MAAD-AF Modify Inbox Rules

This module allows an attacker to set up email deletion rules that hide emails from a user’s mailbox based on attacker-defined parameters. Deleting emails can prevent the owner of a mailbox from receiving critical information, such as account security warnings, that might otherwise tip them off that their account may be compromised.

Module Overview - DRAFT

NOTE TO ENABLEMENT TEAM: We may need to find a more sustainable example to use for lab users and adjust the verbiage below accordingly.

  1. From the main Attack Arsenal menu, enter 6 for Configure Mailbox Rules to Hide Emails. Read through the MITRE information, and press <Enter> to continue.

  2. When prompted, enter a mailbox to target, or leave blank and hit <Enter> to initiate recon of available mailboxes.

    For the purposes of this lab, leave this field blank and hit <Enter>.

  3. After mailbox recon completes, when prompted again for the mailbox address to modify rules on, enter the address for the Stanley Hudson user.

  4. Next, enter a non-suspicious name for the email deletion policy. For the purposes of this lab, use the email deletion policy name assigned to you.

  5. Enter keywords for the policy rule. The rule will find incoming emails with matching keywords and delete them from the user’s Inbox.

    MAAD Inbox Rule Creation

  6. MAAD-AF will then ask whether to undo the changes just made. Select No for the purposes of this exercise.
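
On the detection side, a rule like the one created in the steps above leaves an audit trail. The following is an added example, not part of the original lab guide or of MAAD-AF: it scans audit records for inbox rules that delete keyword-matched mail. It assumes the rule is created through Exchange Online's New-InboxRule cmdlet and logged with the Name/Value parameter layout shown, with keywords joined by semicolons; the records, addresses and the `find_deletion_rules` helper are constructed for illustration.

```python
import json

# Constructed records (not real logs). The field layout is an assumption modeled
# on Exchange Online entries in the Microsoft 365 unified audit log.
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "admin@example.com",
                "Parameters": [
                    {"Name": "Mailbox", "Value": "target.user@example.com"},
                    {"Name": "Name", "Value": "Archive Cleanup"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "security;password reset"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "user2@example.com",
                "Parameters": [
                    {"Name": "Mailbox", "Value": "user2@example.com"},
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    "{truncated record",  # malformed line, skipped rather than crashing the scan
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
KEYWORD_CONDITIONS = ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords")

def find_deletion_rules(lines):
    """Return one finding per inbox-rule event whose action deletes matching mail."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        if str(params.get("DeleteMessage", "")).lower() != "true":
            continue
        keywords = [w.strip() for c in KEYWORD_CONDITIONS
                    for w in params.get(c, "").split(";") if w.strip()]
        actor, mailbox = record.get("UserId", ""), params.get("Mailbox", "")
        findings.append({
            "rule": params.get("Name"), "mailbox": mailbox, "actor": actor,
            "keywords": keywords,
            # A rule set on someone else's mailbox is a stronger signal.
            "cross_mailbox": bool(mailbox) and actor.lower() != mailbox.lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in find_deletion_rules(SAMPLE_LOG):
        print(finding)
```

Only the first constructed record is reported: it deletes mail matching security-related keywords and was created by an account other than the mailbox owner.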

Validation

Enter the full name of the email deletion policy which was created.