FBI Warns of Hackers Abusing Email Forwarding Rules in Recent Attacks

  • Remote-working has seen wider use of web-based email services
  • Hackers have compromised web-based email systems to plant auto-forwarding rules to help them scam businesses

The FBI has warned businesses of the threat posed by cybercriminals who create auto-forwarding rules on their victims' web-based email services, in an attempt to make them more susceptible to Business Email Compromise (BEC).

According to an industry alert issued by the FBI last week, and first reported by ZDNet, the problem has become worse with the huge shift towards remote working seen at many businesses following the COVID-19 pandemic.

With email auto-forwarding rules in place, criminals hope to conceal their activities from their victims, and those tasked with protecting staff.

To make its point, the FBI described two incidents - both of which took place in August - where fraudsters had exploited auto-forwarding email rules for their own gain.

In the first example, the FBI described how cybercriminals managed to create auto-forwarding rules at the recently upgraded webmail client of a US-based medical equipment company.

Unfortunately, the company's webmail settings did not sync with the firm's desktop client, meaning that the firm's security team had no visibility on the auto-forwarding rules running on the web app.

According to the FBI, hackers gained access to the company's network and, posing as a known international vendor, ultimately tricked their corporate victim into paying them $175,000.

In the second example described by the FBI, the same hacking gang created three auto-forwarding rules at the web-based email system used by an unnamed manufacturing company: 

"The first rule auto-forwarded any emails with the search terms "bank," "payment," "invoice," "wire," or "check" to the cyber criminal’s email address. The other two rules were based off the sender's domain and again forwarded to the same email address."

The onus is clearly on system administrators to ensure that web and desktop email clients are routinely syncing their auto-forwarding rules to ensure that they are properly visible to IT personnel.

Furthermore, after a security breach is discovered it would be wise for IT staff to properly audit auto-forwarding rules at both web-based and desktop email clients to ensure that they are not compromised.

It's not unusual for criminals to put email auto-forwarding rules in place to ensure that they gain visibility of all messages received by a particular user, without having to go to the effort of logging into their account multiple times a day. Furthermore, once an email forwarding rule is in place it continues to operate even if a user changes their email account password in the mistaken belief that doing so might lock out intruders.

And, as we have previously described, fraudsters have even used email rules to prevent users from receiving warnings from their IT support department about hacks and attacks, by looking for certain keywords and automatically deleting the emailed alert.
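As an added illustration (not code from this article or from the FBI alert), the audit below flags the rule patterns described above: external forwarding keyed on the finance terms quoted from the alert, external forwarding by sender domain or of all mail, and rules that delete messages carrying IT-warning terms. The Rule fields, the internal domain example.com, the ALERT_TERMS list and the sample rules are assumptions; a real export from a mail platform would need to be mapped onto the Rule structure first.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FINANCE_TERMS = {"bank", "payment", "invoice", "wire", "check"}  # terms from the FBI alert
ALERT_TERMS = {"security", "alert", "password", "compromised"}  # assumed IT-warning terms
INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain

@dataclass
class Rule:  # vendor-neutral view of an inbox rule; field names are assumed
    name: str
    keywords: set = field(default_factory=set)      # subject/body terms matched
    from_domains: set = field(default_factory=set)  # sender domains matched
    forward_to: Optional[str] = None                # forwarding target, if any
    delete: bool = False                            # rule deletes matching mail

def audit_rule(rule: Rule) -> List[str]:
    """Return the reasons a rule looks like the abuse described in the alert."""
    findings: List[str] = []
    terms = {k.lower() for k in rule.keywords}
    if rule.forward_to:
        domain = rule.forward_to.rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:
            findings.append(f"forwards to external address {rule.forward_to}")
            if terms & FINANCE_TERMS:
                findings.append("matches finance terms")
            if not terms and not rule.from_domains:
                findings.append("forwards every message")
    if rule.delete and terms & ALERT_TERMS:
        findings.append("deletes messages matching security-alert terms")
    return findings

def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its findings; clean rules are omitted."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report

# Constructed sample rules modelled on the incidents in the alert.
EXTERNAL = "drop@attacker.example"  # constructed attacker address
SAMPLE_RULES = [
    Rule("fwd-finance", keywords=set(FINANCE_TERMS), forward_to=EXTERNAL),
    Rule("fwd-vendor-1", from_domains={"vendor-a.example"}, forward_to=EXTERNAL),
    Rule("fwd-vendor-2", from_domains={"vendor-b.example"}, forward_to=EXTERNAL),
    Rule("fwd-all", forward_to=EXTERNAL),
    Rule("hide-it-warnings", keywords={"Security", "alert"}, delete=True),
    Rule("cover-colleague", forward_to="colleague@example.com"),  # benign
]
```

Running the audit over rules exported from both the webmail and desktop clients, as the article recommends, would surface the first five sample rules and leave the benign internal forward alone.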