ISC StormCast for Friday, August 21st 2020
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 21 August 2020
⏱️ 7 minutes
Transcript
| 0:00.0 | Hello, welcome to the Friday, August 21st, 2020 edition of the SANS Internet Storm Center's Stormcast. |
| 0:08.2 | My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida. |
| 0:14.3 | One of the issues that came up during the SANS data incident this month was Outlook 365 forwarding rules. And essentially what the attacker |
| 0:26.0 | did here was add forwarding rules in order to receive copies of certain emails. And this is a technique |
| 0:32.7 | that has been used quite regularly in particular in the realm of business email compromise attacks. |
| 0:40.3 | One reason SANS was able to detect this particular attack was auditing of those mail forwarding rules. |
| 0:49.3 | And today Rob has a PowerShell script for you to do so relatively easily. |
| 0:56.8 | And if you're saying that, hey, it's probably way too many of these rules to really figure out what's legit, what's not legit, you have to start somewhere. |
| 1:06.6 | And of course, what you will be looking for going forward is any changes to those rules. |
| 1:12.7 | And that may give you a hint as to where to look first. |
| 1:17.5 | And talking about email, one common problem, of course, with email is that it's difficult for the user to discern the actual source of an email. |
| 1:33.6 | Now, over the years, there have been some automated protocols to make it easier for mail servers to classify spoofed email, for example, SPF, and DMARC. |
| 1:40.3 | But apparently Google had an interesting bug that allowed you to bypass these policies for G Suite and Gmail users. |
| 1:50.0 | The problem here was twofold. |
| 1:51.9 | First of all, it is possible to forward an email to an arbitrary recipient. |
| 1:58.2 | Now, similar features often require that you first verify that you own the receiving |
| 2:04.2 | email address, but not so with Gmail. In addition, it was possible to specify an incoming |
| 2:12.6 | mail server which you trust, which of course, as Google described, is often used for initial filters |
| 2:20.2 | like spam filters and the like. So you can actually set up a certain mail server and then |
| 2:26.2 | this mail server will be trusted by Gmail. So any email will be accepted from this mail server. Of course, the downfall here is that then you can |
| 2:37.8 | forward this email using the feature I mentioned first, and the combination of these two features |
... |

