Cyber-criminals are increasingly relying on email forwarding rules to disguise their presence inside hacked email accounts.

According to an FBI PIN alert, the technique has been seen and abused in recent BEC attacks. The hackers’ technique relies on a feature found in some email services called “auto-forwarding email rules.”

The feature allows the owner of an email address to set up “rules” that forward an incoming email to another address if certain criteria are met.

Threat actors absolutely love email auto-forwarding rules because the rules let them receive copies of all incoming emails without having to log into an account each day and risk triggering a security warning for a suspicious login.

BEC ATTACKS ON THE RISE

Email auto-forwarding rules have been abused since the dawn of email clients, by both nation-state hacking groups and regular cybercrime operators.

The FBI says this technique is now often abused by gangs engaging in BEC scams, a form of cybercrime where hackers breach email accounts and then send emails from the hacked account in an attempt to convince other employees or business partners to authorize payments to the wrong accounts, controlled by the intruders.

RECOMMENDATION

The technique is still claiming victims in corporate environments because some companies don’t forcibly sync email settings for the web-based accounts with desktop clients.

This, in turn, limits “the rules’ visibility to cyber security administrators” and to the company’s security software, which may be configured for and capable of detecting forwarding rules, but may remain blind to new rules until a sync occurs.

The FBI PIN contains a series of basic mitigations and solutions for system administrators to address this particular attack vector and prevent future abuse.
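One way an administrator could audit server-side mailbox rules for forwarding to outside addresses, shown here as an added example that is not taken from the FBI PIN or from this article. The record fields (`mailbox`, `name`, `forward_to`, `redirect_to`), the sample rules and the domains are constructed assumptions, not a real mail service's export format.

```python
import re

# Constructed sample: an export of server-side mailbox rules. The field names
# are hypothetical and do not correspond to any real mail service's schema.
RULES = [
    {"mailbox": "ap@corp.example", "name": "Archive invoices",
     "forward_to": ["Finance Archive <archive@corp.example>"], "redirect_to": []},
    {"mailbox": "cfo@corp.example", "name": "fwd",
     "forward_to": ["collector@mail.test"], "redirect_to": []},
    {"mailbox": "hr@corp.example", "name": "sync",
     "forward_to": [], "redirect_to": ["hr@corp.example.mail.test"]},
    {"mailbox": "it@corp.example", "name": "Tickets",
     "forward_to": ["helpdesk@EU.Corp.Example"], "redirect_to": []},
]

INTERNAL_DOMAINS = {"corp.example"}  # assumption: domains the organization owns

# Matches a trailing 'user@domain', optionally wrapped in angle brackets.
ADDR_RE = re.compile(r"<?([^<>\s@]+@[^<>\s@]+)>?\s*$")

def domain_of(recipient):
    """Return the lower-cased domain of 'Name <user@dom>' or 'user@dom', else None."""
    m = ADDR_RE.search(recipient.strip())
    return m.group(1).rsplit("@", 1)[1].lower().rstrip(".") if m else None

def is_internal(domain, internal=INTERNAL_DOMAINS):
    """Exact match or true subdomain only; 'corp.example.mail.test' is external."""
    return domain is not None and any(
        domain == d or domain.endswith("." + d) for d in internal)

def external_forwarders(rules, internal=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, recipient) for every rule target outside the org.

    Recipients that cannot be parsed are reported too, so they get a manual look.
    """
    findings = []
    for rule in rules:
        for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
            if not is_internal(domain_of(target), internal):
                findings.append((rule["mailbox"], rule["name"], target))
    return findings

if __name__ == "__main__":
    for mailbox, name, target in external_forwarders(RULES):
        print(f"{mailbox}: rule {name!r} sends mail to external address {target}")
```

Running the audit against the server-side rule set, rather than against what a desktop client has synced, is what closes the visibility gap described above.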