Navigating the Maze: Recovering from Email Redirection Hacks

Question:

We’ve confirmed that there are no active RSS feed subscriptions, and we suspect that the perpetrators have manipulated settings to divert critical emails, such as password resets and two-factor authentication prompts, to prevent detection. The breach has already extended to the executive’s banking information, which was fortunately noticed due to a direct phone call from the bank.

As an Exchange administrator, I’m seeking a method to access and modify these cloud-based mail sorting rules on a per-user basis to resolve this issue. However, I’m unable to find any documentation on how to do this. Could you provide guidance on how to revert these changes, or share insights on how this type of cyber attack is typically executed?

Answer:

In the realm of cybersecurity, email systems are often targeted due to their integral role in communication and identity verification processes. A particularly insidious method of attack involves the redirection of critical emails, such as password resets and two-factor authentication prompts, to obscure folders like RSS Subscription folders. This tactic is designed to evade detection and maintain unauthorized access to sensitive information.

The scenario described suggests that an attacker has gained access to an executive’s email account and created a rule that redirects incoming emails to the RSS Subscription folder. This is a clever way to hide malicious activity because it allows the attacker to intercept sensitive emails without raising immediate suspicion.

Resolving the Issue:

As an Exchange administrator, you have the ability to access and modify mail flow rules, which can include rules created by attackers. To address this issue, you should:

1. Access the Exchange Admin Center (EAC): Navigate to the EAC and sign in with your administrator credentials.

2. Locate Mail Flow Rules: In the EAC, go to ‘Mail flow’ and then ‘Rules’.

3. Identify Unauthorized Rules: Look for any rules that redirect emails to the RSS Subscription folder or any other unusual location.

4. Modify or Delete the Rule: If you find a suspicious rule, you can modify it to stop the redirection or delete it entirely.

5. Audit Other Settings: Ensure that no other unauthorized rules or settings have been created by the attacker.

6. Monitor for Further Activity: After resolving the issue, monitor the account for any further signs of unauthorized activity.
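The rules the question describes live inside the executive’s mailbox (per-user inbox rules), which is a different object from the organization-wide transport rules under ‘Mail flow’ in the EAC. The script below is an added example, not from the original post, of how an administrator can enumerate those per-mailbox rules with Exchange Online PowerShell and flag the patterns used to hide password-reset and MFA mail: moves into rarely read folders such as RSS Subscriptions, forwarding or redirection, deletion, silent mark-as-read, and conditions that match authentication or banking keywords. It assumes the ExchangeOnlineManagement module and an account with Exchange administrator rights; the folder list, keyword list and the -Remediate switch are my own constructions, while Connect-ExchangeOnline, Get-Mailbox, Get-InboxRule and Disable-InboxRule are the real cmdlets it relies on.

```powershell
# Added example (not from the original post): audit per-mailbox inbox rules in
# Exchange Online and flag the patterns used to hide password-reset and MFA mail.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
param(
    [string[]]$Mailbox,   # specific mailboxes (UPNs); omit to scan all user mailboxes
    [switch]$Remediate    # disable flagged rules instead of only reporting them
)

Connect-ExchangeOnline -ShowBanner:$false

# Folders that are rarely opened by users, and words that appear in the conditions
# of rules aimed at authentication or banking mail (both lists are constructed here).
$hiddenFolders = 'RSS Subscriptions', 'RSS Feeds', 'Junk Email', 'Deleted Items', 'Conversation History', 'Archive'
$authKeywords  = 'password', 'reset', 'verification', 'verify', 'code', 'security', 'sign-in', 'login', 'bank'

$targets = if ($Mailbox) { $Mailbox } else {
    (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).UserPrincipalName
}

$findings = foreach ($upn in $targets) {
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $reasons = @()

        # 1. Moves mail into a folder nobody reads (MoveToFolder is "<mailbox>:\<path>")
        $folder = if ($rule.MoveToFolder) { ($rule.MoveToFolder -split '\\')[-1] } else { $null }
        if ($folder -and $hiddenFolders -contains $folder) { $reasons += "moves to '$folder'" }

        # 2. Sends a copy of the same messages somewhere else
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $reasons += 'forwards/redirects mail' }

        # 3. Deletes, or marks as read so the alert never shows up as unread
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MarkAsRead)    { $reasons += 'marks as read' }

        # 4. Conditions that single out authentication or banking mail
        $conditions = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                      @($rule.SubjectOrBodyContainsWords) + @($rule.FromAddressContainsWords) |
                      Where-Object { $_ }
        $hits = $conditions | Where-Object { $w = $_; $authKeywords | Where-Object { $w -like "*$_*" } }
        if ($hits) { $reasons += "conditions match: $($hits -join ', ')" }

        # 5. Names that are empty or only punctuation, chosen to blend into the rule list
        if ($rule.Name -match '^[\s\.\-_,]*$') { $reasons += 'empty or punctuation-only name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $upn
                Rule     = $rule.Name
                Identity = $rule.Identity
                Enabled  = $rule.Enabled
                Reasons  = $reasons -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remediate -and $findings) {
    foreach ($f in $findings) {
        # Disable rather than delete, so the rule survives as evidence for the investigation.
        Disable-InboxRule -Identity $f.Identity -Mailbox $f.Mailbox -Confirm:$false
        Write-Host "Disabled rule '$($f.Rule)' in $($f.Mailbox)"
    }
}
```

Run it once without -Remediate to review the report, then with -Remediate for the affected mailbox. Disabling keeps the rule definition available for the incident record; delete it with Remove-InboxRule only after the investigation has captured it.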

Preventing Future Attacks:

To prevent such attacks from occurring in the future, consider implementing the following measures:

  • Multi-Factor Authentication (MFA):

    Enforce MFA to add an extra layer of security for user accounts.


  • Regular Audits:

    Conduct regular audits of mail flow rules and account settings.


  • User Education:

    Educate users on recognizing phishing attempts and securing their accounts.


  • Security Solutions:

    Deploy advanced security solutions that can detect and prevent unauthorized changes to mail flow rules.

Understanding the Attack Vector:

This type of attack is often initiated through phishing, where attackers deceive users into providing their login credentials. Once they have access to an account, they can create rules to control the flow of emails and access sensitive information. The key to prevention is vigilance, education, and robust security protocols.
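The ‘Regular Audits’ and ‘Security Solutions’ points above come down to watching for rule changes as they happen rather than discovering them after a phone call from the bank. The script below is an added example, not from the original post, that pulls inbox-rule creation and modification events from the Microsoft 365 unified audit log and reports who changed which rule, from which client IP, and whether the new rule moves, forwards or deletes mail. It assumes Connect-ExchangeOnline has already been run and that audit logging is enabled for the tenant; Search-UnifiedAuditLog is the real cmdlet, but the field names read out of its AuditData JSON (Operation, UserId, ClientIP, CreationTime and the Parameters Name/Value list) and the three operation names are my expectation of the record format and should be checked against one record from your own tenant.

```powershell
# Added example (not from the original post): report inbox-rule changes from the
# Microsoft 365 unified audit log. Assumes an existing Connect-ExchangeOnline session.
# The AuditData property names used below are an assumption about the record format.
param(
    [int]$Days = 30
)

$suspiciousFolders = 'RSS Subscriptions', 'RSS Feeds', 'Junk Email', 'Deleted Items', 'Archive'

# New-InboxRule / Set-InboxRule are logged for rules made via PowerShell or Outlook on
# the web; UpdateInboxRules is what the Outlook desktop client produces (assumption).
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules' -ResultSize 5000

$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json

    # Flatten the Name/Value parameter list into a hashtable for easy lookup
    $p = @{}
    foreach ($param in @($d.Parameters)) { if ($param.Name) { $p[$param.Name] = $param.Value } }

    $reasons = @()
    if ($p['MoveToFolder']) {
        $folder = ($p['MoveToFolder'] -split '\\')[-1]
        if ($suspiciousFolders -contains $folder) { $reasons += "moves to '$folder'" }
    }
    foreach ($k in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        if ($p[$k]) { $reasons += "$k=$($p[$k])" }
    }
    if ($p['DeleteMessage'] -eq 'True') { $reasons += 'deletes messages' }
    if ($p['MarkAsRead'] -eq 'True')    { $reasons += 'marks as read' }
    if ($d.Operation -eq 'UpdateInboxRules') { $reasons += 'changed from Outlook client; inspect OperationProperties' }

    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        Mailbox   = $d.UserId
        ClientIP  = $d.ClientIP
        RuleName  = $p['Name']
        Flags     = $reasons -join '; '
    }
}

# Every rule change is listed, flagged ones first: a rule created from an unfamiliar
# IP address is worth a look even when it carries no flags.
$report | Sort-Object { $_.Flags -eq '' }, Time | Format-Table -AutoSize
```

Schedule this to run daily and route the output to the SOC queue; a rule created from an IP address that never appears in the user’s sign-in history is the signal that, in the scenario above, would have preceded the bank’s phone call.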

In conclusion, by taking immediate action to identify and remove unauthorized mail flow rules and by implementing preventative measures, you can safeguard your organization’s email system against such cyber threats.
