Edition e1.0.0, updated October 9, 2023

While you are deep in the administrative settings of your mailboxes, there is a setting you need to turn off. Automatic forwarding allows any user to set up a rule that forwards all of their mail on to someone else. It probably seems harmless, such as automatically forwarding an ex-employee’s email to a current employee’s inbox. However, let me reframe how this setting is misused.
When an attacker successfully gets their hands on a pair of valid login credentials for an email account, often the first thing they will do is try to “maintain access.” They want you to continue to use the inbox, not suspecting anything, while they wait for the best moment to strike. A common setup for maintaining access looks like this:

1. Set up automatic forwarding to a different inbox, usually a throw-away one where they can read copies of the forwarded emails. A copy of every incoming and outgoing message is sent to this mailbox.
2. Once they see a message come in (such as one asking for bank account or PayPal details) or a message go out (such as an invoice with payment details), the attacker logs back into the stolen account.
3. They reply to or follow up on the email with “new payment details,” saying they forgot they had changed banks or accounts.
4. They then set up rules so that all replies on that email thread are deleted after they are forwarded. That way the poor mailbox owner is none the wiser that they are not going to get the money they expect.
These attacks happen very often and can be particularly damaging to small businesses, because one or two big payments sent to the wrong person can put you out of business. In most cases the money can’t be recovered, and you get stuck in a legal battle.
Automatic email forwarding is a setting that you, as a small business, will rarely have to use.
danger We recommend you search through the administrative settings for “automatic forwarding” and disable it for everyone. This setting is misused so often that large providers make it easy for you as an administrator to turn it off for everyone. It will serve you better to turn this off entirely, and find alternative ways for those one or two use cases where you need to forward emails on.
The last setting to turn on in the administrative settings is alerting. This is the one setting you shouldn’t overdo. It can be easy to turn on “all alerting,” then later hit a point called “alert fatigue.” This is similar to the little kid who cried wolf one too many times, so when there was a real problem no one reacted.
The best way to not overdo alerting is to turn it on only for events that you need to respond to (higher-risk events). If your business grows, you might have people who are responsible for reading through alerts that just need to be “watched closely” (lower-risk events), but for now we need to make the best of the resources we have. These high-risk events won’t happen often, so when you do get a notification, you know you need to act now.
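As an added example (not part of this book), here is a small script that reviews exported mailbox rules for the two patterns described above, external forwarding and delete-after-forward, and turns only those into high-risk alerts while leaving benign rules quiet. The rule fields, the organisation domain and the sample rules are all constructed assumptions, not any mail provider’s real export format.

```python
"""Flag mailbox rules that match the forward-and-delete pattern.

Constructed example: the InboxRule shape is an assumption, not a provider API.
"""
from dataclasses import dataclass, field

ORG_DOMAIN = "example-smallbiz.com"  # assumed: the business's own mail domain


@dataclass
class InboxRule:
    owner: str                                      # mailbox the rule lives in
    name: str
    forward_to: list = field(default_factory=list)  # addresses mail is forwarded to
    delete_message: bool = False                    # rule deletes the message after acting
    conditions: dict = field(default_factory=dict)  # e.g. {"subject_contains": "Invoice"}


def is_external(address: str) -> bool:
    """True when the address is outside the business's own domain."""
    return address.split("@")[-1].lower() != ORG_DOMAIN


def assess_rule(rule: InboxRule) -> list:
    """Return the reasons a rule is high-risk; an empty list means nothing to act on."""
    reasons = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if rule.forward_to and rule.delete_message:
        reasons.append("deletes messages after forwarding them (hides replies from the owner)")
    return reasons


def high_risk_alerts(rules) -> list:
    """One alert line per high-risk rule: the kind of event worth a notification."""
    alerts = []
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            alerts.append(f"HIGH: {rule.owner} rule '{rule.name}': " + "; ".join(reasons))
    return alerts


# Constructed sample export: two malicious rules, two benign ones.
SAMPLE_RULES = [
    InboxRule("owner@example-smallbiz.com", "Forward all", ["copy@throwaway-mail.example"]),
    InboxRule("owner@example-smallbiz.com", "Invoice thread", ["copy@throwaway-mail.example"],
              delete_message=True, conditions={"subject_contains": "Invoice"}),
    InboxRule("ex-employee@example-smallbiz.com", "Handover", ["manager@example-smallbiz.com"]),
    InboxRule("owner@example-smallbiz.com", "Newsletter cleanup", delete_message=True,
              conditions={"subject_contains": "Newsletter"}),
]

if __name__ == "__main__":
    for line in high_risk_alerts(SAMPLE_RULES):
        print(line)
```

Only the two rules that forward outside the business are reported; the internal handover rule and the newsletter cleanup rule produce no alert, which is what keeps the notifications rare enough to act on.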
important Here are a few high-risk security alerts that would cause you to sit up and take action, and what you can do when they happen: