FBI Names Forwarding Rules a Business Email Compromise Culprit

Yet another work-from-home cybersecurity risk: Even with good email security diligence, cyberattackers can exploit email forwarding rules to scam businesses of all sizes out of millions of dollars, due in part to delays in synchronization between desktop and web email clients. Among the key recommendations for mitigating that risk is that email security administrators limit users’ ability to create email forwarding rules that send outside the main business domain. 

Based on its investigation of a series of 2020 business email compromise (BEC) attacks, the FBI announced on Nov. 25 that businesses should beware of tactics that use forwarding rules to monitor and manipulate victims’ email accounts, providing an in for criminals to intercept payment requests. The attacks were likely catalyzed by more employees using web-based email applications while working from home due to COVID-19. Web-based email client settings often don’t automatically sync with the desktop client, helping conceal the criminal activity and leaving businesses vulnerable to costly BEC campaigns — further contributing to already growing BEC attack trends.

Although the FBI didn’t say so, the announcement likely emerged from an investigation the Bureau took over from Israeli cybersecurity firm Mitiga. The firm discovered a global business email compromise campaign that diverted at least $15 million and apparently targeted 150 or more different companies. Forwarding and filtering rules that were used to help attackers spy on victims’ email communications went undetected, allowing them to hijack and spoof legitimate payment-related emails for financial gain, according to Mitiga.[1]

The Multibillion-Dollar Price of Business Email Compromise

BEC is a growing attack trend that usually aims to scam organizations by tricking employees into wiring money to fraudulent bank accounts. According to the 2019 FBI Internet Crime Report, BEC resulted in $1.7 billion in losses that year, with victims reporting an average loss of nearly $75,000.[2] Tactics like social engineering and domain spoofing are regularly employed to help boost an attack’s chances of success, but as noted by the FBI and Mitiga, other techniques like covert use of forwarding rules are also appearing.

Forwarding Rules’ Role Shown in Two August 2020 BEC Attacks

For example, the FBI said that a BEC attack in August 2020 scammed $175,000 from a US-based medical equipment company. In that attack, cybercriminals created forwarding rules in an email web client that did not sync to the desktop application. The forwarding rules went unnoticed, and the attackers were able to fly under the radar, conducting reconnaissance that ultimately helped them impersonate a legitimate international vendor, set up a spoofed domain and intercept a payment. The attacker also used a UK-based IP address to help seal the deal.

In another attack from August 2020, the same cybercriminal created three forwarding rules within the web-based email client used by a manufacturing company, according to the FBI. One rule forwarded all emails with the terms “bank,” “invoice,” “payment,” “check,” or “wire” to the criminals’ external email address. The other two forwarding rules sent emails from a specific domain to the same criminal email address.

The FBI noted that even if IT personnel enable auto-alerts any time an email rule is added to or updated within the network, forwarding rules may go unnoticed if web and desktop email clients aren’t actively synced. In other words, alerts might miss updates on remote workstations using web-based email applications — leaving the employee and all connected networks vulnerable. What’s more, system audits may not always identify updated email rules unless both the desktop and web client are audited. Two audits take longer, increasing the amount of time cybercriminals can maintain access to the compromised account.

AI-Based Email Monitoring Defenses Are Most Potent Defense

In its notification, the FBI offered a series of tips to help mitigate potential vulnerabilities from forwarding-rule BEC tactics. But the most potent defense against such subtle attacks is probably artificial intelligence, noted Elaine Lee, Staff Data Scientist at Mimecast. “AI-based defenses can establish each employee’s usual patterns of communication, and then use that as a benchmark against which to identify anomalies and automatically generate alerts on a threat,” said Lee.

“Just a single email can be broken down into hundreds of features, from basic information like sender and recipient to textual features like the number of verbs in the body text,” Lee explained. “Traditional rule-based cybersecurity defenses typically rely on a limited number of features and keyword identification, which decrease their accuracy. Correctly applied, artificial intelligence models are able to assess an incoming email based on far more factors and classify it almost instantaneously.” Further, AI-based email defenses continually learn and can automatically adapt as attacks evolve.

Until your organization is ready for AI, though, top recommendations from the FBI and Mimecast security experts are to:

• Restrict the ability to create forwarding rules that forward email to external addresses.
• Make sure both web and desktop applications are up to date and synced.
• Always doublecheck email addresses for small changes that might be otherwise hard to detect, such as character substitutions, different top-level domains or typos.
• Be cautious of any sudden or last-minute changes to otherwise established email addresses, e.g. sending a payment to a different account than usual.
• Enforce regular password updates to reduce the likelihood stolen credentials remain useful.
• Enforce two-factor or multifactor authentication (2FA, MFA) for all email accounts.
• Enable alerts for suspicious activity, such as logins or remote access from new locations and/or devices.
• Avoid using legacy email protocols like IMAP, POP, and SMPT1 — they can be used to successfully circumvent MFA.
• Regularly monitor email server logs for abnormal email access and modifications like new custom forwarding or filtering rules for certain accounts.
• Log and retain any changes to mailbox settings and login info for at least 90 days.
• Flag all emails where the “reply to” address differs from the “from” address.
• Add external email warning headers to all inbound messages originating from outside your organization.
• Use security features that block malicious email and incorporate anti-phishing and anti-spoofing policies.
• Establish procedures that encourage employees to verify payment requests, whether routine or suspicious.

The Bottom Line

As part of the growing trend of business email compromise campaigns, bad actors are using email forwarding rules to conceal their activities after gaining access to victims’ email accounts. When updated on a web-based email client, forwarding rules often do not sync with the desktop client, reducing visibility into any discrepancies and making it easier for cybercriminals to carry out scams. Still, similar attacks can be minimized with the proper proactive processes and good cyber hygiene.

[1] “Mitiga is Cooperating with Law Enforcement on a Global Business Email Compromise (BEC) Campaign that Has Netted Over $15M.,” Medium

[2] “2019 Internet Crime Report Released,” FBI.gov