Hide Artifacts: Email Hiding Rules

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.[1][2][3][4]

Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. [5]

ID: T1564.008
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Linux, Office 365, Windows, macOS
Permissions Required: User
Contributors: Dor Edry, Microsoft
Version: 1.0
Created: 07 June 2021
Last Modified: 16 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0085 FIN4

FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.[6]

Mitigations

ID Mitigation Description
M1047 Audit

Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis.

In an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious inbox rules.[7]

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Modification

Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.

On Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.[8] On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.[2]

References