
BEC scammers leverage email auto-forward rules to intersect financial transactions

The FBI this week made public a private industry notification warning that business email compromise (BEC) scammers are exploiting web-based email clients' auto-forwarding rules to secretly gather intel on their targets and also hide their fraudulent communications.

Moreover, if organizations fail to sync their web-based email clients with their desktop-based clients, this suspicious activity may go unnoticed by infosec personnel.

According to the alert, scammers who are able to obtain and compromise the email credentials of an employee can then alter the auto-forwarding rules of the victim's web-based client to send any inbound communications to their own attacker-controlled email addresses.

They can even configure the settings so that only emails featuring certain message attributes or keywords (like "receipt" or "payment") will be forwarded to them. Such emails would likely contain solid intelligence, including what colleagues, vendors or partners the compromised employee is actively working with, as well as payment and bank account information.

“For example, if there is a DocuSign attachment, those can be forwarded to a [malicious] third party,” said Chris Morales, head of security analytics at Vectra. “In this way, the attack is passive and harvesting information without having to perform any form of active monitoring. This reduces the chance of detection to find the attack as there is nothing malicious installed and only the behavior of forwarding is occurring.”

“After the initial intrusion, forwarding emails is a rather benign activity compared to other data exfiltration methods,” making such actions easy to fly under the radar, said Brandon Hoffman, chief information security officer at Netenrich. “The information gleaned from the forwarded email will be the critical foundation for completing the scam. Data contained in these emails will make the scam emails significantly more credible sounding by referencing other projects and people and potentially giving access to images and other contact information, widening the information the attacker has on the organization.”

Using the information they have gathered, the attackers can fake a business email from one of the compromised victim's colleagues, vendors or partners in an attempt to trick the employee into initiating a funds transfer to a malicious account. Or vice versa: the attacker could impersonate the employee and send a fake financial request to the employee's various contacts.

The attacker goldmine: Financial transactions and IP

“The most typical use case is in a company that conducts frequent financial transactions,” said Asaf Cidon, senior vice president of email protection products at Barracuda Networks, and assistant professor at Columbia University. “The attacker sets up the forwarding rule on an employee involved in such transactions – e.g. a real-estate broker [or] an employee in the financial/procurement department – which allows them to get a continuous feed of all the relevant emails being sent to and from that account.”

“Once they observe a significant financial transaction taking place, they can insert themselves into that transaction, typically by sending an email that impersonates a person on that email chain. We call such attacks ‘conversation hijacking.’”

Those hijacked conversations often come from spoofed, lookalike email addresses that are just slightly different from the genuine one. Even so, the attackers might still use the auto-forwarding rules at that point to ensure that no legitimate business emails reach the compromised target’s actual email address, so suspicions aren’t aroused and the scheme isn’t sniffed out.

If brazen enough, “really sophisticated attackers may even send the fraudulent email from the actual compromised mailbox, and set up a script that automatically deletes the malicious email from that person’s sent item folder or any responses to that email, so they can evade detection,” said Cidon.

The FBI alert, which initially was distributed privately to companies on Nov. 25, cites two prominent recent examples of BEC schemes that used auto-forwarding rules. In August 2020, attackers manipulated auto-forwarding on the web-based email client of a U.S.-based medical equipment company as part of a BEC scam that netted $175,000. The same actors also compromised a manufacturer and created email rules so that they would be forwarded any emails featuring the terms "bank," "payment," "invoice," "wire," or "check."

"I have personally seen this type of attack as far back as the days of Microsoft Exchange and 'on-prem' OWA [Outlook on the web], so it is nothing new," said Wade Woolwine, principal security researcher at Rapid7. "But it's becoming a more and more attractive technique for attackers who have little trouble phishing credentials, logging into SaaS email providers, and implementing auto-forwarding rules."

"Typically, you'd see this kind of behavior in attacks that are targeting intellectual property or other sorts of competitive information. Industries such as the legal sector, manufacturing, and any other sector that invests heavily in research are particularly impacted by this type of attack," Woolwine continued.

According to the FBI, if a web-based client’s forwarding rules do not sync with the desktop client, these kinds of attacks can go unnoticed by security administrators, who sometimes don’t have good visibility into the web client’s rules, especially in remote working environments like the kind that have sprung up since the COVID-19 pandemic began.

The alert explains: “While IT personnel traditionally implement auto-alerts through security monitoring appliances to alert when rule updates appear on their networks, such alerts can miss updates on remote workstations using web-based email. If businesses do not configure their network to routinely sync their employees’ web-based emails to the internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email application. This leaves the employee and all connected networks vulnerable to cyber criminals.”

“Even after a financial institution or law enforcement contact warns a victimized business of a potential BEC, a system audit may not identify the updated email rules if it does not audit both applications, increasing the time a cybercriminal can retain email access and continue BEC activity,” the alert continues.

This lack of automatic syncing is “actually a feature, not a bug of email,” explained Cidon. “By not having to remain 100 percent synchronized, users can work on email even if their computer is offline or if they are in a bandwidth-constrained network. However, from an email security standpoint, it is very important to deploy systems that monitor the source of email traffic – the web server – rather than focusing on the clients, which may be out-of-sync and are distributed on many different mail clients and devices (phones, laptops, etc.). Beyond the security implications, deploying and maintaining such client-based solutions is typically much more difficult than server-based ones.”
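A server-side review of mailbox rules, sketched as an added example that is not taken from the FBI alert or from any vendor quoted here. It assumes the rules have already been exported from the mail server into plain records; the field names, mailboxes and domains are constructed, and the keyword list is the one reported in this article.

```python
# Added example: constructed rule records; field names are hypothetical.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains
# Keywords this article reports attackers filtering on
FINANCE_KEYWORDS = {"bank", "payment", "invoice", "wire", "check", "receipt"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return findings for one server-side inbox rule record."""
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(t for t in targets if domain_of(t) not in INTERNAL_DOMAINS)
    if external:
        findings.append("external-forward:" + ",".join(external))
    # A keyword condition on a forwarding rule is the selective pattern described above.
    words = {w.lower() for w in rule.get("keywords", [])}
    hits = sorted(words & FINANCE_KEYWORDS)
    if hits and targets:
        findings.append("finance-keyword-filter:" + ",".join(hits))
    # Deleting the original hides the traffic from the mailbox owner.
    if rule.get("delete_message"):
        findings.append("deletes-original")
    return findings

def audit_all(rules):
    """Map (mailbox, rule name) to findings, skipping clean rules."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report

SAMPLE_RULES = [  # constructed sample data
    {"mailbox": "ap.clerk@example.com", "name": "fwd",
     "forward_to": ["archive@example.net"], "keywords": ["Invoice", "wire"]},
    {"mailbox": "it.help@example.com", "name": "tickets",
     "forward_to": ["helpdesk@example.com"], "keywords": ["ticket"]},
    {"mailbox": "broker@example.com", "name": "cleanup",
     "redirect_to": ["collector@example.org"], "delete_message": True},
]

if __name__ == "__main__":
    for key, findings in audit_all(SAMPLE_RULES).items():
        print(key, findings)
```

Running the review against the server's copy of the rules, rather than a desktop client's, is what closes the sync gap the alert describes.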

Manual versus automated defense

To combat BEC scams that leverage auto-forwarding, the FBI listed several recommendations, starting with ensuring that desktop and web email applications are running the same version and properly syncing.

Other suggestions include disallowing automatic email forwarding to addresses outside your organization, checking incoming emails for spoofed “lookalike” addresses, practicing multi-factor authentication for email, double checking suspicious financial requests with management before performing the transaction, monitoring the Email Exchange server for configuration and rules changes, and creating a rule to flag any communications in which the “reply” email address is different from the “from” email address. (See the notification for the full list of recommendations.)
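Two of these recommendations, the reply/from mismatch flag and the lookalike-address check, can be expressed as a small header check. This is an added example, not code from the FBI notification; the trusted-domain list, the edit-distance threshold of 2 and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"northwind.example", "contoso.example"}  # assumption: known partners

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def addr_of(header_value):
    """Bare lowercase address from a header; empty string if absent."""
    return parseaddr(header_value or "")[1].lower()

def check_message(raw):
    """Return flags for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_addr, reply_addr = addr_of(msg["From"]), addr_of(msg["Reply-To"])
    flags = []
    if reply_addr and reply_addr != from_addr:
        flags.append("reply-to-mismatch")
    # Check each distinct domain once against the trusted list.
    for dom in dict.fromkeys(a.rpartition("@")[2] for a in (from_addr, reply_addr)):
        if dom and dom not in TRUSTED_DOMAINS and any(
                0 < edit_distance(dom, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.append("lookalike:" + dom)
    return flags

# Constructed sample messages
MSG_CLEAN = "From: Pat Doe <pat@northwind.example>\nSubject: Q3 invoice\n\nbody\n"
MSG_HIJACK = ("From: Pat Doe <pat@northwind.example>\n"
              "Reply-To: pat@northwlnd.example\n"
              "Subject: Updated wire instructions\n\nbody\n")
MSG_BULK = ("From: news@mailer.example\nReply-To: support@mailer.example\n"
            "Subject: Newsletter\n\nbody\n")

if __name__ == "__main__":
    for raw in (MSG_CLEAN, MSG_HIJACK, MSG_BULK):
        print(check_message(raw))
```

The bulk-mail sample trips the mismatch flag on its own, which is why the flag works better as a signal to combine with the lookalike result than as a block rule.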

Morales said MFA and blocking email forwarding are among the most important preventative steps, and are fairly straightforward. Continuous monitoring of suspicious behaviors is also important, but much harder, he added. “Monitoring in an Office 365 environment requires parsing through massive amount of logs and data on user behaviors which must then be baselined and interpreted as authorized or unauthorized. It is a hard problem to solve using manual analysis and is a problem that is well addressed using machine learning techniques.”

"There are multiple ways organizations can protect themselves from these sorts of attacks, including stronger security controls, improved security awareness training, and more resilient business processes," said Matthew Gardiner, principal security strategist at Mimecast. "Perhaps a more interesting question is why so many organizations don’t appear to be making these well-known investments and changes."

Just last week, it was reported that a Russian dark web forum was found selling the stolen credentials of hundreds of C-suite executives from various global companies. Such a database represents a treasure trove of usernames and passwords that could potentially be used to initiate a highly convincing BEC scam designed to trick lower-level employees into thinking their bosses have asked them to conduct a money transfer. Adding an auto-forwarding component would make such a scam all the more difficult to detect and eradicate.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
