FBI Warns of Hackers Abusing Email Forwarding Rules in Recent Attacks

By Graham Cluley on Dec 03, 2020 | 0 Comments
  • Remote-working has seen wider use of web-based email services
  • Hackers have compromised web-based email systems to plant auto-forwarding rules to help them scam businesses

The FBI has warned businesses of the threat posed by cybercriminals who create auto-forwarding rules on their victims' web-based email services, in an attempt to make them more susceptible to Business Email Compromise (BEC).

According to an industry alert issued by the FBI last week, and first reported by ZDNet, the problem has become worse with the huge shift towards remote working seen at many businesses following the COVID-19 pandemic.

With email auto-forwarding rules in place, criminals hope to conceal their activities from their victims, and those tasked with protecting staff.

To make its point, the FBI described two incidents - both of which took place in August - where fraudsters had exploited auto-forwarding email rules for their own gain.

In the first example, the FBI described how cybercriminals managed to create auto-forwarding rules at the recently upgraded webmail client of a US-based medical equipment company.

Unfortunately, the company's webmail settings did not sync with the firm's desktop client, meaning that the firm's security team had no visibility on the auto-forwarding rules running on the web app.

According to the FBI, hackers gained access to the company's network and, posing as a known international vendor, ultimately tricked their corporate victim into paying them $175,000.

In the second example described by the FBI, the same hacking gang created three auto-forwarding rules on the web-based email system used by an unnamed manufacturing company:

"The first rule auto-forwarded any emails with the search terms "bank," "payment," "invoice," "wire," or "check" to the cyber criminal’s email address. The other two rules were based off the sender's domain and again forwarded to the same email address."

The onus is clearly on system administrators to ensure that web and desktop email clients routinely sync their auto-forwarding rules, so that the rules are properly visible to IT personnel.

Furthermore, after a security breach is discovered, IT staff would be wise to properly audit the auto-forwarding rules in both web-based and desktop email clients to ensure that none have been tampered with.

It's not unusual for criminals to put email auto-forwarding rules in place to ensure that they gain visibility of all messages received by a particular user, without having to go to the effort of logging into the account multiple times a day. Furthermore, once an email forwarding rule is in place it continues to operate even if the user changes their email account password in the mistaken belief that this will lock out intruders.

And, as we have previously described, fraudsters have even used email rules to prevent users from receiving warnings from their IT support department about hacks and attacks, by looking for certain keywords and automatically deleting the emailed alert.
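The audit the article recommends can be automated once mailbox rules are exported from the webmail admin interface. The following is an added example, not code from the article or the FBI alert: it models the three-rule scenario above plus a keyword-deletion rule, and flags rules that forward outside the organisation, key on the financial terms quoted by the FBI, forward by sender domain, or silently delete keyword matches. The `InboxRule` fields, the `example.com` domain and all sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Financial terms the FBI alert says the attackers' first rule matched on.
BEC_KEYWORDS = {"bank", "payment", "invoice", "wire", "check"}

@dataclass
class InboxRule:
    mailbox: str                                      # rule owner (constructed)
    name: str
    forward_to: list = field(default_factory=list)    # forward/redirect recipients
    match_words: list = field(default_factory=list)   # subject/body keyword conditions
    from_domains: list = field(default_factory=list)  # sender-domain conditions
    delete_message: bool = False                      # rule deletes the matching mail

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def audit_rule(rule: InboxRule, internal_domains: set) -> list:
    """Return finding strings for one rule; an empty list means nothing suspicious."""
    findings = []
    external = [a for a in rule.forward_to if domain_of(a) not in internal_domains]
    if external:
        findings.append("forwards outside the organisation: " + ", ".join(external))
    hits = sorted({w.lower() for w in rule.match_words} & BEC_KEYWORDS)
    if hits and (external or rule.delete_message):
        findings.append("keyed on financial terms: " + ", ".join(hits))
    if rule.from_domains and external:
        findings.append("sender-domain rule forwarded externally: " + ", ".join(rule.from_domains))
    if rule.delete_message and rule.match_words:
        findings.append("silently deletes keyword matches (review: may hide IT alerts)")
    return findings

def audit_rules(rules: list, internal_domains: set) -> dict:
    """Map rule name -> findings for every rule that raised at least one finding."""
    return {r.name: f for r in rules if (f := audit_rule(r, internal_domains))}

# Constructed sample export (no real data) modelled on the FBI's three-rule case,
# plus one benign internal forward and one rule that deletes IT warnings.
SAMPLE_RULES = [
    InboxRule("ap@example.com", "rule1", ["drop@attacker-mail.example"],
              match_words=["bank", "payment", "invoice", "wire", "check"]),
    InboxRule("ap@example.com", "rule2", ["drop@attacker-mail.example"],
              from_domains=["vendor.example"]),
    InboxRule("ap@example.com", "rule3", ["drop@attacker-mail.example"],
              from_domains=["partner.example"]),
    InboxRule("ap@example.com", "to-deputy", ["deputy@example.com"], match_words=["invoice"]),
    InboxRule("ap@example.com", "drop-alerts", match_words=["password", "hacked"],
              delete_message=True),
]
```

Run `audit_rules(SAMPLE_RULES, {"example.com"})` after each incident, and after any password reset, since the rules survive a credential change.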

Author: Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.