Security operations · 6 MIN READ · PETER MICHALSKI · JAN 16, 2024 · TAGS: MDR
Inbox rules are used for legitimate and malicious reasons alike. Here are some exercises drawn from actual cases, plus tips and tricks on how to analyze a rule using its conditions alone.
Inbox rules help users manage and organize emails. (For those unfamiliar with Outlook inbox rules, I highly recommend Brandon Dossantos’s recent post, which outlined what they are, explained how attackers can abuse them, and offered some helpful detection ideas.) They’re also a great way for attackers to keep users in the dark by automatically hiding or deleting emails. When triaging a suspicious Outlook rule alert, it’s important to keep in mind the intent and purpose of the rule. A legitimate rule will make logical sense and help real users manage their inboxes. What does this look like?
- Logical association between the rule name, emails meeting the condition(s), and action(s) taken on them.
- The name of the rule will be descriptive or have meaning (at least to the user).
- Important sounding emails won’t be “hidden” (marked as read, deleted, and/or moved to an unrelated folder).
Malicious inbox rules with clever names or conditions ultimately don’t make sense when evaluated holistically, and have illogical associations that can help you determine that they’re malicious. Attackers can operate from any IP address, regardless of reputation or association, and use any account they manage to compromise a user, regardless of role or location.
To strengthen triage muscles (gut reaction, if you will), we put together a short exercise using actual suspicious Outlook rule alerts and asked analysts to determine if the conditions of the rule were benign or malicious without any additional context or investigative data and to then talk through each.
Suspicious rules exercise
Here are some examples of real Outlook rules we alerted on and investigated (with identifying information replaced with contextually relevant substitutes).
1: rule details
- MoveToFolder = RSS Subscriptions
- Name = Updated Banking Information
- SubjectOrBodyContainsWords = Updated Banking Information;Banking
- MarkAsRead = True
While the name of the rule is descriptive, there’s no logical reason for banking emails to go into the RSS Subscriptions folder. RSS subscriptions are a way for users to get notifications from sites with frequent content updates, mainly media, such as blogs, news outlets, and podcasts. Banking information is also important, and a user wouldn’t mark it as read automatically. Verdict: Malicious.
2: rule details
- MoveToFolder = Deleted Items
- Name = ,
- FromAddressContainsWords = @example-financial.com
- MarkAsRead = True
The rule name has no meaning, and the affected emails are from a domain related to financials. Emails are being moved to Deleted Items and marked as read. Odd behavior for important-sounding emails. Verdict: Malicious.
3: rule details
- From = SHIFTMANAGER@EXAMPLE.COM
- ReceivedBeforeDate = 1/6/2022 2:31:18 PM
- Name = Accurate Lead Schedule
- DeleteMessage = True
Old messages (BeforeDate condition) are being deleted. The rule name and the sender are consistent. It’s logical to expect a regular volume of scheduling messages and for old ones to be removed. Verdict: Benign.
4: rule details
- From = noreply@example.com
- Name = For all messages from Example Email Security
- DeleteMessage = True
The rule name is descriptive, but also indicates “Email Security.” These could be important and are being deleted. The rule specifies a “noreply” address, which is unmonitored, and likely includes a variety of other automated emails. Because there are no additional conditions and the specified emails are likely automated, this appears more in line with legitimate inbox management. If the sender were more specific, that would be a cause for greater concern. Verdict: Benign.
5: rule details
- From = JaneDoe@example.com
- MoveToFolder = Conversation History
- Name = stp
- SubjectOrBodyContainsWords = payroll
The rule name is odd but could be an acronym. The rule specifies a single sender and includes the word “payroll,” which is important. While not being marked as read or deleted, emails are being moved to a generic folder, “Conversation History,” which has no clear relation. At a glance this may appear legitimate, but why move such specific emails to a generic folder with a nondescript rule name? It’s more logical to expect a user to name the rule something specific for payroll emails. If the user wanted emails from this sender to go into the “Conversation History” folder, why limit it to payroll emails? Why not all emails from the address if the intent is to track a conversation with the sender, or move them to a “Payroll Conversation History” folder? This illogical jump should raise alarms. Verdict: Malicious.
6: rule details
- MoveToFolder = ISO
- Name = ISO
- SubjectOrBodyContainsWords = ISO
The rule name is short and odd. The targeted emails don’t obviously appear important—it’s hard to tell with only three letters, which possibly mean something to the end user. However, the rule name, destination folder, and email criteria all appear consistent. Verdict: Benign.
7: rule details
- From = admin@unknownexample.com
- MoveToFolder = Junk Email
- Name = For all messages from John Doe
- DeleteMessage = True
- MarkAsRead = True
The rule name is descriptive, but doesn’t appear consistent with the sender. The sender contains “admin,” which could indicate a shared account, and may be important. However, the domain of the sender had no obvious associations, and had few results when searched online. The emails are not only being marked as read and deleted, but also moved to the Junk folder. Overall, this rule is odd, has mixed signals, and needs further investigation. To make a decision without more investigation, the deciding indicators are the lack of public information on the sender domain (likely spam) and the user also moving the emails to the Junk folder. Verdict: Benign.
8: rule details
- Name = ….
- DeleteMessage = True
- MarkAsRead = True
This rule has no specific conditions, which means it’s targeting all emails to delete and mark as read. The rule name is also bizarre. None of this makes sense for normal inbox management. Verdict: Malicious.
9: rule details
- From = janedoe@examplefood.com;johndoe@examplefood.com
- MoveToFolder = Example Food
- Name = Example Food Invoices
The rule name is descriptive and consistent with the conditions of the emails. Emails are being moved to a custom-named folder that makes sense for the emails. The targeted emails appear important, related to invoices, and are being actioned appropriately for inbox management. Verdict: Benign.
10: rule details
- Name = .
- SubjectOrBodyContainsWords = RE: November 2021: Example Minerals Updates you need to know!
- DeleteMessage = True
- MarkAsRead = True
The rule name is a red flag. The targeted emails don’t appear important though, and are possibly spam-related. If you think about the prefix in the subject—“RE:”—this rule is targeting “reply” emails for messages the user sent out. Why would they be marking as read and deleting all the replies to something they sent out? This rule targets replies to mass phishing emails sent from the account, and the attacker is trying to hide them from the user. Verdict: Malicious.
11: rule details
- From = JohnDoe@ExampleInsurance.com
- MoveToFolder = Archive
- Name = VB
- SubjectOrBodyContainsWords = Assistance Required
The rule name is short and odd, maybe an acronym. It specifies a single sender related to insurance, for emails containing “Assistance Required,” which sounds important. Although the emails are not being marked as read or deleted, they are being moved to the “Archive” folder. Why would “Assistance Required” emails from an insurance company be archived? It’s reasonable to expect these to be marked as important or moved to a more relevant folder. If these emails are safe to archive, why not mark them as read as well? Verdict: Malicious.
Points to keep in mind (and possible exceptions)
- Analysts should use all the data and tools at their disposal to make an accurate determination. The idea of this exercise is to train your gut (intuition)—it isn’t a replacement for fully investigating.
- This also means making best use of both automation and human expertise. There are things machines are great at—crunching massive amounts of data, for example. There are also things they can’t do, like critical thinking, and this is where the human factor comes into play. The human/machine partnership is something that strengthens our offerings.
- If no conditions are specified, the rule applies to all emails.
- Rule names of only a few letters are common when they’re an acronym or abbreviation.
- The name of the rule is usually a strong indicator. If it isn’t helpful, focus on the logical association between the rule name, emails meeting the condition(s), and action(s) taken on them.
- Generally speaking, moving items to default Outlook folders (Archive, RSS Subscriptions, etc.) is odder than moving them to user-created ones (with the exception of the Junk folder).
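To make the exercise above and this checklist concrete, here is an added example (my own code, not Expel’s or the author’s) that encodes the heuristics as a scoring function and runs it over rule details written in the post’s `- Key = Value` layout. The key names follow the Exchange inbox-rule parameters shown in the post; the important-word list, the default-folder list, the scoring weights and the verdict thresholds are my own assumptions, and the sample rules are constructed copies of the post’s placeholder examples.

```python
import re

# Action keys (versus match conditions); names follow the Exchange inbox-rule
# parameters the post lists (MoveToFolder, MarkAsRead, DeleteMessage).
ACTION_KEYS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}
# Default Outlook folders the post calls out as odd destinations; Junk Email is
# the exception and is left out on purpose.
DEFAULT_FOLDERS = {"rss subscriptions", "archive", "conversation history"}
# Constructed (assumed) list of condition words that make matched mail sound important.
IMPORTANT_WORDS = ("banking", "payroll", "invoice", "financial",
                   "assistance required", "password", "security")

# Constructed samples in the post's "- Key = Value" layout (placeholder values).
RULES = {
    "banking_to_rss": """- MoveToFolder = RSS Subscriptions
        - Name = Updated Banking Information
        - SubjectOrBodyContainsWords = Updated Banking Information;Banking
        - MarkAsRead = True""",
    "old_schedules": """- From = SHIFTMANAGER@EXAMPLE.COM
        - ReceivedBeforeDate = 1/6/2022 2:31:18 PM
        - Name = Accurate Lead Schedule
        - DeleteMessage = True""",
    "iso": """- MoveToFolder = ISO
        - Name = ISO
        - SubjectOrBodyContainsWords = ISO""",
    "delete_everything": """- Name = ....
        - DeleteMessage = True
        - MarkAsRead = True""",
    "hide_replies": """- Name = .
        - SubjectOrBodyContainsWords = RE: November 2021: Example Minerals Updates
        - DeleteMessage = True
        - MarkAsRead = True""",
}


def parse_rule(text):
    """Parse '- Key = Value' lines into a dict; lines without '=' are skipped."""
    rule = {}
    for line in text.splitlines():
        line = line.strip().lstrip("-").strip()
        if "=" in line:
            key, _, value = line.partition("=")
            rule[key.strip()] = value.strip()
    return rule


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def triage(rule):
    """Return (verdict, score, reasons) judged from the rule's conditions alone."""
    reasons = []
    name = rule.get("Name", "")
    folder = rule.get("MoveToFolder", "").lower()
    conds = {k: v for k, v in rule.items() if k not in ACTION_KEYS and k != "Name"}
    cond_text = " ".join(conds.values()).lower()
    hidden = (rule.get("DeleteMessage", "").lower() == "true"
              or rule.get("MarkAsRead", "").lower() == "true"
              or folder == "deleted items")

    # A name made only of punctuation carries no meaning; 1-3 letters may be an acronym.
    if not re.search(r"[a-z0-9]", name, re.I):
        reasons.append("nondescript rule name")
    elif len(name.strip()) <= 3:
        reasons.append("very short rule name (possible acronym)")
    # With no conditions at all, the rule applies to every incoming email.
    if not conds and (hidden or folder):
        reasons.append("no conditions: applies to all mail")
    # Important-sounding mail should not be hidden or parked in an unrelated folder.
    important = any(w in cond_text for w in IMPORTANT_WORDS)
    if important and (hidden or folder in DEFAULT_FOLDERS):
        reasons.append("important-sounding mail hidden or moved to an unrelated folder")
    if folder in DEFAULT_FOLDERS:
        reasons.append("destination is a default Outlook folder")
    # Hiding "RE:" messages hides the replies to mail sent from this account.
    if hidden and re.search(r"\bre:", cond_text):
        reasons.append("replies to sent mail are being hidden")
    score = len(reasons)

    # Benign signals: a user-created folder whose name matches the rule name,
    # an automated noreply sender, or date-bounded clean-up of old messages.
    user_folder = folder and folder not in DEFAULT_FOLDERS | {"junk email", "deleted items"}
    if user_folder and tokens(folder) & tokens(name):
        reasons.append("folder name consistent with rule name (benign signal)")
        score -= 1
    if "noreply" in cond_text or "ReceivedBeforeDate" in conds:
        reasons.append("automated sender or date-bounded clean-up (benign signal)")
        score -= 1
    score = max(score, 0)
    verdict = "malicious" if score >= 2 else "review" if score == 1 else "benign"
    return verdict, score, reasons


def triage_all():
    """Verdict per sample rule, e.g. {'banking_to_rss': 'malicious', ...}."""
    return {label: triage(parse_rule(text))[0] for label, text in RULES.items()}
```

`triage_all()` reproduces the post’s verdicts for the five samples; a score of 1 yields “review”, which is the point the post makes about vague rules needing the IP, prevalence and user-activity data that the conditions alone don’t give you. The reasons list is what an analyst would want in the alert text, since it names the illogical association rather than just a number.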
There are cases where the inbox rule conditions are vague enough that further investigation is needed. Details such as the IP reputation and prevalence, plus the user’s recent activity, should be used to help determine the nature of the activity. Open source intelligence is also a great way to get a sense of importance if the senders, domains, and/or conditions are unfamiliar.
When attackers begin to make malicious inbox rules, analysts need to act fast. It’s likely at this point the attackers have been accessing the account for some time and have begun to insert themselves into conversations (or maybe they’re sending out internal phishing emails).
Analysts can improve their skills and gut reaction through practice breaking down and analyzing the rule’s conditions to make sure the contents are consistent with the intent.
If you have questions or comments, please drop us a line.