
Recently we had a security problem. One email account which is based on MS Exchange 365 was hacked and the hacker forwarded all emails per rule to a Gmail account.

I checked all relevant PCs and I didn't find any viruses. And I changed the passwords. But in this case changing the passwords didn't change anything because the rule which forwarded all the emails also worked after I changed the passwords. The forwarding only stopped once I discovered that such a rule was setup and then I deleted the rule.

How common is this hack? I never heard or read about it before. It is also still a mystery for me how the attacker accessed the email account. Probably he stole the password somewhere but I can't figure out how.

Edgar
  • I'm afraid that (as I'm sure you realize) no one is going to be able to tell you how the account was compromised. There are simply far too many vectors, and you're the only one who is going to be able to find out (although even that's not a guarantee). You already checked any "local" machines of the affected user for signs of unauthorized access, either physical or via malware. It's possible you missed something, but if this was caused by a leaked password then you'll probably never find any evidence anywhere, unless the password shows up on HIBP (which doesn't always happen). – Conor Mancone Jul 25 '19 at 13:31
  • How did you discover the hack initially? – Conor Mancone Jul 25 '19 at 13:35
  • @ConorMancone: 1 and 2 of your answer happened. I am still investigating. – Edgar Jul 27 '19 at 00:44
  • Ouch. #2 is potentially the most painful. Also called Mandate Fraud. Here's what it looks like from the other side (although it isn't pretty): https://money.stackexchange.com/questions/106081/victim-of-mandate-fraud You should also confirm that you have SPF/DKIM/DMARC properly configured for your domain. This makes spoofing your email addresses slightly harder for an attacker. – Conor Mancone Jul 27 '19 at 11:13

3 Answers

In my professional experience, this is not a common step from "hackers". However, I don't have any hard numbers to back that up, so I wouldn't take that statement as anything more than anecdotal evidence.

However, it's worth stating the obvious about why the hacker did this. What it really comes down to is that the attacker used this, effectively, as a hidden backdoor to continue to maintain access even after initial discovery. Indeed, this is what happened, as the attacker continued to get copies of all emails even after you reset the password on the email account. Working on the assumption that this attack scenario is less common, it suggests that this might be a more targeted attack, which is worth further scrutiny.

The fact that the hacker took this additional step means that they were interested not just in full access to the account, but that they were also interested in read-only access to incoming emails. There are three main uses I can think of for read-only access to a user's email:

1. Compromising further accounts

As long as they receive a copy of all emails, they can reset the password for any third-party accounts that the affected email address is registered with. After all, it usually just takes that "reset" link to reset a password, and if they trigger a password reset they'll get a copy of the link too. They will no longer be able to delete the reset email in the original inbox, which might cause suspicion, but that won't stop them from resetting account access anyway - it just might mean they get caught quicker.

If you found out about the hack because the attacker used their access to break into other accounts, then this forward rule may simply be an attempt to extend their access and allow further "damage" even after the initial discovery. This is probably the least-painful scenario (for you).

2. Intercept business transactions (aka Mandate Fraud)

One scam I have heard of is attackers intercepting legitimate business transactions by having access to internal information from the billing team, typically for larger transactions. To pick a random example, imagine you were a roofing company and the person who owns this email address is on the billing team. They email a customer a $15,245.36 invoice and instruct them to send a check to your office. The hacker sees the same email and follows up to the customer a couple hours later with a spoofed email from the same email address (but with a different reply-to) that says, "Oh wait, there was a mistake in my last email. Please send that $15,245.36 to this address using this other payment method". This can be a very effective scam. By spoofing the same email address and injecting themselves into the conversation with full knowledge of the details of the transaction, it can be very easy to convince the person on the other end to simply do as instructed without even raising any red-flags.

If the email address belonged to someone on your accounting team, I might be worried about this kind of situation - such attacks definitely do happen.

3. Good old-fashioned snooping

It could be that the person wanted to have access to otherwise privileged information. This might be the case if, for instance, the compromised account belonged to someone in upper management. One example would be a lower-level employee that had brief unsupervised access to the manager's computer. If the machine was left unlocked they could easily launch Outlook and set up a forwarding rule in (probably) 30 seconds with practice.

I mention an employee simply because they are probably someone more likely to be "generally" interested in someone's emails without necessarily having a specific goal. While such an attack can generally be very easy to perform in an office environment, it's also obviously a bit risky, so it isn't on the top of my list of possibilities.

Summary

All this to say: personally I think this is less common, so I would be concerned that the attacker had a specific goal in mind for this particular account. I could be overly paranoid though. What this means is that it is worth considering exactly what an attacker might have to gain by continuing to have read-only access to this particular user's account. If they are someone with access to sensitive information about your company, I would be more worried.

Conor Mancone

If the attacker was able to execute PowerShell in your environment he or she could have used the Set-Mailbox cmdlet to do this. It can set up forwarding for any user and leave a copy in the original mailbox so it’s quite transparent.

Your bigger concern is: someone is able to run PowerShell in your environment with the permissions of your Exchange admin and you have not found them yet.

Gaius
  • Possible. But setting up a rule in Outlook or OWA takes about a minute and is a lot easier than using PowerShell. And it can be done on a user-account without admin rights. – Edgar Jul 25 '19 at 11:23
  • True, if just the password for this user had leaked. But an attacker with an ordinary user's password will still attempt to escalate it to admin, because that's what attackers do. And it would not leave their IP address in the OWA access log. – Gaius Jul 25 '19 at 11:30
  • If the attacker had physical access, he could've used a [bash bunny](https://shop.hak5.org/products/bash-bunny) or something similar to execute this within a few seconds. Apart from that: PowerShell is a common tool leveraged by malicious actors (and penetration testers alike) - just because it is perceived as _hard_ should not rule out its usage by an attacker. – mhr Jul 25 '19 at 11:30
  • Also, a hacker lives all day every day in the command line. What is "a lot easier" for him or her, vs an average user, is very different. – Gaius Jul 25 '19 at 11:34
  • I think you're overly focused on PowerShell and the command line. There are many ways to set forwarding rules, and by focusing on just PowerShell, you can easily lead someone in the wrong direction and cause them to miss other potential points of entry. Finally, the idea that a "hacker" lives all day every day on the command line is an extremely broad characterization, and just not correct. – Conor Mancone Jul 25 '19 at 13:26

This is a very common attack vector! It is widely used in Business Email Compromise (BEC) attacks to execute financial fraud.

A BEC attack chain usually looks something like:

  • Phishing email to employees containing a link (often saying a new document has been shared with you)
  • Phishing site has a cloned Microsoft login page
  • They use the stolen password to log into your account and create a mail forwarding rule for mails with certain keywords, e.g. invoice/payment
  • They register a visually similar domain to yours, clone your email style and then start replying to suppliers or customers where invoices are being exchanged saying there are new banking details

Here is a story where a mail rule was used: https://pushsecurity.com/s?c=ss-bec-attack-nearly-cost-us-millions

Here is a more detailed writeup of general BEC attacks if interested: https://pushsecurity.com/s?c=ss-how-hackers-use-mail-rules

(full disclosure: these write-ups are from my company's site)

Tyrone
  • I'm afraid that you are going to have to explain how common the email forwarding factor of BEC is. It looks like you are mixing BEC in general with this specific tactic. A second email account provides another route of investigation, and hence, exposure, and so I'm not sure how common it is. Do you have anything on how *common* email forwarding is in BEC? – schroeder Jun 22 '21 at 15:10
  • Email forwarding is a crucial part of the attack. They get access to the email chains about payments using the rule. – Tyrone Jun 22 '21 at 15:31
  • Another data point is this FBI notice claiming $1.7B in losses: https://www.ic3.gov/Media/News/2020/201204.pdf They describe the same process using rules – Tyrone Jun 22 '21 at 15:32
  • It's not crucial at all. Once you have the credentials, you simply use them. Forwarding is for persistence. The FBI link describes losses due to BEC *in general*, not using this specific tactic. You are co-mixing the concepts. The FBI report is that the forwarding *is new* as a result of weaknesses due to WFH during the pandemic. – schroeder Jun 22 '21 at 15:49
  • The better answer is to link to the FBI report (not your company page). There ***is*** a change, but you are misrepresenting it. It's a specific threat *now* based on a change in how workers access their email. It wasn't common before because it was so easy to detect a compromise. – schroeder Jun 22 '21 at 15:50
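A defender's audit for the persistence mechanism the answers above describe (the Outlook/OWA forwarding rule in Conor Mancone's answer, the Set-Mailbox forwarding in Gaius's answer, and the keyword-filtered rules in Tyrone's BEC chain), as an added example that is not part of any answer on this page. It assumes the ExchangeOnlineManagement module, a placeholder internal domain `example.com` and a helper name `Test-ExternalRecipient` of my own choosing.

```powershell
# Added example, not from any answer on this page: audit an Exchange Online tenant for the
# two forwarding mechanisms discussed above (mailbox forwarding set via Set-Mailbox, and
# user-created inbox rules) and flag anything that sends mail outside the organisation.
# Needs the ExchangeOnlineManagement module and a role that can read mailboxes and rules.
# $InternalDomains is an assumed placeholder; replace it with your tenant's accepted domains.
param([string[]]$InternalDomains = @('example.com'))

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule recipients stringify as "Display Name [SMTP:user@domain]"; pull out the address.
    if ($Recipient -match '([\w.+-]+@[\w.-]+)') {
        $domain = $Matches[1].Split('@')[1].ToLower()
        return -not ($InternalDomains -contains $domain)
    }
    return $false   # no SMTP address found (e.g. an internal X500 recipient): not flagged
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding. With DeliverToMailboxAndForward a copy stays in the
    #    original mailbox, which is why the owner may never notice anything missing.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $target = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Kind = 'MailboxForwarding'; Rule = '-'
            Target = $target; External = Test-ExternalRecipient $target
            KeepsCopy = $mbx.DeliverToMailboxAndForward; Keywords = '-'; Deletes = $false
        }
    }
    # 2. Inbox rules (Outlook/OWA) with a forward, forward-as-attachment or redirect action.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ } | ForEach-Object { [string]$_ }
        if (-not $targets) { continue }
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Kind = 'InboxRule'; Rule = $rule.Name
            Target = ($targets -join ', ')
            External = [bool]($targets | Where-Object { Test-ExternalRecipient $_ })
            KeepsCopy = $null   # depends on the rule's other actions; inspect it directly
            # keyword conditions such as "invoice"/"payment" are the BEC pattern described above
            Keywords = (@($rule.SubjectContainsWords) + @($rule.SubjectOrBodyContainsWords) |
                        Where-Object { $_ }) -join ', '
            Deletes = [bool]$rule.DeleteMessage
        }
    }
}
$findings | Sort-Object @{Expression = 'External'; Descending = $true}, Mailbox | Format-Table -AutoSize
```

Tenant-wide transport rules (`Get-TransportRule`, actions `RedirectMessageTo` and `BlindCopyTo`) are a third place forwarding can hide and are not covered by this script. To learn who created a flagged rule and from where, search the unified audit log for the `New-InboxRule`, `Set-InboxRule`, `UpdateInboxRules` and `Set-Mailbox` operations with `Search-UnifiedAuditLog`.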