John Pescatore - SANS Director of Emerging Security Trends
“Living off the Land” Variant: Phishing to Change Email Forwarding Rules
This week's Drilldown will focus on one item (included below) from NewsBites Issue 95, which summarized an FBI warning about "business email compromise" attacks exploiting email forwarding rules to steal information.
In the 2020 SANS Top New Attacks and Threats Report, SANS instructor Ed Skoudis described the increasing volume of Living off the Land (LotL) attacks, describing them as "using the OS as a rootkit against itself." In effect, attackers are using pieces of the operating system to attack the operating system, guided by thinking about what a SOC analyst will interpret when looking at those events. Essentially, attackers are social engineering the analyst by avoiding the need to download an attack payload and creating malicious effects that look like normal activity on the system.
The attack described by the FBI takes a LotL approach to attacking email--programmatically changing email forwarding settings to send a copy of the victim's every email to the attacker. All it takes is one email attachment with a spreadsheet or a .csv download from a sensitive database, and a breach is complete.
This attack hit close to home here at SANS. In August we disclosed that one of our users had fallen for just such a phishing attack, and a spreadsheet with the personally identifiable information (but no financial data) of 28,000 individuals was exposed. While SANS, for obvious reasons, has an extremely thorough cybersecurity controls program, the ability of such an attack to work on Office 365 email rules turned out to exploit a gap.
The ways to avoid this are pretty straightforward:
- Two-factor authentication is the biggest impediment to phishing attacks. Most users are using this in their personal life and will accept it in their work life.
- Recent updates to cloud and SaaS security configuration guidelines or benchmarks have secure configurations. I mentioned the CIS Microsoft 365 Foundation Benchmark v1.2, and there are individual guidelines from all the business email providers.
- Most SIEM products have existing alarms on changes in email forwarding rules. If nothing else, you can detect faster.
Bottom line: Securely configuring applications and services is an essential security practice to prevent LotL attacks. Multifactor authentication (MFA) is increasingly familiar to users and is the real key to raising the bar against phishing attacks.
FBI Warns of BEC Scammers Exploiting Email Forwarding Rules
(November 25 and December 1, 2020)
The FBI released a Private Industry Notification (PIN) warning that cyber threat actors are exploiting email forwarding rules to evade detection while conducting business email compromise (BEC) attacks. The thieves are setting email forwarding rules on web-based email clients. If the company admins have not synced email settings for web-based email accounts and desktop clients, the forwarding rule changes could go unnoticed.
[Neely] Compromising credentials of internet-accessible email accounts continues to be a target, and in many cases, low-hanging fruit. Implement MFA on all internet-accessible services. If you must enable password access, ensure passwords are sufficiently robust. Review NIST SP 800-63-3 (https://doi.org/10.6028/NIST.SP.800-63-3) for guidance. Also, make sure that account lockout and misuse detection on those services are enabled and actively monitored to detect malicious activities.
[Pescatore] These types of attacks have been around for several years, and many SIEM products have rules to detect and alarm on mail forwarding changes. Microsoft, SecureSky, and the Center for Internet Security (CIS) have updated the Microsoft 365 Foundation Benchmark to v1.2, which also addresses mitigating the forwarding risk.
[Honan] This is an important warning from the FBI. We've been involved in several email hijacking cases where forwarding rules were set by the criminals at the server side, be that an on-premises or cloud-based solution. However, the criminals have made the changes noted by the FBI and overlooked by the clients in their initial investigation. Also, be aware this vulnerability can be exploited on older installations of Microsoft Outlook, which we have seen in several cases. For more information, see https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide.
Read more in:
FBI: Private Industry Notification | Cyber Criminals Exploit Email Rule Vulnerability to Increase the Likelihood of Successful Business Email Compromise (PDF)
ZDNet: FBI warns of email forwarding rules being abused in recent hacks
Security Week: FBI Warns of Auto-Forwarding Email Rules Abused for BEC Scams