FBI warns of email forwarding rules being abused in recent hacks

FBI: "The web-based client's forwarding rules often do not sync with the desktop client, limiting the rules' visibility to cyber security administrators."
Written by Catalin Cimpanu, Contributor

The US Federal Bureau of Investigation says that cyber-criminals are increasingly relying on email forwarding rules in order to disguise their presence inside hacked email accounts.

In a PIN (Private Industry Notification) alert sent last week and made public today, the FBI says the technique has been seen and abused in recent BEC (Business Email Compromise) attacks reported over the summer.

Also: Best VPN service in 2020: Safe and fast don't come for free 

The hackers' technique relies on a feature found in some email services called "auto-forwarding email rules."

As its name implies, the feature allows the owner of an email address to set up "rules" that forward (redirect) an incoming email to another address if a certain criteria is met.

Threat actors absolutely love email auto-forwarding rules as they allow them to receive copies of all incoming emails without having to log into an account each day -- and be at risk of triggering a security warning for a suspicious login.

Recent spike of abuse in BEC attacks

Email auto-forwarding rules have been abused since the dawn of email clients; by both nation-state hacking groups, but also regular cybercrime operators.

But in a PIN last week, the FBI says it received multiple reports over the summer that the technique is now often abused by gangs engaging in BEC scams -- a form of cybercrime where hackers breach email accounts and then send emails from the hacked account in attempts to convince other employees or business partners into authorizing payments to wrong accounts, controlled by the intruders.

The FBI provided two cases as examples were BEC scammers abused email forwarding rules during their attacks:

  1. In August 2020, cyber criminals created auto-forwarding email rules on the recently upgraded web client of a US-based medical equipment company. The webmail did not sync to the desktop application and went unnoticed by the victim company, which only observed auto-forwarding rules on the desktop client. RSS was also not enabled on the desktop application. After the BEC actors obtained access to the network, they impersonated a known international vendor. The actors created a domain with similar spelling to the victim and communicated with the vendor using a UK-based IP address to further increase the likelihood of payment. The actors obtained $175,000 from the victim.
  2. During another incident in August 2020, the same actor created three forwarding rules within the web-based email used by a company in the manufacturing industry. The first rule auto-forwarded any emails with the search terms "bank," "payment," "invoice," "wire," or "check" to the cyber criminal's email address. The other two rules were based off the sender's domain and again forwarded to the same email address.

FBI recommends syncing email account settings

FBI officials say that the technique is still making victims in corporate environments because some companies don't forcibly sync email settings for the web-based accounts with desktop clients.

This, in turn, limits "the rules' visibility to [a company's] cyber security administrators," and the company's security software, which may be configured and capable of detecting forwarding rules, but may remain blind to new rules until a sync occurs.

The FBI PIN -- a copy of which is available here -- contains a series of basic mitigations and solutions for system administrators to address this particular attack vector and prevent future abuse.

The FBI PIN comes after the FBI reported earlier this year that BEC scams were, by far, the most popular form of cybercrime in 2019, having accounted for half of the cybercrime losses reported last year.

The FBI's most wanted cybercriminals

Editorial standards