Note: If you are using Microsoft Outlook 2007, please click Tools > Rules and Alerts. Step 2: Click Rules > Manage Rules & Alerts on the Home tab. Step 1: Shift to the Mail view, and open the mail folder that you will filter cc or bcc emails from.

In this post, we explain the 4 most common reasons why your Outlook is receiving duplicate emails: PROBLEM: email rules create duplicates. Outlook's Rules and Search functions can't search by times. Fortunately, the solution to this problem sometimes can be really easy. Issue duplicate emails in your Sent Items folder of Outlook 2016 for Mac. If you are using Outlook for some time, sooner or later you will get duplicate emails.

The attacker’s goal hereby was to guarantee access to emails even after the compromised credentials were changed. But the message is simpler this time, sending Outlook users official looking. As one of the first steps after having obtained the credentials (most commonly through phishing), attackers created malicious inbox rules to copy in- and outgoing emails of their victim. In recent investigations, Compass recognized a rise in attackers compromising Microsoft Exchange credentials.
However, similar methods might exist and could be used by cyber criminals. In case of a compromised Exchange account, changing credentials might not be enough to stop the leakage of sensitive information. The described method comes from our own research and has so far not been observed in the wild. These hidden rules remain functional, but are no longer visible in popular email clients and Exchange administration tools (on-premise and Office365 environments). In fact, they often represent valuable indicators of compromise that can be used to identify other compromised accounts.

In this article, we present an undocumented method that can be used to hide such inbox rules. However, you can use VBA to 'do something' with messages that fall within a certain time period. Once a compromised account is detected, such malicious inbox rules are typically easy to spot and remove. Step 4 has therefore been reported to Microsoft’s Security Response Center. The described method for hiding inbox rules was – to the best of our knowledge – so far undocumented.

Attack

The attack consists of the following 5 steps:

The main focus of this article lies on step 4. An in-depth forensic investigation might be required. Note however that rules with other actions, such as deleting selected messages before being read by the victims, would not be tracked by “Message Tracking”. The logs will include an entry for each forwarded message. For example, the following rule could copy all incoming emails and forward them to an attacker-controlled address.

Showing the “IncludeHidden” flag of the Get-InboxRule cmdlet

Exchange Compliance Features

Evidence of hidden forwarding rules, transferring messages to other mailboxes, might be found in the “Message Tracking” compliance features of Exchange (enabled by default).
Step-by-Step

We assume that an attacker successfully completed steps 1 and 2, meaning that she has opened the victim’s mailbox in Outlook. As a next step, the attacker uses Outlook’s wizard to create a rule on the victim’s inbox. This however removes all the rules on the corresponding mailbox (not only the hidden ones). Unfortunately, both these methods are not easily applicable corporation-wide (but only on individual mailboxes). Alternatively, you can run Outlook with the “/cleanrules” flag.

Eradication

The best way to remove hidden inbox rules is again through a MAPI editor such as “MFCMapi”. The tool allows us to get raw access to the underlying storage database and to list corrupted or suspicious rules. Changing a victim’s credentials and having your Exchange administrator look for existing inbox rules might not be sufficient for the detection of such rules. The precondition to this is that an attacker has access to the victim’s mailbox.

Conclusion

In this article, we described a method for creating Exchange inbox rules that are not shown by Outlook/OWA and the Exchange Management Shell. Join us for the talk, or visit our booth and play a round of darts to win some beers. We will have a talk where we further elaborate on the topic of hidden inbox rules.

Swiss Cyber Storm 2018

Compass Security is a Silver Sponsor at this year’s Swiss Cyber Storm security conference.
Author: Tom