1. Home
  2. Techniques
  3. Enterprise
  4. Hide Artifacts
  5. Email Hiding Rules

Hide Artifacts: Email Hiding Rules

ID Name
T1564.001 Hidden Files and Directories
T1564.002 Hidden Users
T1564.003 Hidden Window
T1564.004 NTFS File Attributes
T1564.005 Hidden File System
T1564.006 Run Virtual Instance
T1564.007 VBA Stomping
T1564.008 Email Hiding Rules
T1564.009 Resource Forking
T1564.010 Process Argument Spoofing
T1564.011 Ignore Process Interrupts
T1564.012 File/Path Exclusions

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.[1][2][3][4]

Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. [5]

In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.[6] Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).

ID: T1564.008
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Linux, Office Suite, Windows, macOS
Contributors: Dor Edry, Microsoft; Liran Ravich, CardinalOps
Version: 1.4
Created: 07 June 2021
Last Modified: 15 October 2024
Version Permalink

Procedure Examples

ID Name Description
G0085 FIN4

FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.[7]
G1015 Scattered Spider

Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.[8]

Mitigations

ID Mitigation Description
M1047 Audit

Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis.

In an Exchange environment, Administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious inbox and transport rules.[9][10]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may use email rules to hide inbound emails in a compromised user's mailbox. Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries. In environments using Exchange, monitor logs for the creation or modification of mail transport rules.
DS0017 Command Command Execution

On Windows and Exchange systems, monitor for creation or modification of suspicious inbox rules through the use of the New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule PowerShell cmdlets.[11][10][12]
DS0022 File File Modification

On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.[2]

References

  1. Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.
  2. Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.
  3. Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.
  4. Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.
  5. Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.
  6. Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.
  1. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  2. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  3. Microsoft. (n.d.). Get-InboxRule. Retrieved June 10, 2021.
  4. Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023.
  5. Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.
  6. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.