Beware rogue email rules and forms

Creating malicious rules and forms in a compromised email client is an old but effective hacker trick that evades traditional antimalware software. Here’s how to make sure you can detect it.


Most rich email clients (Outlook, Apple Mail, Office 365, Gmail or Mozilla Thunderbird) allow users and developers to automate tasks based on incoming or outgoing emails. Some clients allow far more sophisticated actions than others, but almost all of them can automatically forward an email, or block or delete future incoming emails, based on something in the targeted email. The most functional clients allow any action or code to be run that the computer is programmatically capable of.

For example, in Microsoft Outlook, I can have an incoming email from a particular email address, or one containing a particular keyword, kick off another program or script (see below):

[Screenshot: Microsoft Outlook Rules Wizard (Roger Grimes)]

Outlook on Microsoft Windows is a target-rich environment for hackers, but they can do the same thing to Apple OS X and Linux computers depending on the email client.

For over a decade, hackers have routinely broken into people’s computers (or email clients) and set up malicious rules. These rules forward incoming email to the hacker, block certain types of emails (such as legitimate warnings and confirmations), replace legitimate information on-the-fly, and other dastardly actions. They can create a rule that says to format the device’s hard drive to cover up their tracks if needed in an emergency. In most cases the user doesn’t even have to open up the email; it only needs to arrive in the user’s inbox to activate the rule.

What is extra sneaky about these types of attacks is that almost no one looks for them and they travel with the client. The information is often stored in the cloud or on the involved email server. This means a victim, even if they know they are compromised, cannot get rid of the attackers even if they format their hard drive, change devices or update their password. It follows the email client, and if the user or IT person doesn’t check there, it often lives on through all sorts of updates that would otherwise get rid of normal malware.

None of the event log alerting systems I’ve seen alerts on new email rules. They could. The events are often logged, but the alerting systems don’t check for them and can’t tell the difference between a legitimate rule and a malicious rule. Antimalware scanners don’t check for them, and if they did, I’m not sure how accurate their conclusions could be as an email rule can be almost any action.

One of the symptoms I’ve heard of is the victim complaining about how they are still hacked after days of trying to get clean. They think they’ve done everything to make sure the hacker can’t get back in, such as changing their password and getting a new machine. The hacker still gets back in. If you find yourself saying this one day, check for rogue rules.

Real-world email rule attacks

A cybersecurity analyst friend, Rob Tompkins, came across an interesting phishing scam that used this sneaky hacker trick. The hacker had previously obtained a user’s Outlook email address and password, probably from a standard phishing email. They then used that information to create a new rule in the user’s Outlook Web Access portal.

Using the user’s own email account, they emailed the accounts payable (AP) department to notify them of (bogus) changes to details for accounts that the AP department regularly paid bills for. They asked the AP department to change the payee and banking information so any newly submitted invoices would be paid to a different bank and bank account.

The hackers then created a rogue rule that blocked or forwarded any replies from AP to the hacked user. That way, if AP sent any confirmation emails, the employee would be unaware. Rob even noticed, during his incident response, that the hacker’s first connection attempt to the user’s email portal came from Ghana, but the company blocked overseas IPs from logging on to their systems, so the earliest attempts failed. The attackers then used a U.S. server to connect and get around the IP blocks.

The whole scheme was caught because the fake invoices arrived with “the design and spelling of a 6-year-old,” according to Rob. He was genuinely puzzled about why they would put that much sophistication into their attack and then not use someone with better English skills to craft the most important part. It made him look even deeper to make sure this one attack wasn’t a precursor of something even more sophisticated. In the end, it was just another rogue email rule of the kind hackers and scammers have used for decades. Rob has been stopping them for a long time.

One of the most interesting attacks I was involved with many years ago was where a real estate escrow agency had all their computers compromised. An installed rogue email rule flipped any future real estate escrow payment instructions to wire money to another person’s bank account. The people buying real estate would get an email from their escrow agent, on the day they were told to expect the wiring instructions, in the amount they were told to expect, with everything in the email looking exactly as a legitimate email would look (including the “Be aware of fake escrow emails” warning message) with the lone exception of the bank account information.

The rule even deleted the copies of the rogue email in the sender’s Sent folder and deleted any incoming emails from buyers who might question the instructions. Although the escrow agency discovered what was going on quickly, after the first few cancelled legitimate sales, they were not able to stop the scam for over a week. The hacker was also able to send a single legitimate-looking email that always let them back into the system through a previously set up backdoor.

They (and their hired forensic examiners) did not look into the email rules and couldn’t figure out how the hackers were getting back in so quickly after each previous “clean-up”. Their business was severely impacted for weeks. Even now, a few years later, the company is still reeling from the disaster. They now require that all customers call them to verify the wiring instructions in their entirety and get immediate confirmation of the successful transfers.

Beware rogue forms, too

Complicating matters, it’s not only email rules that can be abused. Any part of the email client that allows actions or scripting to be inserted is a culprit. In very complex email clients like Outlook, even its forms can be programmatically altered. Forms are templates that define how some sort of interaction is handled and displayed. Everything you see in an Outlook inbox is the result of a form and its formatting. The standard email form is known as the message form, and there are other forms for calendar appointments, tasks, etc.

The cybersecurity company SensePost has a demonstration hacking tool called Ruler that allows anyone with someone’s Outlook credentials to remotely install an Outlook form, rogue or otherwise. They have a couple of great YouTube demos of the tool, although this one is by far my favorite. It’s a silent video, but it shows Ruler being used to install and execute the very common hacker tool Empire.

Empire is a powerful, PowerShell-based post-exploitation hacking tool used by bad and good hackers alike. It has almost 300 post-exploitation modules. In the demo, Ruler is used to remotely install a new Outlook form into a user’s mailbox and then to remotely trigger that malicious form, which installs and activates Empire. It’s a short video, but it shows you the power of malicious forms and how the whole thing can be done remotely. Here’s a screenshot from that demo.

[Screenshot: Demo of Ruler installing a malicious Outlook form (Roger Grimes)]

The Empire tool, even without Ruler, comes with modules to install rogue rules in OS X (see example screenshot below of the Empire module and description).

[Screenshot: Empire module that installs rogue email rules in OS X (Roger Grimes)]

When I’ve presented this subject, some people have objected to me sharing these tools for fear I’m creating more hackers. My columns and presentations are so the good guys know what the bad guys are doing. The bad guys already know of these tools and don’t have to read my columns or attend my presentations to learn about them.

Defending against rogue email and form rules

The first defense is always awareness and education. You can’t fight, or fight well, what people don’t know about. When my system is acting goofy, I check my email client and make sure I don’t have unexpected rules, forms, filters or add-ins. Event monitoring teams should find out which events are generated when a new email client addition is created, and someone should always confirm that the new additions were wanted and aren’t malicious.

A handful of scripts will help you detect all rules and forms for some clients. Microsoft created one for Office 365, and SensePost created NotRuler to do the same.

It’s not as efficient as anyone would like, because these scripts simply tell you which custom rules and forms are installed, not which ones are malicious. Still, it’s all we have. So, add inventorying email rules, forms, filters, add-ins, etc. to your computer security checklists. Also, find out from your anti-malware vendor what they do, or can do, to help detect rogue email functionality. Anything they can do to make your job in this area a little easier is welcome.
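As an added example of the inventory step described above (this is not Microsoft’s script or SensePost’s NotRuler), the following Exchange Online PowerShell script lists every mailbox’s inbox rules, flags the patterns this column describes (forwarding outside the organization, deleting or hiding mail, unnamed rules), and then pulls the recent rule-creation events from the unified audit log so you can see who created them and from where. It assumes the ExchangeOnlineManagement module is installed and that you run it as an account allowed to read mailbox rules and audit logs; the domain name and look-back window are parameters you supply.

```powershell
# Added example, not code from the column. Assumes the ExchangeOnlineManagement
# module and an account with rights to read inbox rules and the unified audit log.
# Usage: .\Find-SuspiciousInboxRules.ps1 -InternalDomain 'example.com' -AuditDays 7
param(
    [Parameter(Mandatory)][string]$InternalDomain,   # your own mail domain
    [int]$AuditDays = 7                              # look-back for rule-change events
)

Connect-ExchangeOnline -ShowBanner:$false

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress) {
    # Mailbox-level forwarding is a sibling of inbox rules and just as easy to overlook
    if ($mbx.ForwardingSmtpAddress -and $mbx.ForwardingSmtpAddress -notlike "*@$InternalDomain") {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = '(mailbox forwarding)'
                           Reason  = "forwards to $($mbx.ForwardingSmtpAddress)" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $reasons = @()
        # Recipient fields come back as strings such as 'Name [SMTP:user@domain]'
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if ($targets | Where-Object { $_ -and $_ -notlike "*@$InternalDomain*" }) {
            $reasons += 'forwards or redirects outside the organization'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -match 'RSS|Junk|Deleted|Archive') {
            $reasons += "hides mail in $($rule.MoveToFolder)"   # classic way to bury AP confirmations
        }
        if ($rule.Name -match '^\s*\.?\s*$') { $reasons += 'empty or dot-only rule name' }
        if ($reasons) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                               Reason  = ($reasons -join '; ') }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Who created or changed rules recently, and from which client IP? These are the
# events the column says are logged but rarely alerted on.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$AuditDays) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, ClientIP |
    Format-Table -AutoSize
```

Every row the first table prints still needs a human to decide whether the rule was wanted; the audit table tells you whether the person who owns the mailbox, connecting from a familiar address, was the one who created it.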

Go fight the good fight!

Copyright © 2019 IDG Communications, Inc.
