T1114.003 Email Forwarding Rule
Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations.[1] Furthermore, email forwarding rules can allow adversaries to maintain persistent access to a victim's emails even after compromised credentials are reset by administrators.[2]

Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or a command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.[3][4]

Any user or administrator within the organization (or an adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by using the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA, or most Exchange administration tools.[2]
Item | Value |
---|---|
ID | T1114.003 |
Sub-techniques | T1114.001, T1114.002, T1114.003 |
Tactics | TA0009 |
Platforms | Google Workspace, Linux, Office 365, Windows, macOS |
Permissions required | User |
Version | 1.2 |
Created | 19 February 2020 |
Last Modified | 15 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0094 | Kimsuky | Kimsuky has set auto-forward rules on victims' e-mail accounts.[7] |
G0122 | Silent Librarian | Silent Librarian has set up auto-forwarding rules on compromised e-mail accounts.[6] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis. |
M1042 | Disable or Remove Feature or Program | Consider disabling external email forwarding.[5] |
M1041 | Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
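The M1047 audit mitigation and the DS0015 detection data source above both come down to reviewing application log content for rule changes that forward mail. The script below is an added example for this page, not MITRE's or Microsoft's code: it takes Exchange/Office 365 audit-log records in the Unified Audit Log layout (Operation, UserId, ObjectId, and a Parameters list of Name/Value pairs), flags every forwarding destination set by New-InboxRule, Set-InboxRule or Set-Mailbox, marks destinations outside the organization's domains, and raises the severity when the same rule also deletes or moves the original message. The sample records and the ORG_DOMAINS value are constructed for the example.

```python
"""Flag mail-forwarding rules in Exchange / Office 365 audit-log records.

Added example for this page, not MITRE's or Microsoft's code. The record
layout follows the Unified Audit Log (Operation, UserId, ObjectId,
Parameters as Name/Value pairs); the records themselves are constructed,
and ORG_DOMAINS is an assumed value for the example organisation.
"""
import json
import re

# Domains the organisation owns; any other destination is external (assumption).
ORG_DOMAINS = {"example.com"}

# Audit operations that create or change an inbox rule or mailbox-level forwarding.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Rule / mailbox parameters whose value is a forwarding destination.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Parameters that also remove the original from the inbox, which keeps the
# mailbox owner from noticing that mail is being forwarded.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder"}

# Pulls addresses out of values such as "smtp:x@y" or 'name [SMTP:x@y]'.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"CreationTime": "2021-10-15T08:12:03", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ObjectId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector [SMTP:collector@mail.example.net]"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2021-10-15T09:40:11", "Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "bob@example.com", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.personal@example.org"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2021-10-15T10:02:45", "Operation": "New-InboxRule", "UserId": "carol@example.com", "ObjectId": "carol@example.com", "Parameters": [{"Name": "Name", "Value": "Share with Dave"}, {"Name": "ForwardTo", "Value": "smtp:dave@example.com"}]}
{"CreationTime": "2021-10-15T10:30:00", "Operation": "New-InboxRule", "UserId": "erin@example.com", "ObjectId": "erin@example.com", "Parameters": [{"Name": "Name", "Value": "Archive newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"CreationTime": "2021-10-15T11:15:22", "Operation": "MailItemsAccessed", "UserId": "frank@example.com", "ObjectId": "frank@example.com"}
"""


def load_records(jsonl_text):
    """Parse one JSON audit record per non-empty line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def params_to_dict(record):
    """Flatten the Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when the address domain is neither an org domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def find_forwarding(records):
    """Return one finding per forwarding destination set by a rule or mailbox change."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = params_to_dict(rec)
        # A rule that forwards AND deletes/moves the original is the pattern to prioritise.
        hides_original = any(params.get(p) not in (None, "", "False") for p in HIDE_PARAMS)
        for name, value in params.items():
            if name not in FORWARD_PARAMS:
                continue
            for address in ADDRESS_RE.findall(str(value)):
                findings.append({
                    "time": rec.get("CreationTime"),
                    "actor": rec.get("UserId"),
                    "mailbox": rec.get("ObjectId"),
                    "operation": rec["Operation"],
                    "parameter": name,
                    "destination": address.lower(),
                    "external": is_external(address),
                    "hides_original": hides_original,
                })
    return findings


def severity(finding):
    """Rank: external + hidden original > external > internal forwarding."""
    if finding["external"] and finding["hides_original"]:
        return "high"
    if finding["external"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for f in find_forwarding(load_records(SAMPLE_LOG)):
        note = " (original deleted/moved)" if f["hides_original"] else ""
        print(f"[{severity(f)}] {f['time']} {f['actor']} {f['operation']} on {f['mailbox']}: "
              f"{f['parameter']} -> {f['destination']}{note}")
```

Internal destinations are still reported at low severity because the text above notes there is no restriction on where a rule may forward; an administrator reviewing the output can decide which internal forwards are legitimate. Rules hidden by modifying their MAPI properties, as described above, are not guaranteed to surface as New-InboxRule events, so this log review is a first pass rather than a complete inventory of the mailbox's rules.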
References
- [1] US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
- [2] Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.
- [3] McMichael, T. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.
- [4] Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021.
- [5] Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.
- [6] DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.
- [7] CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.