A newer attack style that is being used (and one we have personal experience with resolving) is the manipulation of email forwarding rules.
Email forwarding rules are rules that are set up in your inbox to forward a message to another mailbox as soon as it arrives.
The danger for the email owner is that these rules can also clean up after themselves by deleting the message, preventing a copy of the forward from showing in the “Sent Items” folder, and deleting the message from the “Deleted Items” folder.
If a hacker takes advantage of this, then all your email will be sent to and read by someone you do not even know.
Think about the items in your inbox, especially the ones that are sensitive and/or confidential. Can you risk there being a period of time where your messages are being forwarded without your knowledge?
Also, as the hackers are good at cleaning up and hiding their tracks, you need someone with the experience and expertise to resolve this for you if it does occur.
One of the big dangers with this attack style is that changing your password or adding two-factor authentication will not stop the current breach once the rule is in place.
Forwards will continue to be sent because the rule is not password dependent. It’s the same with two-factor authentication; if you enable this after the rule is in place, it will not do you any good.
There are steps that can be taken to prevent these types of attacks, however most of them are not settings that an end user would be familiar with.
It’s important to not allow forwarding to occur to email addresses outside of your domain, and relatedly, it’s a good idea to allow the full sync of settings between the web client and the local desktop client.
For example, Office 365 by default will not sync these settings, so if someone gains access to your email and creates a forward on the web page, you and your IT department will not see it if they look in your Outlook client on your local computer.
These rules can be hidden if the hacker knows what they are doing. This means a quick open-and-check-if-a-rule-exists is not sufficient. Steps need to be taken to make sure there are no rules, not just a lack of visible rules.
Checking for these rules if there is a suspected breach is critical because of another potential problem: if you do a password reset on another account that you are concerned about (for example, your bank because you use the same password), that email with details gets forwarded to the hacker and they may be able to gain access to that account.
Hackers will continue to evolve as they need to. As this exploit is discovered and procedures are put in place to mitigate their effect, the next exploit will be used and the cycle will start again. Having a partner to help you navigate through all these potential issues is essential.
Being aware of these exploits, watching for new ones, and making necessary changes to keep your business safe is a big part of what Tech Experts does.
Handling these concerns is part of our core business, giving you the peace of mind to handle your core business.