When Trusted Access Is Used for Malicious Activity
Cybersecurity Services by SpearTip | News | May 5, 2026
For years, monitoring the inbox rules created inside user mailboxes has been a valuable way to identify compromised accounts. Inbox rules are normally used for legitimate purposes, such as organizing messages, routing emails into folders, or helping users manage a busy inbox. However, when a mailbox is compromised, threat actors often use those same features for a very different reason. Instead of helping the user organize email, the rules are used to hide activity from the legitimate owner of the account.
In Business Email Compromise cases, this type of activity is common. A threat actor may create a rule that marks messages as read, moves emails into a folder the user rarely checks, stops additional rule processing, or deletes messages completely. Threat actors use these actions to reduce the chance that the legitimate user sees password reset notifications, security alerts, financial conversations, replies from victims, or messages related to fraudulent activity. The longer the attacker can remain unnoticed inside the mailbox, the more opportunity they have to use that access for financial gain.
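The hiding behaviours listed above (mark as read, move to a rarely checked folder, stop further rule processing, delete) are what a detection should score, independently of where the rule was created from. The following is an added example, not SpearTip's detection logic or any product's code: it triages constructed audit records shaped like mailbox audit entries for the New-InboxRule and Set-InboxRule operations. The parameter names used (MarkAsRead, MoveToFolder, DeleteMessage, StopProcessingRules, SubjectContainsWords, BodyContainsWords, SubjectOrBodyContainsWords, From) are the Exchange inbox-rule cmdlet parameters; the record layout, the folder list, the keyword list and the scoring weights are assumptions chosen for illustration.

```python
"""Score inbox-rule audit events for mailbox-hiding behaviour.

Added example. Sample records are constructed to resemble (not copied from)
mailbox audit entries; weights and word lists are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# Rule actions that take a message out of the owner's sight.
HIDING_ACTIONS = {"MarkAsRead", "MoveToFolder", "DeleteMessage", "StopProcessingRules"}
# Folders a user rarely opens (assumed list; tune to the tenant).
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                 "archive", "junk email", "deleted items"}
# Words that suggest the rule targets security or financial traffic (assumed list).
SENSITIVE_TERMS = {"password", "reset", "security", "alert", "invoice",
                   "payment", "wire", "bank", "hacked", "phish"}
# Condition parameters whose values carry the matched words or senders.
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "From"}


@dataclass
class RuleVerdict:
    user: str
    rule_name: str
    score: int
    reasons: list


def _parameters(record):
    # Flatten the audit record's Name/Value parameter list into a dict.
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _enabled(value):
    # A parameter counts as set unless it is empty or an explicit false.
    return value.strip().lower() not in ("", "false", "0")


def score_rule_event(record):
    params = _parameters(record)
    score, reasons = 0, []
    for action in sorted(HIDING_ACTIONS):
        if action in params and _enabled(params[action]):
            score += 1
            reasons.append(f"action {action}")
    folder = params.get("MoveToFolder", "").strip("\\/").lower()
    if folder and folder.split("\\")[-1] in QUIET_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely viewed folder '{params['MoveToFolder']}'")
    if _enabled(params.get("DeleteMessage", "")):
        score += 2
        reasons.append("deletes matching messages")
    terms = set()
    for cond in CONDITION_PARAMS:
        if cond in params:
            terms |= SENSITIVE_TERMS & set(re.findall(r"[a-z]+", params[cond].lower()))
    if terms:
        score += 2
        reasons.append("matches security/financial keywords: " + ", ".join(sorted(terms)))
    name = params.get("Name", "")
    if len(name.strip()) <= 2:          # heuristic: throwaway names such as "." (assumption)
        score += 1
        reasons.append(f"near-empty rule name {name!r}")
    return RuleVerdict(record["UserId"], name, score, reasons)


def triage(records, threshold=4):
    """Return verdicts for rule-creation/modification events at or above threshold."""
    out = []
    for rec in records:
        if rec.get("Operation") in ("New-InboxRule", "Set-InboxRule"):
            verdict = score_rule_event(rec)
            if verdict.score >= threshold:
                out.append(verdict)
    return out


# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT = [
    {"UserId": "user@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "password;reset;invoice"},
        {"Name": "MarkAsRead", "Value": "True"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "StopProcessingRules", "Value": "True"}]},
    {"UserId": "user@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "From", "Value": "news@vendor.example"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "second.user@example.com", "Operation": "Set-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Finance"},
        {"Name": "SubjectContainsWords", "Value": "wire transfer;payment"},
        {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "StopProcessingRules", "Value": "True"}]},
    {"UserId": "user@example.com", "Operation": "MailItemsAccessed", "Parameters": []},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_AUDIT):
        print(f"{v.user} rule={v.rule_name!r} score={v.score}: {'; '.join(v.reasons)}")
```

The scorer deliberately ignores the client IP and device: as the case below shows, a rule that hides password resets and finance mail is just as suspicious when it is created from a known device. A Set-InboxRule event that later removes the rule still leaves this record behind, which is why the audit trail rather than the live mailbox is the input.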
What happened?
Earlier this month, SpearTip’s Identity Threat Detection and Response service detected the creation of a suspected malicious inbox rule for a user in a client environment. The detection triggered an automated response workflow that revoked active sessions and disabled the user account. At the same time, an event was generated for the SpearTip Security Operations Center to investigate.
As the analyst reviewed the alert, something immediately stood out. The rule itself appeared malicious based on its name and the actions it was configured to perform, but the activity did not come from an unfamiliar location, an unknown device, or an obviously suspicious IP address. It came from a device and IP address already known to the organization and associated with the user.
That detail changed the direction of the investigation. In many compromised account cases, suspicious activity is easier to identify because it comes from an unexpected source. A login from a new country, an unusual device, or an anonymous network can quickly raise concern. In this case, the source looked familiar. That made the behavior more important, not less.
If a threat actor can access a user’s trusted device, they can operate from inside the user’s normal environment. To many systems, the activity may appear to come from the right user, on the right device, and from the right location. The warning sign is no longer where the activity came from. The warning sign becomes what the activity is doing.
How We Responded
Based on the analyst’s findings, SpearTip expanded the investigation beyond the mailbox. Using SpearTip-deployed endpoint detection and response (EDR) technology, the endpoint associated with the activity was isolated and reviewed. During that review, the analyst quickly identified remote access software on the device with an active session. That finding helped explain why the malicious mailbox activity appeared to come from a trusted source.
At that point, the investigation was no longer limited to a suspicious inbox rule or a potentially stolen password. The activity now pointed to the possibility that the attacker was using the user’s own device to perform actions inside the environment. This was an important distinction, because activity from a trusted device can blend into normal user behavior unless the actions themselves are reviewed in context.
SpearTip continued to validate the scope of the activity and identified similar inbox rule behavior involving another user. While the details were not identical, the purpose appeared consistent. Mailbox rules were being used to hide activity from the legitimate user and reduce the chance that the compromise would be noticed. In some cases, the rules were no longer visible in the mailbox by the time analysts reviewed them, but audit logs confirmed the activity had occurred.
SpearTip took immediate containment actions across the impacted users and systems. Affected accounts were disabled, active sessions were revoked, credentials were reset, the impacted endpoint was isolated, the active remote access session was terminated, and suspicious files were removed. These actions helped limit the attacker’s ability to continue operating through the compromised account or trusted device.
While this method is still less common than traditional Business Email Compromise activity that begins with stolen credentials or suspicious cloud logins, SpearTip has seen a gradual rise in cases where threat actors use remote access to a legitimate user device to perform mailbox activity. This creates a more difficult challenge for defenders. If the attacker is operating from the user’s own system, the activity may not look like a typical compromise. The location may be familiar, the device may be known, and the session may appear to come from a trusted source.
The Outcome
That is why correlation between identity activity and endpoint activity is becoming increasingly important. Identity monitoring can detect suspicious actions inside the account, but when those actions originate from a legitimate device, defenders also need endpoint visibility to understand whether the device itself is being controlled or misused. In this case, the inbox rule was the signal that something was wrong, but the endpoint activity helped explain how that activity was happening from a trusted source.
Without the EDR deployment and the ability to correlate data between identities and endpoints, this activity would have been much harder to detect and validate. The investigation could have remained focused only on the mailbox. The account may have been reset, the rule may have been reviewed, and the deeper issue, remote access to the user’s device, may have gone undetected.
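The correlation described above can be expressed as a small triage step: when a mailbox alert comes from a device and IP the organization already associates with the user, the question shifts to what that endpoint was doing at the time. The following is an added example, not SpearTip's workflow or any EDR product's code. It assumes a constructed inventory of known user devices, a constructed stream of endpoint process and network events, and a placeholder watch list of remote access tool process names (the tool names are invented; a real deployment would use its own policy list), and it looks for remote access activity on the alerting device in a window around the identity alert.

```python
"""Correlate an identity alert with endpoint telemetry for the same device.

Added example. The device inventory, endpoint events and remote-access
process names are constructed placeholders, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder watch list of remote access tool binaries the organization does
# not sanction (constructed names; populate from your own policy).
REMOTE_ACCESS_PROCESSES = {"remoteaccess-agent.exe", "screenshare-host.exe"}


def _ts(s):
    # Parse an ISO-8601 UTC timestamp such as "2026-05-04T14:02:10Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass
class Verdict:
    user: str
    device_id: str
    trusted_source: bool
    remote_access_hits: list
    recommendation: str


def is_trusted_source(alert, known_devices):
    """True when the alert's device/IP pair is already associated with the user."""
    ips = known_devices.get(alert["user"], {}).get(alert["device_id"], set())
    return alert["client_ip"] in ips


def remote_access_activity(alert, endpoint_events,
                           before=timedelta(minutes=30), after=timedelta(minutes=5)):
    """Endpoint events on the alerting device showing a remote access tool
    starting or talking to the network shortly before or after the alert."""
    t = _ts(alert["timestamp"])
    hits = []
    for ev in endpoint_events:
        if ev["device_id"] != alert["device_id"]:
            continue
        if not (t - before <= _ts(ev["timestamp"]) <= t + after):
            continue
        if (ev["process"].lower() in REMOTE_ACCESS_PROCESSES
                and ev["event"] in ("process_start", "network_connection")):
            hits.append(ev)
    return hits


def correlate(alert, known_devices, endpoint_events):
    trusted = is_trusted_source(alert, known_devices)
    hits = remote_access_activity(alert, endpoint_events) if trusted else []
    if not trusted:
        rec = ("Unfamiliar source: treat as credential or token compromise; "
               "revoke sessions and reset credentials.")
    elif hits:
        rec = ("Trusted device shows remote-access activity around the alert: "
               "isolate the endpoint and terminate the remote session, then "
               "revoke sessions and reset credentials.")
    else:
        rec = ("Trusted device without remote-access indicators: revoke sessions "
               "and review the endpoint before clearing the alert.")
    return Verdict(alert["user"], alert["device_id"], trusted, hits, rec)


# Constructed inventory: user -> device -> IPs the device normally uses.
KNOWN_DEVICES = {"user@example.com": {"LAPTOP-01": {"198.51.100.7"}}}

# Constructed identity alert raised by the inbox-rule detection.
SAMPLE_ALERT = {"user": "user@example.com", "device_id": "LAPTOP-01",
                "client_ip": "198.51.100.7", "timestamp": "2026-05-04T14:02:10Z",
                "signal": "suspicious inbox rule created"}
UNKNOWN_SOURCE_ALERT = {"user": "user@example.com", "device_id": "UNKNOWN",
                        "client_ip": "203.0.113.99", "timestamp": "2026-05-04T14:02:10Z",
                        "signal": "suspicious inbox rule created"}

# Constructed endpoint telemetry (process and network events).
ENDPOINT_EVENTS = [
    {"device_id": "LAPTOP-01", "timestamp": "2026-05-04T10:00:00Z",
     "event": "process_start", "process": "remoteaccess-agent.exe"},       # outside window
    {"device_id": "LAPTOP-01", "timestamp": "2026-05-04T13:40:00Z",
     "event": "process_start", "process": "remoteaccess-agent.exe"},
    {"device_id": "LAPTOP-01", "timestamp": "2026-05-04T13:41:05Z",
     "event": "network_connection", "process": "remoteaccess-agent.exe",
     "remote": "203.0.113.45:443"},
    {"device_id": "LAPTOP-01", "timestamp": "2026-05-04T13:55:00Z",
     "event": "process_start", "process": "outlook.exe"},
    {"device_id": "LAPTOP-02", "timestamp": "2026-05-04T13:50:00Z",
     "event": "network_connection", "process": "remoteaccess-agent.exe"},   # other device
]

if __name__ == "__main__":
    for a in (SAMPLE_ALERT, UNKNOWN_SOURCE_ALERT):
        v = correlate(a, KNOWN_DEVICES, ENDPOINT_EVENTS)
        print(f"{v.device_id}: trusted={v.trusted_source} hits={len(v.remote_access_hits)} -> {v.recommendation}")
```

The point of the branch structure is that a trusted source does not lower the severity; it changes which dataset answers the next question. The window is asymmetric on purpose: the remote session is expected to start before the mailbox change, so most of the lookback is before the alert.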
For organizations, this represents an important shift in Business Email Compromise activity. Attackers are not only stealing passwords or tokens and logging in from unusual locations. In some cases, they are using remote access to operate through the user’s own device, making malicious activity harder to distinguish from legitimate behavior.
SpearTip’s Managed Security Operations Center was able to detect the malicious mailbox behavior, isolate the trusted device involved, identify the active remote access session, and take containment actions across the impacted account and endpoint. What first appeared to be a suspicious inbox rule became evidence of a broader tactic: using trusted access to make malicious activity look normal.
