Sneaky Scam Makes Hidden Changes to Your Email

by | Feb 15, 2022

Last Updated: Feb 15, 2022

Malicious Email Rules Forward Your Emails to Scammers

Recently, when replying to a client’s email, I received an email undeliverable response saying that their mailbox was full. However, upon closer review, the email address mentioned didn’t belong to my client. I called the client to see if he received my reply. He said “yes.” I then asked him if he was familiar with the email address listed on the undeliverable response, to which he said “no.”

From this we knew his email address was compromised, but how?

We checked the obvious areas first:

  1. Malware on his device – nope – he uses a MacBook
  2. Email forwarding activated in his Outlook account – nope – not activated
  3. Sign-in history – all looked good, nothing suspicious
  4. Change the email account password

After changing the email account password, I sent the client another email. Sure enough, I received the same undeliverable email from the unknown email account.

Further review of the undeliverable email led me to suspect that since email forwarding was not the problem, perhaps there was an email rule activated.

I had the client, once again, go to Outlook settings and check for “rules.”

Two rules were listed.

The first one related to a company he previously corresponded with by email. The second rule had a similar name as the first rule; however, this rule was set to send all received email to another email address, the same email address listed in the undeliverable reply I received.

BINGO, that’s it!

I had the client terminate, delete, both rules. Once they were terminated, I sent the client another email. This time, I didn’t receive the undeliverable email reply. That meant his emails were no longer being sent to an unknown email address. But how were the rules added to his Outlook email account?

Since the rules were associated with a business, he called them and asked if they were aware of any email or network issues. They said that last year they DID have an issue. They were infected by one of their suppliers. Was this the source of the client’s email compromise? Maybe, maybe not.

WHAT ARE EMAIL RULES

Email rules are based on if-then conditions. If this happens, then do this.

Here are a few examples:

If email is received from ABC, move it to the Important folder

If an email is received, send it to abc@123 dot com

If email is received from ABC, send a copy to abc@123 dot com

Rules are tools to help manage an inbox. But, as in this case, rules were used by criminals to receive a copy of the emails received by the victim.

HOW DID THIS HAPPEN

There are a few ways that criminals can add rules to your email account.

  1. Clicking on a link in a phishing email
  2. Opening an attachment in a phishing email

Most of the time the email comes from an existing contact, or an organization known to you. When you click on the link or try to open the attachment, it may appear that the link doesn’t do anything. However, it takes you to a fake Outlook or Gmail login page and requests your account credentials. When the credentials are entered, the login fails, but the scammers are able to install the email forwarding rule in the email account. There are different versions of this. Some of the emails may pretend to be from the email service, like Outlook or Gmail, saying a password change was initiated on your account and, if you didn’t do it, you are supposed to click the link. Others may claim to be Amazon confirming an expensive purchase. All the emails are designed to get you to click the link and enter your email account login credentials.

STEALTHINESS IS DANGEROUS

The dangerous part of this scam is that it could go undetected for years. Or, as in this case, until the fake email box became full, triggering the undeliverable response. Without receiving that reply, the email rule could have remained undetected.

Since we don’t know how long the email rule was in place, it’s hard to determine what information the scammer received in the forwarded emails.

HOW TO CHECK FOR THIS SCAM

Running an antivirus scan would NOT detect an email rule change. To see if you too are a victim, log in to your email provider and check for email rules.

For example, in Outlook, go to settings, click on mail, then click on rules. There you will see a list of rules activated on your email account. While you are in settings you could also check to see if mail forwarding was activated. Also, if available, check the sign-on activity and look for anything suspicious.
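The same check can be scripted for anyone who reviews many mailboxes. The following is an added example, not part of the original post: it assumes the rules have been exported in the shape of Microsoft Graph `messageRule` objects, and the sample rules, rule names and `.example` domains are constructed for illustration. It flags rules that forward or redirect mail outside the owner's domain, and notes when such a rule has no conditions or a name that resembles another rule, as in the case described above.

```python
import difflib

# Action fields of a Microsoft Graph messageRule that send mail to other recipients.
SENDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

def external_recipients(rule, owner_domain):
    """Addresses a rule forwards or redirects to that are outside owner_domain."""
    found = []
    actions = rule.get("actions") or {}
    for field in SENDING_ACTIONS:
        for recipient in actions.get(field) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "")
            if address.rpartition("@")[2].lower() != owner_domain.lower():
                found.append(address)
    return found

def audit_rules(rules, owner_domain):
    """Return (rule name, reasons) for every rule that sends mail outside the domain."""
    findings = []
    for rule in rules:
        external = external_recipients(rule, owner_domain)
        if not external:
            continue
        reasons = ["sends mail to " + ", ".join(external)]
        if not rule.get("conditions"):
            reasons.append("no conditions, so it applies to every message")
        for other in rules:
            ratio = difflib.SequenceMatcher(
                None, rule["displayName"].lower(), other["displayName"].lower()).ratio()
            if other is not rule and ratio >= 0.8:
                reasons.append("name resembles rule '%s'" % other["displayName"])
        findings.append((rule["displayName"], reasons))
    return findings

# Constructed sample data (not from the incident): an ordinary rule and a look-alike forwarder.
SAMPLE_RULES = [
    {"displayName": "Acme Supply", "isEnabled": True,
     "conditions": {"senderContains": ["acme-supply.example"]},
     "actions": {"moveToFolder": "folder-id-placeholder"}},
    {"displayName": "Acme Supply.", "isEnabled": True, "conditions": None,
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mail.example"}}],
                 "stopProcessingRules": True}},
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "client.example"):
        print(name, "->", "; ".join(reasons))
```

A rule that forwards to an address inside the owner's own domain is not reported, so internal delegation rules do not add noise.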

HOW TO REMOVE MALICIOUS RULES

Removing, or terminating, the rules varies by email provider. A quick search of the internet, or the help feature in your email provider, should provide you with step-by-step instructions.

SUMMARY

In this case, avoid clicking on links or opening attachments in unexpected emails. It’s also a good idea to check your email rules regularly. Learn how your email behaves so you are able to identify suspicious activity.

As with text messaging, sensitive information should never be sent by email. When sending sensitive information consider using an encrypted messaging service like Signal. NOTE: Signal is a non-profit organization that does not offer affiliate marketing. This means we do NOT receive compensation for recommending this product. We recommend it because we use and trust it.
