such rules totally but there are plenty of situations where teams use automated mail rules. If using Microsoft Office 365, there’s an out-of-the-box alert feature in the Security and Compliance Centre that notifies when a forwarding or redirect rule has been implemented. Admins receive the alert via email. Another solution would be to disable Remote Powershell for normal users as a threat actor could use Remote Powershell to enable Auto Forwarding on an account, bypassing any multi-factor authentication in place. To sum up, all the attacks that leverage the auto-forward email feature have a similar foundation that is phishing. Employees should be provided with enough awareness and training on how to be safe and how to identify if an email is coming from a legitimate source.