Email systems are the beating heart of modern businesses, enabling communication within and outside the organization. With 94% of cyber attacks starting with email, it’s clear that cybercriminals know how to bypass conventional email security tools. This blog post provides a deep dive into how hackers leverage the basic mailbox feature of “subfolders” to infiltrate companies’ networks and explores practical remediation strategies to help businesses stay protected.

When Rules Fall Into the Wrong Hands

Rules are an effective way to organize and better control large volumes of incoming mail. They can forward certain incoming messages to specific folders or destinations (email addresses), delete messages, or even send a reply automatically. The problem starts when a cybercriminal gains control of an individual mailbox and creates rules with malicious intent. That translates into rules that send messages containing sensitive information to an external server, delete messages with valuable information, open an attachment, execute an application, launch an EXE, URL or ZIP file, access a remote URL to download a file, and even tamper with critical information to obstruct forensic investigations.

The Hidden Threats of Mail Rules

Once rules are implemented, the attacker takes root in the system and gains persistent access: even if the IT administrator changes the user’s password, enforces MFA, or replaces the entire workstation, the exploit remains active and influential for as long as the rule exists. According to an FBI public release, in the US alone, compromised cloud-based business email accounts caused damages of over $2B USD: “Often, the actors configure the mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.”

Who Rules the Rules?

To effectively address the issue of foreign rules in the mail, Microsoft suggests a practical solution in one of their M365 learning blogs. They recommend using a PowerShell script called the O365 Investigation tool (or Get-AllTenantRulesAndForms.ps1). This script automates the process of retrieving all mail forwarding rules and custom forms for all users in the domain. According to Microsoft, this method is both time-efficient and safe for obtaining initial feedback.

To utilize the PowerShell script, it’s important to note that Global Administrator permissions are required. If the presence of a foreign rule is identified, the fix is fairly easy: it involves deleting the rule from the mailbox using the Outlook client or Exchange PowerShell.

It is the administrator’s responsibility to ensure that no rules with funny business exist, on the client’s end as well as on the server’s side.

Beyond The Great Inbox

Conventional email systems normally arrive with default folders such as Inbox, Sent Items, Drafts, Deleted Items, and Junk Email. However, with an average of 160 emails transmitted in and out of a business account per day, most users rely on subdirectories (or subfolders) to manage their inboxes. While subfolders are a common practice, an infamous misconception is that email security tools scan every incoming message arriving at the user’s account, while many of those solutions analyze only traffic arriving at the Inbox folder. In other words, any message that for any reason (e.g. a rule) is redirected to a subfolder other than the Inbox practically “waives” its security checkup.

Regardless of whether the subfolders and the rules that populate them were configured by users, administrators, or hackers (via Exchange Online’s properties, MAPI Editor, Microsoft Graph, or M365), the outcome is the same: incoming traffic may bypass the security tools.

Note that, in general, users are not aware of existing rules that were configured on the server side by the administrator (or by hackers).
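The kind of check the two sections above describe, as an added example rather than Microsoft’s Get-AllTenantRulesAndForms.ps1 or FileWall’s own code: it walks every mailbox with Exchange Online PowerShell, flags inbox rules that forward or redirect outside the tenant, delete messages, or silently file them into a subfolder, and leaves removal as a manual step. It assumes an already connected Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to read all mailboxes’ inbox rules; the heuristics and the `Test-ExternalAddress` helper are this example’s own.

```powershell
# Added example: triage inbox rules across all mailboxes for the patterns discussed above.
# Assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline).

# Domains the tenant owns; anything else counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    # Recipients from Get-InboxRule look like '"Name" [SMTP:user@domain.tld]' or a bare address.
    param([string[]]$Recipients)
    foreach ($r in ($Recipients | Where-Object { $_ })) {
        if ($r -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') {
            if ($internalDomains -notcontains $Matches[2].ToLower()) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if (Test-ExternalAddress $targets)          { $reasons += 'forwards or redirects outside the tenant' }
        if ($rule.DeleteMessage)                    { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -and $rule.MarkAsRead) { $reasons += 'silently files messages into a subfolder' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Folder   = $rule.MoveToFolder
                Reasons  = ($reasons -join '; ')
                Identity = $rule.Identity   # needed for Remove-InboxRule
            }
        }
    }
}

$findings | Format-Table -AutoSize
# After confirming a finding with the mailbox owner, remove that single rule by its identity:
# Remove-InboxRule -Identity $findings[0].Identity -Confirm:$false
```

Rules created server-side or with tools such as MAPI Editor are still returned by Get-InboxRule, which is what makes this server-side sweep more complete than asking users to look in their Outlook client.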

One CDR to Rule Them All: FileWall for Microsoft 365

Regardless of the complexity of users’ configured email security rules or the sophistication employed by hackers using tools like MAPI Editor, FileWall is the ultimate solution for safeguarding your organizational network against hidden malware threats. With seamless integration and comprehensive support for Microsoft 365 business applications, including Exchange Online, FileWall diligently examines the binary structure of commonly used files across any subfolder, visible and hidden alike. FileWall performs deep scanning on any hierarchy of folders and subfolders. After scanning all directories, FileWall performs deep file analysis of the attachments, neutralizing potential malicious code embedded in them. To try FileWall for free, sign up here.