In recent investigations, Compass recognized a rise in popularity of attacks that compromise Microsoft Exchange credentials. As one of the first steps after having obtained the credentials (most commonly through phishing), attackers created malicious inbox rules to copy incoming and outgoing emails of their victim. The attacker's goal was to guarantee access to emails even after the compromised credentials were changed. Once a compromised account is detected, such malicious inbox rules are typically easy to spot and remove. In fact, they often represent valuable indicators of compromise that can be used to identify other compromised accounts. In this article, we present an undocumented method that can be used to hide such inbox rules. These hidden rules remain functional, but are no longer visible in popular email clients and Exchange administration tools (on-premise and Office365 environments).
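To illustrate how a visible forwarding rule serves as an indicator of compromise, the following added example (not code from the original article) pivots from one rule's external recipient to every other mailbox that forwards to the same address. The input layout, a list of exported rules with `Mailbox`, `ForwardTo`, `ForwardAsAttachmentTo` and `RedirectTo` fields, and all sample values are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Rule actions that copy or divert mail to another recipient.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def is_internal(domain, internal_domains):
    """True for an organisation domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def external_targets(rule, internal_domains):
    """Return the external addresses a single rule sends mail to."""
    found = set()
    for field in FORWARD_FIELDS:
        for value in rule.get(field) or []:      # field may be missing or None
            for addr in ADDR.findall(value):
                addr = addr.lower()
                if not is_internal(addr.rsplit("@", 1)[1], internal_domains):
                    found.add(addr)
    return found

def pivot_on_targets(rules, internal_domains):
    """Map each external recipient to the mailboxes whose rules use it."""
    hits = defaultdict(set)
    for rule in rules:
        for addr in external_targets(rule, internal_domains):
            hits[addr].add(rule["Mailbox"].lower())
    return {addr: sorted(boxes) for addr, boxes in hits.items()}

# Constructed sample export (assumed layout, not real data).
SAMPLE_RULES = [
    {"Mailbox": "alice@corp.example", "Name": ".",
     "ForwardTo": ['"drop" [SMTP:drop@mail.example]']},
    {"Mailbox": "bob@corp.example", "Name": "RSS",
     "RedirectTo": ["[SMTP:Drop@Mail.Example]"]},
    {"Mailbox": "carol@corp.example", "Name": "To assistant",
     "ForwardTo": ['"Dave" [SMTP:dave@corp.example]']},
    {"Mailbox": "erin@corp.example", "Name": "Newsletters",
     "ForwardTo": None},
]

if __name__ == "__main__":
    for addr, boxes in pivot_on_targets(SAMPLE_RULES, {"corp.example"}).items():
        print(f"{addr}: {', '.join(boxes)}")
```

An export taken from the usual administration tools only contains visible rules, so an empty result does not rule out the hidden rules this article is about.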