Malicious ‘Outlook Rules’ Exploit Forwards Your Emails to Attacker

A difficult to detect phishing attack is catching Outlook users off guard, as it uses the built in Rules feature to forward emails to an attackers third party mailbox.

In most cases the rules are configured to detect keywords related to finance, such as “Payment”, “Invoice” or “Bank”.

Attack Delivery

The malicious Outlook rules are created using traditional email phishing methods.  The target will receive and email apparently from an existing contact or organisation known to them.

A link in the phishing email takes the user to a fake Office 365 login page and requests the user’s credentials.

When they have been entered the log-in fails, but the attackers can the install an Email Forwarding rule in to the target’s Outlook rules.

Guard Against Malicious Outlook Rules Attack

The usual phishing guards will protect against this type of attack including:

  • Raising Awareness of Phishing Techniques.
  • Updating your Malware Protection.
  • Implementing Spam and Reputation Filtering.
  • Implementing a Blacklist/Whitelist.

You can also ask users to check their Outlook Rules Regularly to ensure they understand how Outlook is behaving.

Look for multiple failed log-in attempts or log-ins from new devices which could be symptomatic of a compromised user account.

Users should be encouraged to report suspicious activity to the relevant person in your organisation to help you manage an attack before the consequences escalate.

Managing a Malicious Outlook Rules Attack

Once the rule is installed its incredibly difficult to detect. Some victims report a MAILBOX FULL message being received from the attacker’s fake mail box as the first warning sign.

The best defence is prevention as discussed above, but if you have been hit, establish the date range of the attack, and investigate the content of messages that could have been compromised.

Contact interested parties, including your bank, to help prevent malicious payments being made.  Likewise, contact customers who may have been contacted by the attackers with different payment details.

You should also contact any customers, suppliers or other contacts who may also have been targeted by the attackers fishing scam.

If you discover a large amount of Personal Data has been compromised, or sensitive personal data that could affect the Rights and Freedoms of the Individual, you may also need to report a Data Breach to the ICO (Information Commissioner’s Office).

More Information

At Assent we can help you manage Information Security and Cyber Risks through ISO management systems, such as ISO 27001, and supporting services including Test Phishing Campaigns. Contact Us for more information.

Microsoft have produced the following guidance to help 365 users.

Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365:

Lauren Tobin
Lauren Tobin
Articles: 57