FBI Warns of BEC Scammers Exploiting eMail Forwarding Rules
The FBI has released a Private Industry Notification warning that cyber threat actors are exploiting email forwarding rules to evade detection while conducting business email compromise (BEC) attacks. The thieves are setting email forwarding rules on web-based email clients. If the company admins have not synced email settings for web-based email accounts and desktop clients, the forwarding rule changes could go unnoticed.
Compromising the credentials of internet-accessible email accounts continues to be a target and, in many cases, low-hanging fruit. Implement multi-factor authentication on all internet-accessible services. If you must allow password-only access, ensure passwords are sufficiently robust; review NIST SP 800-63-3 (https://pages.nist.gov/800-63-3/) for guidance. Make sure that account lock-out and misuse detection on those services are enabled and actively monitored so that malicious activity is detected.
These types of attacks have been around for several years; many SIEM products have rules to detect and alarm on mail forwarding changes. Microsoft, SecureSky, and the Center for Internet Security have updated the Microsoft 365 Foundation Benchmark to v1.2, which also addresses mitigating the forwarding risk.
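As an added illustration of the kind of SIEM rule referred to above (this is example code, not from the FBI notification, the CIS benchmark or any vendor), the script below scans audit records for inbox-rule and mailbox changes that forward or redirect mail and rates the ones pointing outside the organization, or that delete the original message, as the highest priority. The record shape (an `Operation` field plus a `Parameters` list of name/value pairs) is modelled on Microsoft 365 unified audit log Exchange entries, and the sample records are constructed; the parameter names checked are Exchange Online cmdlet parameters, but whether every tenant logs them verbatim in this form is an assumption to verify against your own exports.

```python
import re

# Exchange cmdlet parameters that move mail out of a mailbox. Assumption: the
# parameter names appear verbatim in the audit record's "Parameters" list.
FORWARDING_PARAMS = (
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox-rule actions
    "ForwardingSmtpAddress", "ForwardingAddress",         # mailbox-level forwarding
)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample records (not real audit data). The first is a benign
# internal archive rule, the second a classic BEC pattern (rule named ".",
# external forward, originals deleted), the third admin-set mailbox forwarding.
SAMPLE_RECORDS = [
    {"CreationTime": "2020-11-25T08:01:00", "Operation": "New-InboxRule",
     "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices to archive"},
                    {"Name": "ForwardTo", "Value": "[SMTP:finance-archive@corp.example]"}]},
    {"CreationTime": "2020-11-25T08:05:00", "Operation": "New-InboxRule",
     "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "[SMTP:b0b.mailbox@gmail.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2020-11-25T08:09:00", "Operation": "Set-Mailbox",
     "UserId": "helpdesk@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.personal@mail.example"}]},
    {"CreationTime": "2020-11-25T08:12:00", "Operation": "Set-Mailbox",
     "UserId": "helpdesk@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "dave"},
                    {"Name": "ForwardingSmtpAddress", "Value": "$null"}]},  # forwarding removed
    {"CreationTime": "2020-11-25T08:15:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@corp.example", "Parameters": []},
]


def find_forwarding_events(records, internal_domains):
    """Return one finding per record that sets a forwarding/redirect destination.

    A destination whose domain is not in internal_domains is flagged external
    and the finding is rated "high"; internal-only forwarding is "medium" so it
    is still reviewed but ranks below exfiltration candidates.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        destinations = []
        for name in FORWARDING_PARAMS:
            if name in params:
                destinations.extend(EMAIL_RE.findall(params[name]))
        if not destinations:          # e.g. forwarding cleared with $null
            continue
        external = [a for a in destinations
                    if a.rsplit("@", 1)[1].lower() not in internal]
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "rule_name": params.get("Name") or params.get("Identity"),
            "destinations": destinations,
            "external": external,
            "deletes_copy": params.get("DeleteMessage", "").lower() == "true",
            "severity": "high" if external else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_forwarding_events(SAMPLE_RECORDS, ["corp.example"]):
        print(f"[{f['severity'].upper()}] {f['time']} {f['user']} {f['operation']} "
              f"rule={f['rule_name']!r} -> {', '.join(f['destinations'])}"
              f"{' (deletes original)' if f['deletes_copy'] else ''}")
```

Feeding the same function a real export (for example the output of a unified audit log search filtered to the operations listed) turns it into the alert source the editor describes; the internal-domain list is the only site-specific input, and a rule whose name is a single character or that also deletes the original is worth treating as an incident rather than a ticket.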
This is an important warning from the FBI. We've been involved in several email hijacking cases where forwarding rules were set by the criminals at the server side, be that an on-premises or cloud-based solution. However, the criminals have made the changes noted by the FBI, which have been overlooked by the clients in their initial investigation. Also, be aware this vulnerability can be exploited on older installations of Microsoft Outlook, which we have seen in several cases. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide