Microsoft Outlook is arguably the most popular and feature-rich email client out there, and cybercriminals have long abused it by exploiting vulnerabilities. Gmail, Mozilla Thunderbird, eM Client, Mailbird Pro and other email clients have also been targeted by the bad guys, but to a far lesser extent.
Outlook, like other popular email clients, offers a way to manage emails automatically: rules. In Gmail, they are known as filters and have less functionality, but Gmail also has templates and add-ons that can be every bit as feature-rich as Outlook rules.
Mozilla Thunderbird has add-ons, extensions, and templates. Apple Mail has rules that can be tied to AppleScripts. In general, if there’s a popular email client, there’s a way to add automated personalized email handling, and hackers are willing to abuse it.
Depending on the email client and server, these automation features can be enabled locally, follow the email client, or be applied on the server or in the cloud. Where the automation is enabled is important, especially when trying to look for that automation, and when determining which steps to take to prevent, detect, and eradicate malicious actions.
Attackers have always been adept at using legitimate automation tools and features against us. The programming rule “Why do something manually when you can automate it?” apparently applies to cybercriminals as well.
When cybercriminals automate, their efforts become more successful and cheaper, and the attacker is far less likely to be caught. For decades, phishers and other attackers have used email automation functionality, such as rules, scripts, add-ons, templates, and configuration settings, against their victims.
Are you wondering how the hacker is doing it?
The following are some of the ways rules can be used against you:
- Auto Forward
It’s very common for hackers to set up an auto-forward rule so that every email you receive is forwarded to them automatically. Now, that may seem odd until you start thinking about account recovery and related scenarios. It’s one of the ways that hackers use your email account to hack into your other accounts, including online services like your bank.
- Reply to Address
Hackers can change the Reply-To address so that people replying to your email reply to the hackers instead. Sometimes, it’s obvious that the reply address is completely different. Other times, there will be very subtle changes, like a single-letter difference in the email address that the person replying to you doesn’t notice. Worse, a hacker might use your name as the ‘display name’ to hide a completely different email address.
- Hide Rules
There are even ways to “hide” rules to make it harder for you to detect a breach. Many email items, like rules, “travel” with the email client as they are server based, meaning that even if you change your passwords or get a new device, any malicious modifications may still be there.
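A recipient-side check for the Reply-To tricks described above, as an added example that is not part of the original article: it compares a message's Reply-To header with its From header and flags a near-identical address, a different domain, and a reused display name. The function names, the edit-distance threshold of 2 and the sample messages (example.com and example.net addresses) are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_reply_to(raw_message, max_typo_distance=2):
    """Return a list of flags describing how Reply-To deviates from From."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    if not reply_addr or reply_addr == from_addr:
        return []  # replies go back to the sender: nothing to flag
    flags = []
    if edit_distance(from_addr, reply_addr) <= max_typo_distance:
        flags.append("lookalike-address")      # e.g. a single-letter change
    elif from_addr.rpartition("@")[2] != reply_addr.rpartition("@")[2]:
        flags.append("different-domain")
    else:
        flags.append("different-mailbox")
    if reply_name and reply_name.strip().lower() == from_name.strip().lower():
        flags.append("display-name-reused")    # sender's name on another address
    return flags

def make_message(from_hdr, reply_to_hdr=None):
    """Build a constructed sample message (not real mail)."""
    headers = ["From: " + from_hdr, "Subject: Invoice query"]
    if reply_to_hdr:
        headers.append("Reply-To: " + reply_to_hdr)
    return "\n".join(headers) + "\n\nPlease see attached.\n"

SENDER = '"Alice Smith" <alice.smith@example.com>'
LOOKALIKE = make_message(SENDER, '"Alice Smith" <alice.smlth@example.com>')
OTHER_DOMAIN = make_message(SENDER, '"Alice Smith" <billing@example.net>')
CLEAN = make_message(SENDER)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("other domain", OTHER_DOMAIN), ("clean", CLEAN)]:
        print(label, check_reply_to(raw))
```

A differing Reply-To is also common in legitimate mail such as newsletters and ticketing systems, so the flags are review prompts rather than verdicts.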
Over the years I’ve received calls from people who believe they’ve been exploited by a hacker who has taken over their email account. They go through the normal process of changing their passwords, scanning systems, and even getting a new device to stop the attacker, but the attacker continues to abuse their email system.
The cause can be something other than rules (e.g. templates, add-ons, etc.). The problem with the malicious misuse of email automation is that most email users are not email administrators, and are therefore unaware of the problem or how to safeguard themselves.
Malicious email automation is rarely detected by anti-malware software and vulnerability scanners. When was the last time your anti-malware program or vulnerability scanner warned you about a potentially malicious email rule, add-in, or template?
If you are concerned about cybersecurity or your email setup, or want to know how to defend against potential future rule-based attacks, call us for a no-obligation discussion on 1300 551 486.