Beware rogue email rules and forms

Creating malicious rules and forms in a compromised email client is an old but effective hacker trick that evades traditional antimalware software. Here’s how to make sure you can detect it.

Most rich email clients (Outlook, Apple Mail, Office 365, Gmail or Mozilla Thunderbird) allow users and developers to automate tasks based on incoming or outgoing emails. Some clients permit far more sophisticated actions than others, although almost all of them allow automatic forwarding, or blocking or deleting of future incoming emails, based on something in the targeted email. The most capable clients allow any action or code the computer can be programmed to perform.

For example, in Microsoft Outlook, I can create a rule that, whenever an email arrives from a particular email address or contains a particular keyword, kicks off another program or script (see below):

[Screenshot: Microsoft Outlook Rules Wizard. Image credit: Roger Grimes]

Outlook on Microsoft Windows is a target-rich environment for hackers, but they can do the same thing to Apple OS X and Linux computers depending on the email client.

For over a decade, hackers have routinely broken into people’s computers (or email clients) and set up malicious rules. These rules forward incoming email to the hacker, block certain types of emails (such as legitimate warnings and confirmations), replace legitimate information on the fly, and perform other dastardly actions. They can even create a rule that formats the device’s hard drive to cover their tracks if needed in an emergency. In most cases the user doesn’t even have to open the email; it only needs to arrive in the user’s inbox to activate the rule.
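Because a rule fires on arrival, the only reliable defence is to audit the rules that already exist. The script below is an added example, not code from the article or from Microsoft: it walks the rules in the default Outlook store through the Outlook COM object model and reports any enabled action of the kinds described above (forward, redirect, delete, start an application, run a script). It assumes Outlook is installed with a configured profile, and the `$InternalDomain` value is a placeholder you must replace with your own mail domain.

```powershell
# Added example (not from the article): audit client-side Outlook rules for
# actions an intruder typically plants. Run in a normal PowerShell session on
# the workstation where Outlook is installed; no elevation required.

$InternalDomain = 'example.com'   # PLACEHOLDER: your organisation's mail domain

# OlRuleActionType values from the Outlook object model that matter here
$ActionNames = @{
    3  = 'Delete'
    4  = 'DeletePermanently'
    6  = 'Forward'
    7  = 'ForwardAsAttachment'
    8  = 'Redirect'
    18 = 'StartApplication'
    19 = 'RunScript'
}
$SuspiciousTypes = @(3, 4, 6, 7, 8, 18, 19)

$outlook = New-Object -ComObject Outlook.Application
$ns      = $outlook.GetNamespace('MAPI')
$rules   = $ns.DefaultStore.GetRules()

$findings = foreach ($rule in $rules) {
    foreach ($action in $rule.Actions) {
        if (-not $action.Enabled) { continue }
        if ($SuspiciousTypes -notcontains $action.ActionType) { continue }

        $detail = ''
        if ($action.ActionType -in 6, 7, 8) {
            # Send-type actions expose a Recipients collection; Exchange
            # recipients may show an X500 address rather than SMTP.
            $addresses = @($action.Recipients | ForEach-Object { $_.Address })
            $external  = $addresses | Where-Object { $_ -notlike "*@$InternalDomain" }
            $detail    = "recipients: $($addresses -join ', ')"
            # Forwarding that stays inside the organisation is lower risk; skip it
            if (-not $external) { continue }
        }

        [pscustomobject]@{
            Rule     = $rule.Name
            Enabled  = $rule.Enabled
            RuleType = if ($rule.RuleType -eq 0) { 'Receive' } else { 'Send' }
            Action   = $ActionNames[[int]$action.ActionType]
            Detail   = $detail
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No forward, delete, start-application or run-script rule actions found in '$($ns.DefaultStore.DisplayName)'"
}
```

The object model reports that a rule starts a program or runs a script but does not expose the path it points to, so open any flagged rule in the Rules Wizard to see the actual target. Server-side rules on Exchange or Office 365 mailboxes are a separate list; those are enumerated with the Exchange `Get-InboxRule` cmdlet, whose `ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo` and `DeleteMessage` properties are the ones to review.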
