The US FBI released a Private Industry Notification (PIN) last week warning that cybercriminals are exploiting email forwarding rules to maintain anonymity and hide their presence on hacked email accounts. The PIN was made public yesterday and contains valuable information about how the technique is being actively used in recent business email compromise (BEC) attacks this year. The tactic relies on a feature in certain email services called auto-forwarding email rules, which lets the owner of an email address create rules that forward emails to different addresses.
This makes it easy for threat actors to monitor an account: they change its auto-forwarding rules so that copies of all incoming emails are sent to an address controlled by the attacker. This allows them to go undetected and removes the need to log into the compromised account each day and risk triggering a security warning. Both nation-state hacking groups and cybercrime operators have been abusing auto-forwarding rules for years; however, the FBI report highlights a recent spike in the technique.
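For defenders, the forwarding behaviour described above can be audited by reviewing exported mailbox rules for external recipients. The following is an added example, not code from the FBI notification or this article; the rule schema, the sample records and the internal domain `example.com` are constructed assumptions, not any mail provider's real export format.

```python
from email.utils import parseaddr

# Assumption: domains the organization owns; subdomains count as internal.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export; the field names are a hypothetical schema,
# not any mail provider's real format.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "archive", "enabled": True,
     "conditions": {}, "forward_to": ["Backup <inbox@mail-archive.example.net>"]},
    {"mailbox": "ap@example.com", "name": "invoices", "enabled": True,
     "conditions": {"subject_contains": ["invoice"]},
     "forward_to": ["AP-Team@Finance.Example.com", "ext@partner.example.org"]},
    {"mailbox": "hr@example.com", "name": "team copy", "enabled": True,
     "conditions": {}, "forward_to": ["hr-team@example.com"]},
    {"mailbox": "it@example.com", "name": "old", "enabled": False,
     "conditions": {}, "forward_to": ["someone@elsewhere.example.net"]},
]

def is_internal(address):
    """True if the address is in an internal domain or a subdomain of one."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def audit_rules(rules):
    """Return one finding per enabled rule that forwards mail outside the organization."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        # Unparseable recipients are treated as external so they get reviewed.
        external = [a for a in rule.get("forward_to", []) if not is_internal(a)]
        if not external:
            continue
        # No conditions means every incoming message is copied out,
        # which is the pattern described above.
        severity = "high" if not rule.get("conditions") else "medium"
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "severity": severity, "external": external})
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['severity']:6} {f['mailbox']} rule={f['rule']!r} -> {f['external']}")
```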