Guide to triaging a potentially malicious mail rule
Attackers often use malicious mail rules to retain access to sensitive email once they have successfully phished an employee. You can find more details in our blog post, How hackers use mail rules to access your inbox.
If you're not sure whether a mail rule is a potential indicator of a compromised employee account, start with these steps:
Ask the user: First, just ask the user. If they are confident they set up the rule, it is unlikely to be attacker activity. Although you may consider the rule a breach of policy, it is not an incident. If the user is unsure, or confident they did not set up the rule, it's safer to assume this is attacker activity. Follow these steps for Microsoft 365 or these for Google Workspace. If you're unable to ask the user, try the next two steps.
Inspect the rule conditions: Typically, attackers create rules to forward all mail, or mail containing specific keywords such as "invoice" or "payment." These attacks are often not targeted at your organization, so the keywords may be generic; even so, consider the user's role and what kind of information they have access to that might match the conditions specified.
Inspect the rule actions: Does the rule forward mail to an address that is not clearly linked to the user's mailbox address? For example, a rule for firstname.lastname@example.org that forwards certain mail to email@example.com is more likely to be legitimate. A determined attacker can set up a mailbox that looks like it should pass this test, so this detail alone is not a deciding factor, but combined with inspecting the conditions, you should be able to work out whether the rule is legitimate.
If you're not sure, you should assume it is malicious until you are able to prove otherwise.
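The three checks above (ask the user, inspect the conditions, inspect the actions) can be encoded as a small triage helper so that every analyst applies them the same way. The following is an added example, not code from the original guide or from any Microsoft 365 or Google Workspace tooling: the MailRule structure is a constructed, simplified representation of an exported rule, the FINANCIAL_KEYWORDS list extends the guide's "invoice" and "payment" with a few assumed related terms, and linked_to_owner is one assumed heuristic for "clearly linked to the user mailbox address" (same domain, or a shared name token in the local part).

```python
"""Mailbox rule triage helper following the guide's three checks.

Added example. MailRule is a constructed, simplified representation of an
exported rule, not the Microsoft 365 or Google Workspace export format.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import re

# Keywords the guide names as typical attacker conditions ("invoice",
# "payment") plus a few assumed related finance terms; tune to your org.
FINANCIAL_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance")


@dataclass
class MailRule:
    mailbox: str                                              # owner address the rule lives in
    keyword_conditions: List[str] = field(default_factory=list)  # empty = applies to all mail
    forward_to: List[str] = field(default_factory=list)          # forward/redirect targets
    user_response: Optional[str] = None   # "confirmed", "denied", "unsure", or None if not asked


def _name_tokens(address: str) -> set:
    """Name-like tokens of the local part: firstname.lastname -> {'firstname', 'lastname'}."""
    local = address.split("@", 1)[0].lower()
    return {t for t in re.split(r"[._\-+]", local) if len(t) > 2}


def linked_to_owner(owner: str, target: str) -> bool:
    """Assumed heuristic for 'clearly linked': same domain as the owner, or a
    shared name token between the two local parts."""
    if owner.split("@", 1)[1].lower() == target.split("@", 1)[1].lower():
        return True
    return bool(_name_tokens(owner) & _name_tokens(target))


def triage(rule: MailRule) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'legitimate', 'needs_review'
    or 'assume_malicious'."""
    reasons: List[str] = []

    # Step 1: ask the user. A confident yes ends the triage; a denial or an
    # unsure answer means treating the rule as attacker activity.
    if rule.user_response == "confirmed":
        return "legitimate", ["user confirms they created the rule"]
    if rule.user_response in ("denied", "unsure"):
        reasons.append(f"user response: {rule.user_response}")
        return "assume_malicious", reasons

    # Step 2: conditions. Forwarding everything, or mail matching finance
    # keywords, is the pattern the guide describes.
    forwards_all = bool(rule.forward_to) and not rule.keyword_conditions
    keyword_hits = [k for k in rule.keyword_conditions
                    if any(f in k.lower() for f in FINANCIAL_KEYWORDS)]
    if forwards_all:
        reasons.append("forwards all mail with no conditions")
    if keyword_hits:
        reasons.append("conditions match financial keywords: " + ", ".join(keyword_hits))

    # Step 3: actions. Forwarding to an address not clearly linked to the owner.
    unlinked = [t for t in rule.forward_to if not linked_to_owner(rule.mailbox, t)]
    if unlinked:
        reasons.append("forwards to address not linked to owner: " + ", ".join(unlinked))

    # Decision: an unlinked target combined with a suspicious condition is the
    # guide's "assume malicious" case; one flag alone needs an analyst's look.
    suspicious_condition = forwards_all or bool(keyword_hits)
    if unlinked and suspicious_condition:
        return "assume_malicious", reasons
    if unlinked or suspicious_condition:
        return "needs_review", reasons
    return "legitimate", reasons or ["no forwarding to unlinked addresses, no suspicious conditions"]


# Constructed sample rules for illustration, not real exports.
SAMPLE_RULES = {
    "self_forward": MailRule("firstname.lastname@example.org",
                             ["invoice"], ["firstname.lastname@example.com"]),
    "bulk_exfil": MailRule("firstname.lastname@example.org", [], ["x9k2@example.net"]),
    "denied": MailRule("firstname.lastname@example.org", ["payment"],
                       ["firstname.lastname@example.com"], user_response="denied"),
    "move_only": MailRule("firstname.lastname@example.org", ["newsletter"], []),
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        verdict, why = triage(rule)
        print(f"{name}: {verdict} ({'; '.join(why)})")
```

The "needs_review" verdict exists so that a rule with a single weak signal (a finance keyword forwarded to the user's own personal address, for instance) is not auto-closed; following the guide's last sentence, treat it as malicious until the user or the mailbox audit trail proves otherwise.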
Preparing your incident response internally
If you will be dealing with this incident internally, refer to our response guides:
You should also ensure that you and your team have sufficient privileges to complete the steps in the guide.
When responding to a suspected account compromise, we recommend four response steps:
1. Damage limitation: take some quick steps to minimize damage.
2. Understand the root cause: how was this account compromised?
3. Check if other users are compromised: is this account the only one affected?
4. Recovery: once you understand how the attack happened and how widespread it is, you can comprehensively rebuild and clean up.
Although you may be tempted to jump straight to step 4, you need to understand how the attack happened and how widespread it is in order to recover fully.
Using an external incident response service
If you plan to use an external incident response service, you will likely have less preparation to do internally. However, you should ensure that:
Everyone who may receive malicious mail rule alerts understands when and how to initiate incident response.
Suspected account compromise is covered in the playbooks you have agreed with your incident response provider, and everyone in your team understands the details of the plan and the role they play.
Your incident response service may recommend response steps that differ from, or are in a different order than, those in this guide. Always follow your incident response service's guidance. A big benefit of an incident response service is that they can adapt their response to your context and do what is best for you, your organization, and your scenario.