If a cyber criminal somehow got your login credentials and was living in your email system right this minute, would you know?
This is called Business Email Compromise (BEC) and the damage it causes to companies globally dwarfs ransomware – by 60 to 80 times, according to various sources including the FBI.
What is the bad guy doing during a BEC breach? He’s watching and learning.
Once he understands how money flows within your organization, he’ll start making internal requests to send payments or external invoice demands to your vendors or clients – with the wrong banking instructions that send any payments to his account, of course.
The scam operates without your knowledge because the hacker creates email rules that route all replies to a new, hidden email folder you don’t know about. The messages are actually coming from your email account, but they are invisible to you because he also deletes the sent messages immediately.
So, how can you know if a bad guy is doing this within your organization?
Forwarding Rule Creation Alerts
There are so many layers to proper cybersecurity it can often be difficult for businesses to keep up, but here’s some good news: your Microsoft 365 account comes equipped with several ways to help protect your organization from cyber-attacks.
Here’s the bad news: these features are not enabled by default – they must be set up properly by someone who knows how they work.
For new KaufmanIT clients, we carry out a 15-step process, which we refer to as a “365 Security Hardening,” that more deeply protects your entire Microsoft environment.
One step in the process is the creation of an alert that immediately notifies us anytime an email forwarding rule is created because this tactic is so often used by hackers.
Smaller businesses could try creating such alerts themselves. That said, keep in mind that false positives will occur because employees sometimes create forwarding rules to better manage their inboxes.
Thus, here are just a few things to keep in mind when creating filters and reviewing such alerts:
- Was the forwarding rule based on keywords such as “credentials,” “finance,” “payments” or similarly privileged-sounding terms?
- Does the new rule forward messages to an outside email address?
- Did the login that preceded the creation of the rule look normal or suspicious?
As you can see, the idea of creating alerts for email forwarding rules is simple, but the execution is tougher. It is best left to an experienced cyber expert to establish, then to an IT team with the time to monitor ongoing alerts and to sort out real threats from false positives.
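The three review questions above, plus the hide-the-replies behavior described earlier, can be applied as triage logic to rule-creation audit records. This is an added example, not KaufmanIT's or Microsoft's code: the records are constructed and simplified, the parameter names are those of the Exchange `New-InboxRule` cmdlet, and `ORG_DOMAINS` and `KNOWN_IPS` are assumptions standing in for your own domain list and sign-in history.

```python
# Added example: all records, addresses and IPs are constructed sample data.
ORG_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
KEYWORDS = ("credentials", "finance", "payments")  # terms named in the checklist
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}}  # assumption: usual sign-in IPs
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
WORD_PARAMS = ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords")

def triage(record):
    """Return the reasons a rule-creation audit record deserves a human look."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    # Question 1: is the rule keyed on privileged-sounding words?
    text = " ".join(params.get(k, "") for k in WORD_PARAMS).lower()
    hits = [w for w in KEYWORDS if w in text]
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    # Question 2: does it forward or redirect to an outside address?
    for key in FORWARD_PARAMS:
        for addr in filter(None, (a.strip() for a in params.get(key, "").split(";"))):
            if addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS:
                reasons.append(f"external {key}: {addr}")
    # Question 3: did the session come from somewhere this user normally works?
    user = record.get("UserId", "").lower()
    if record.get("ClientIP") not in KNOWN_IPS.get(user, set()):
        reasons.append(f"unfamiliar client IP: {record.get('ClientIP')}")
    # The hiding behavior: matching mail is deleted or filed away from the inbox.
    if params.get("DeleteMessage") == "True" or "MoveToFolder" in params:
        reasons.append("matching mail is deleted or moved out of the inbox")
    return reasons

SAMPLE_RECORDS = [  # constructed: one routine rule, one that matches the BEC pattern
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Copy to assistant"},
                    {"Name": "ForwardTo", "Value": "bob@example.com"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "payments;finance"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["UserId"], triage(rec) or "no flags")
```

A record with no reasons is the employee-managing-their-inbox case; the more reasons a record collects, the higher it belongs in the review queue.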
For those interested in more details, here is a help page from Microsoft with useful information.
Regardless, whether you employ an IT Manager, retain an MSP like KaufmanIT or work with a one-man, outside “IT guy,” you’re now armed with a simple question to gauge the security of your 365 environment:
“Have we set up alerts that let us know when email forwarding rules have been created?”
To be clear, this is just one useful question to ask; a thoughtful response does not necessarily mean your entire cybersecurity posture is secure.
Think of this question instead as one useful “tell”: if the answer is anything other than clear and concise, you should be worried – and not only because your company may be missing this particular security layer.
If this foundational setting hasn’t been properly established, it is a strong indicator you probably have security gaps in other layers of your 365 environment that are even more important.
For those who fall short, we’re happy to help.
Businesses and/or their IT leaders who want to learn about all fifteen elements of our 365 Security Hardening can contact us anytime for details.