Simplifying SaaS security


Got phished? How attackers gain permanent access to your organization’s data with email auto-forward rules

In a modern cloud-based business, messaging is critical. Your staff often want to be able to use any device from any location to send and receive email; and if it’s not an option, they will create auto-forwarding of work emails to get around the rules to their personal accounts which offer this flexibility. That may not sound terrible at all if you can trust your staff to do the right things?

The real issue with automatic email forwarding

The real issue lies in email phishing and credential theft. While organizations do their best to help prevent employees from being phished, everyday thousands of people click on a phishing email which leads to their credentials being stolen. This is when email auto-forward rules become highly relevant as a weapon for the attackers to learn about the compromised users and their organizations. The attackers use auto-forward rules as a next step to secure a foothold inside the users’ accounts even after they can no longer access them when the passwords have been changed and multi-factor authentication enabled. The attackers can quietly learn from emails which are auto-forwarded to their inboxes, to create more phishing emails and steal valuable data, e.g. Board minutes, trade secrets, financial information disclosed in the emails. 

In fact, it is widely known that an auto-forward rule to an external domain is a common indicator of a business email compromise by external hackers. Log in, create a forward rule and then monitor from afar before attempting an invoice or account fraud is a very successful technique. According to AIG, business email compromise is the number one driver of cyber insurance claims in 2018.

If it is an established threat vector, why do Office 365 Exchange and G-Suite allow users to create auto-forward rules? 

It is quite a common practice to auto-forward emails of former employees to a manager. Administrators of Office 365 and G Suite can do this easily. Other business use cases for auto-forward rules that have come to our attention are those that were created to route emails from cloud to on-premise accounts and auto-forward rules between internal accounts for ease of keeping people on the same page. 

On balance, at Detexian we are of the opinion that admin-created auto-forward rules to manage former employees’ inboxes have a legitimate business use case. These inboxes can also be configured so that they can’t be logged into or send emails on to external domains. Other than that, we advise organizations to get visibility of all user-created auto-forward rules to both external and internal domains, review and remove if unnecessary. We also strongly advise organizations to conduct training so that employees can become more aware of the security risks inherent in auto-forward rules and the benefits of enforcing MFA. 

How can Detexian help?

As part of our core capabilities, Detexian provides organizations with the ability to detect user-created email auto-forward rules in Office 365 and G Suite, to internal and external domains and then continuously monitor for the creation of new rules. 

But Office 365 already alerts on user-created auto-forward rules by default. How is Detexian adding value? Office 365 administrators can get alert fatigue when they manage a large user base with many system alerts coming their way. Detexian centralizes all detected auto-forward rules to a single place where customers can go check and provide historical evidence of what’s been logged and what’s changed. 

G Suite currently does not alert on user-created email auto-forward rules but G Suite admins can disable this option for all users. If this is not an option you’d like to pursue, use Detexian to keep track of these rules and monitor for changes.

Minimize effort required to monitor email auto-forward rules and reduce exposure to Business Email Compromise. Inquire now for a free 28 day trial.

Secure what you can't see in the cloud
710 Collins Street
Melbourne VIC 3008
9848 Mercy Rd #2
San Diego 92129

Get the latest information about SaaS security misconfigurations

Copyright Detexian 2020 All Rights ReservedTerms & ConditionsPrivacy Policy