Most Microsoft 365 users aren’t aware of this recently growing serious email threat vector.
I have been teaching about the risks of Microsoft email rules, forms and connectors on email clients and servers for decades. All three can be created by an attacker who learns your email address and logon credentials (e.g., password or MFA codes).
They are particularly dangerous because they are easy for an attacker to remotely set up, hard for the user or admin to proactively detect (usually there are no outward visible signs and no events in the event logs), and remain in place even if you change your logon credentials and use a brand new computer and client install. I have seen victims remain victims well past when they thought they had eradicated the threat. If you don’t know what is going on, it seems the attacker has some magical ability to regain access at will, but it’s really just a rogue rule, form or connector.
With Microsoft Outlook rules and forms, an attacker can modify your email client settings to run any malicious actions that can be accomplished using software instructions. It’s very common for an email social engineering attacker to take over a victim’s email account and use it to send valid-looking emails to the original victim’s contacts to spread some other scam to more victims. Because the emails are coming from the original victim’s real email account, the recipients are more likely to trust them.
A common real-world example is that of an attacker sending a change in payment instructions to additional victims who owe and then pay invoices to a new, malicious bank account instead of the old, valid, established bank account of the original victim. The attacker will often use rules, forms or connectors to delete the sent emails from the original victim’s Sent Items mailbox (to destroy the evidence) and to reroute any incoming email from the new victims away from the originally compromised victim so they don’t know what is going on.
But a lot more can be done using malicious rules, forms and connectors. I have seen attackers use malicious rules and forms to enable on-the-fly remote access backdoors and to remotely install hacker tools. It’s no exaggeration that an attacker can use your compromised email credentials to take over your computer and your entire organization.
Here’s an example of the latter: Malicious Outlook Rules. Here’s a demo example of using a rogue form to gain remote access: https://www.youtube.com/watch?v=XfMpJTnmoTk.
Rogue Outlook rules and forms have been written about for two decades.
I wrote about malicious Microsoft Outlook rules in 2020 here: Check Your Email Rules for Maliciousness.
Connectors
A little less known are Microsoft Exchange Connectors, and they can be abused in similar ways. I bet hundreds of thousands of Microsoft 365 admins have never heard of them. That’s unfortunate, because they are increasingly, and especially lately, being used to compromise email accounts.
Connectors are a lot like client rules but done at the Microsoft Exchange server level. Officially, Microsoft describes them as ways to control ‘mail flow’. Here are some of Microsoft’s official descriptions and documentation of Exchange Connectors.
I have known about the abuse of Exchange connectors for nearly as long as I have known about abused Outlook rules and forms. But until recently, I thought connectors were only a problem to really worry about if you had on-premises Microsoft Exchange servers. It turns out that it applies to every Microsoft 365 account as well.
A lot of companies and people have their personal email accounts set up through Microsoft 365. They send and receive email appearing as if it came from their own private email server and domain, but really it’s just being serviced by Microsoft’s cloud Exchange services as part of their Microsoft 365 subscription. And Microsoft 365 Exchange services (and Microsoft Online Protection) also have connectors.
If you service your email through Microsoft 365, you (and an attacker) have the ability to set up (malicious) connectors.
This surprised me, because I’ve been using a very small instance of Microsoft 365 (just two people, me and my wife) for a long time myself and never realized I had to worry about malicious connectors.
Malicious Connectors on the Rise
If you’ve got Microsoft 365, whether a user or an admin, you have to worry about it. There appears to be an increasing focus by online criminals to setup malicious connectors as part of their dirty work. Microsoft has started addressing this increase in malicious connectors in several related articles, including: Alert classification for malicious Exchange connectors and Respond to a compromised connector.
Connector Attack Example
Let me give you an example of a recent related attack that happened to a friend. Mind you, I consider this friend among the most savvy and scam-aware friends I have. He runs a small, profitable business. His Microsoft 365 email account was likely compromised the way most accounts are compromised: through social engineering.
He uses multifactor authentication (MFA) to protect that account, but it’s the normal, somewhat phishable type that sends a 6-digit “one-time password” (OTP) code. Likely, he mistakenly responded to a phishing email that appeared to be related to Microsoft 365 and entered his logon name, password, and OTP code.
The attacker, conducting what Microsoft calls an adversary-in-the-middle attack, usually steals the user’s logon session cookie, which lets the attacker operate in the security context of the user. This means they can set up rogue rules and forms, and if the compromised user also happens to be the Microsoft 365 admin, which is fairly common in smaller businesses, the attacker can also set up Exchange connectors.
The attacker sifted through my friend’s emails and found out that he had a lot of outstanding client invoices about to come in. They then emailed those clients (and hundreds of other people with other sorts of scams) and told the payers to send future invoice payments to a new bank account.
Now, anytime you get a request like this, you should pick up the phone and call the business you owe the money to, to ensure it really is them requesting that you update payment details. But none of his clients did. Instead, they did what they were told (it all looked very valid, appearing to come from him) and sent the owed money to the attacker’s bank.
The attacker used a rogue Exchange connector to help hide the emails and scam plot. It worked. My friend didn’t notice that his clients were paying someone else until at least 7 days later. He lost a substantial amount of money.
Once he realized what was going on, he called a forensics expert and got Microsoft tech support on the line. No sooner did he describe the problem than the Microsoft tech support expert immediately told him to go check his Exchange connectors (which my friend did not even know existed). My friend found a rogue connector simply labeled ‘games’.
The fact that Microsoft tech support immediately took him to the connectors tells you something about how popular the attack method is. I found several Microsoft documents referring to rogue connectors, and most of the documents were not more than a few months old.
He deleted the rogue connector, updated his email logon credentials, and is recovering as best he can from the damage. It’s not a good situation for anyone involved.
Again, to a long-time cybersecurity “expert”, the use of rogue rules, forms, and connectors is nothing new. But I was surprised that my friend’s small business, using a few Microsoft 365 accounts, had connectors. I went in and checked my own Microsoft 365 account (I have just two accounts, my wife’s and mine), and sure enough I had a connectors section too (but no rogue connectors).
And then it hit me: every Microsoft 365 user/admin has a connectors section. This isn’t a problem limited to a few people or just companies; it impacts hundreds of millions of users. Microsoft 365 is used by over 300 million users.
If you’ve got a Microsoft 365 account, then you are susceptible to this attack.
How Do You Find Out If You Have Connectors
If you are a Microsoft 365 admin, using the admin center console:
- Go to your Microsoft 365 admin center console
- Go to the Exchange admin center (admin.exchange.microsoft.com)
- Click on Mail Flow
- Click on Connectors
There are no default connectors and most instances should not have any unless you intentionally set them up. If you find one or more connectors, review them to see if they are legitimate. Microsoft warns that attackers may modify existing legitimate connectors, so make sure to examine any existing connectors for signs of malicious modification.
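The same inventory, done from Exchange Online PowerShell rather than the admin center, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account has Exchange administrator rights. The cmdlets (Connect-ExchangeOnline, Get-InboundConnector, Get-OutboundConnector, Search-UnifiedAuditLog) are the real Exchange Online cmdlets; the review flags and the 30-day lookback are this example's own choices, not Microsoft guidance.

```powershell
# Added example (not from the original article): inventory Exchange Online connectors,
# flag the ones worth a manual review, and pull the audit records showing who created
# or changed them. Assumes the ExchangeOnlineManagement module and Exchange admin rights.
# The flag criteria and the lookback window are this example's own choices.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$lookbackDays = 30
$since = (Get-Date).AddDays(-$lookbackDays)

# 1. Enumerate every connector. A tenant that never set one up should return nothing.
$inbound  = @(Get-InboundConnector)
$outbound = @(Get-OutboundConnector)
Write-Host "Inbound connectors:  $($inbound.Count)"
Write-Host "Outbound connectors: $($outbound.Count)"

# 2. Emit one review row per connector with the reasons a defender would look at it by hand.
foreach ($c in $inbound) {
    $reasons = @()
    if ($c.WhenChanged -gt $since) { $reasons += "modified in the last $lookbackDays days" }
    # OnPremises-type connectors mark relayed mail as internal, which bypasses some filtering.
    if ($c.ConnectorType -eq 'OnPremises') { $reasons += 'OnPremises type: relayed mail treated as internal' }
    if (($c.SenderDomains | ForEach-Object { "$_" }) -contains '*') { $reasons += 'accepts mail for any sender domain' }
    if (-not $c.RequireTls) { $reasons += 'TLS not required' }
    [pscustomobject]@{
        Direction   = 'Inbound'
        Name        = $c.Name
        Enabled     = $c.Enabled
        WhenChanged = $c.WhenChanged
        Flags       = ($reasons -join '; ')
    }
}
foreach ($c in $outbound) {
    $reasons = @()
    if ($c.WhenChanged -gt $since) { $reasons += "modified in the last $lookbackDays days" }
    if (($c.RecipientDomains | ForEach-Object { "$_" }) -contains '*') { $reasons += 'routes mail for all recipient domains' }
    # A smart host is where outbound mail is handed off; an unfamiliar one deserves a look.
    if ($c.SmartHosts) { $reasons += "smart host(s): $($c.SmartHosts -join ', ')" }
    [pscustomobject]@{
        Direction   = 'Outbound'
        Name        = $c.Name
        Enabled     = $c.Enabled
        WhenChanged = $c.WhenChanged
        Flags       = ($reasons -join '; ')
    }
}

# 3. Who created or changed connectors recently? Admin cmdlets are recorded in the unified
#    audit log (when auditing is on), so a connector nobody remembers creating is attributable.
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations 'New-InboundConnector','Set-InboundConnector','New-OutboundConnector','Set-OutboundConnector' |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Actor     = $_.UserIds
            Operation = $_.Operations
            Target    = $d.ObjectId
            ClientIP  = $d.ClientIP
        }
    } | Format-Table -AutoSize
```

An empty connector list is the expected result for most small tenants. If rows do come back, the audit records in step 3 are what tell you whether the admin who appears to have created a connector actually did so, or whether the change came from a session the account owner does not recognize; a connector created minutes after an unfamiliar sign-in is the pattern the Microsoft response guidance linked later in this article is written around.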
Defenses
Step one is always to just be aware of rogue rules, forms, and connectors, especially if you are a Microsoft Outlook or Exchange user. Gmail has something similar to rules called filters, but they aren’t nearly as powerful and don’t seem to be nearly as abused by attackers. I’m not aware whether Gmail has a server-side component similar to connectors. However, other email clients offer similar mail handling features, comparable to rules, so consider checking your email client even if it isn’t Microsoft or Gmail.
Microsoft’s recommendations for finding and deleting malicious connectors: Respond to a compromised connector.
Microsoft’s recommendations for finding and deleting malicious rules: Alert classification for malicious Exchange connectors.
If you have a security monitoring product that can alert you to the presence of new rules, forms, or connectors, or modification of existing ones, definitely enable that. Most users don’t create any of them, so the new presence of one will often be an early indicator of compromise.
If possible, enable phishing-resistant MFA on all your email accounts, but especially your email admin accounts. Microsoft recommends FIDO-enabled MFA, like FIDO passkeys. Here are my thoughts on the topic:
Don’t Use Easily Phishable MFA and That’s Most MFA!
www.linkedin.com/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes
My List of Good, Strong MFA
www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes
If you notice a sudden, unexplained increase in outbound email, change your email logon credentials and check for the presence of rogue rules, forms, and connectors.
For rogue connectors, if you are comfortable reading email headers, you may see an unexplained difference between the 5321.MailFrom address (also known as the MAIL FROM/RCPT TO address) and the 5322.From address (also known as the DISPLAY FROM address) in outbound email. For most people, these two addresses are the same. Rogue connectors may change this when the attacker wants victims to respond to a different domain than the one the mail is sent from, which is very common in real-world attacks.
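An added example (not from the original article) of the header comparison described above, written in PowerShell: it takes the envelope sender domain from the Return-Path header, which is how the 5321.MailFrom surfaces in a received message, and the domain from the From header (5322.From), and reports whether the two align. The header text is constructed for the example and every domain in it is a placeholder.

```powershell
# Added example (not from the original article): compare the envelope sender
# (5321.MailFrom, visible as Return-Path in a received message) with the header From
# (5322.From) and report whether their domains match. Sample headers are constructed.

function Get-HeaderValue {
    param([string]$Headers, [string]$Name)
    # Header values may be folded onto continuation lines (leading whitespace); unfold first.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match "^$([regex]::Escape($Name)):\s*(.+)$") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-AddressDomain {
    param([string]$Value)
    # Accepts "Display Name <user@domain>" or a bare user@domain; returns the lower-cased domain.
    if (-not $Value) { return $null }
    if ($Value -match '<([^>]+)>') { $Value = $Matches[1] }
    if ($Value -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-SenderAlignment {
    param([string]$Headers)
    $mailFromDomain = Get-AddressDomain (Get-HeaderValue -Headers $Headers -Name 'Return-Path')
    $fromDomain     = Get-AddressDomain (Get-HeaderValue -Headers $Headers -Name 'From')
    [pscustomobject]@{
        MailFrom5321 = $mailFromDomain
        From5322     = $fromDomain
        Aligned      = [bool]($mailFromDomain -and $fromDomain -and ($mailFromDomain -eq $fromDomain))
    }
}

# Constructed sample: the envelope sender domain differs from the displayed From domain,
# the pattern the article describes. Domains are placeholders, not real senders.
$sampleHeaders = @"
Return-Path: <billing@example-partner.net>
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=example-partner.net; dkim=none
From: "Accounts Payable" <ap@example.com>
To: client@example.org
Subject: Updated payment instructions
"@

Test-SenderAlignment -Headers $sampleHeaders | Format-List
```

Run it against the full headers of a message as received (or as shown by a message trace), not against the copy in Sent Items, which carries no Return-Path. Treat a mismatch as a reason to look further rather than as proof: mailing lists and bulk-mail providers legitimately send with a Return-Path domain that differs from the From domain, so the useful signal is a mismatch on mail that the sending business itself has no reason to produce.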
The best thing you can do is educate yourself, IT, and management that a simple email account compromise can lead to a damaging compromise. And if you think your email is compromised or being used in an attack and you use Outlook and Exchange (even Microsoft 365), check your email rules, forms, and Exchange connectors.