
Orange County Intelligence Assessment Center, "Criminal Use of E-mail Filters to Monitor and Divert Communications." February 22, 2017. Unclassified.


National Security Archive

May 23, 2026

When criminals turned everyday email filters into covert surveillance tools, a regional intelligence hub warned that the ordinary could become the most dangerous backdoor.

Source: Orange County Intelligence Assessment Center, "Criminal Use of E-mail Filters to Monitor and Divert Communications." February 22, 2017. Unclassified. Date: Feb 22, 2017 Archive: Public Intelligence


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

A New Vector in the Crime‑Tech Playbook

The February 22, 2017 bulletin from the Orange County Intelligence Assessment Center (OCIAC) is not a routine threat advisory—it is a snapshot of a moment when low‑level cyber‑crime tactics intersected with the sophisticated playbook of nation‑state actors. The document emerged from a surge of Business Email Compromise (BEC) losses that, by late 2016, had begun to eclipse traditional ransomware in the U.S. financial crime landscape. OCIAC, a regional hub of the Department of Homeland Security’s fusion‑center network, compiled the bulletin after local law‑enforcement partners reported two seemingly unrelated scams: a CFO’s mailbox hijacked to forward messages to an RSS feed, and a medical practice’s accountant account weaponized to hide wire‑transfer requests in a trash folder. Both incidents leveraged a feature most users consider harmless—email filters or rules.

From Spam Filters to Spy Tools

The bulletin’s core revelation is that once a criminal gains credential access—through password‑guessing, phishing, or even physical notes—they can re‑program the victim’s own email client to do their bidding. Rather than maintaining a persistent back‑door, the attacker embeds a rule that silently copies, redirects, or discards messages. This accomplishes two goals: continuous surveillance without logging in, and the ability to suppress any warning signs that might tip off the victim. The language of the report—“monitor victims’ e‑mail after malware removal and password changes” and “divert e‑mails that might alert the victim of a system compromise”—betrays an awareness that attackers are now treating email filters as covert exfiltration channels, not just nuisance tools.

The bulletin also cites the FIN4 group, a financially motivated threat actor linked to insider‑trading schemes. By citing a 2014 FireEye analysis, OCIAC underscores that the technique is not novel to Orange County criminals; it is part of a broader evolution in which threat actors co‑opt everyday productivity features for espionage. The inclusion of FIN4 serves a dual purpose: it validates the seriousness of the threat to local stakeholders and signals to private‑sector partners that the same tactics can appear in both small‑business scams and high‑stakes market‑manipulation operations.

Who’s Speaking, and What It Means

OCIAC’s voice is deliberately bureaucratic—marked by the “U//FOUO” classification tags and repeated cautions about handling the information. Yet the bulletin’s content is unvarnished: it lists concrete methods (password cracking, fake forms, credential‑stealing malware) and concrete crimes (stalking, corporate espionage, tax fraud). The specificity of the examples—an RSS feed, a trash‑folder rule—reveals that OCIAC analysts had direct access to incident reports, likely supplied by the FBI’s Internet Crime Complaint Center (IC3) and local police cyber units. Their recommendation to “audit e‑mail filters as part of the cyber incident response process” is a practical, low‑cost mitigation step, reflecting the agency’s focus on actionable guidance rather than abstract policy.

Why This Bulletin Still Resonates

Two trends that exploded after 2017 make the OCIAC bulletin prescient. First, the commoditization of “filter‑hijacking” kits on underground markets turned a niche technique into a plug‑and‑play module for BEC actors. Second, the rise of zero‑trust architectures has forced enterprises to scrutinize every implicit trust relationship—email rules being a prime example. Modern security platforms now flag newly created forwarding rules as suspicious, a direct response to the threat outlined in this 2017 document.

Moreover, the bulletin illustrates a shift in the attacker‑defender dynamic: criminals no longer need to install persistent malware; they can hide in plain sight by exploiting the victim’s own automation. This subtlety complicates detection, because traditional endpoint alerts may miss a rule that simply reroutes a copy of an inbox to an external address. The OCIAC’s early warning thus helped seed the now‑standard practice of “rule‑audit” in incident‑response playbooks.

In short, the Orange County Intelligence Assessment Center’s 2017 bulletin captures a pivotal moment when everyday email functionality became weaponized. It bridges local crime reports with the tactics of sophisticated threat groups, and its mitigation advice foreshadowed industry‑wide hardening measures that are still being refined today.


Page 1

UNCLASSIFIED // FOR OFFICIAL USE ONLY
INFORMATION BULLETIN
Orange County Intelligence Assessment Center

(U//FOUO) Criminal Use of E-mail Filters to Monitor and Divert Communications
22 February 2017

(U) Overview

(U//FOUO) The Orange County Intelligence Assessment Center (OCIAC) has received reporting indicating cybercriminals are manipulating e-mail filters as a means to monitor and divert e-mail communications. Cybercriminals may use malicious e-mail filters to:

  • (U//FOUO) Monitor victims' e-mail after malware removal and password changes
  • (U//FOUO) Monitor victims' e-mail without continuously logging in to victim accounts
  • (U) Divert e-mails that might alert the victim of a system compromise

(U) Application of E-mail Filters

(U//FOUO) Cybercriminals must first gain access to victim's e-mail accounts in order to implement malicious e-mail filtering. Access might be gained by:

  • (U) Password guessing
  • (U) Password cracking/brute force attacks
  • (U) Eliciting credentials through the use of fake websites and forms
  • (U) Eliciting credentials via phone calls
  • (U) Sending the victim credential-stealing malware
  • (U) Exploiting documents where passwords are written down

(U//FOUO) Cybercriminals might employ this tactic in a variety of crimes and surveillance efforts, which might include:

  • (U//FOUO) Stalking and cyberstalking
  • (U//FOUO) Corporate, industrial, military, and economic espionage
  • (U//FOUO) Tax fraud
  • (U//FOUO) Mortgage fraud
  • (U//FOUO) Wire transfer fraud
  • (U//FOUO) Identity theft

(U) E-mail Filtering

(U) E-mail filtering is an e-mail organizational tool which allows users to label, archive, favorite, delete, or automatically forward e-mails.

(U) The word "filter" is often used interchangeably with the word "rule".

(U) Source: Gmail

This information should be considered UNCLASSIFIED // FOR OFFICIAL USE ONLY unless otherwise noted and contains information that may be exempt from public release under the Freedom of Information Act (5 USC 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with US Department of Homeland Security policies and is not to be released to the media, public or other personnel who do not have a valid "need-to-know" and shall not be distributed beyond the original addressees without prior authorization of the originator. Receipt acknowledges a commitment to comply with all applicable laws protecting privacy, civil rights, and civil liberties in the collection, use, analysis, retention, destruction, sharing and disclosure of information. If you have any questions or need additional information, please contact the OCIAC.

To report suspicious activity, submit a tip or lead at www.OCIAC.ca.gov or call 714-289-3949 UNCLASSIFIED // FOR OFFICIAL USE ONLY

Page 2


(U) Incidents

(U//FOUO) Examples of incidents by which criminals used e-mail filters to facilitate crimes include:

  • (U//FOUO) Use of Really Simple Syndication (RSS): In late 2016, an Orange County-based critical infrastructure organization was targeted in a Business E-mail Compromise (BEC) scam by which a cybercriminal compromised a Chief Financial Officer's e-mail account. While impersonating the CFO in e-mail correspondence, the cybercriminal requested wire transfers to unauthorized bank accounts. The cybercriminal created an e-mail filter that forwarded all of the CFO's e-mails to a public RSS feed being monitored by the cybercriminal. (U) Source: iconarchive

  • (U//FOUO) Use of "trash" mail folder: In October 2016, an Orange County-based medical practice fell victim to a wire transfer scam. A cybercriminal compromised an accountant's e-mail account and created an e-mail filter so that all communications from other finance personnel were sent to the accountant's "trash" mail folder. Masquerading as the accountant, the cybercriminal requested wire transfers from finance department personnel. All responses to the cybercriminal's requests were filtered to the "trash" folder, out of sight of the accountant, where the cybercriminal would actively wait to respond to wire transfer correspondence. (U) Source: iconarchive

  • (U) Use of filters to evade security alerting: According to a 2014 FireEye report, hacking group FIN4 targeted publicly traded companies and advisory firms to gain insider knowledge for trading advantage.¹ FIN4 sent phishing e-mails to various targeted individuals. The phishing e-mails contained either Visual Basic Applications (VBA) macros or links to fake Microsoft Outlook Web Access (OWA) to steal usernames and passwords. Once FIN4 had access to the victims' e-mail accounts, e-mail filters were set up to automatically send any e-mails referencing "virus", "malware" or other terms that might alert the victim to a cyber intrusion directly to the victims' "trash" mail folder.

    UNCLASSIFIED
    Subject: employee making negative comments about you and the company
    From: @<compromised company's domain>

    I noticed that a user named FinanceBull82 (claiming to be an employee) in an investment discussion forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances of his disagreements, and in doing so, may have unwittingly divulged confidential company information regarding pending transactions.

    I am a longtime client and I do not think that this will bode well for future business. The post generated quite a few replies, most of them agreeing with the negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropriate channels before making his post. The link to the post is located here (it is the second one in the thread):

    http://forum./redirect.php?url=http://%2fforum%2fequities%2f375823902%2farticle.php

    Could you please talk to him?

    Thank you for the assistance,

    (U) Sample phishing e-mail used by hacking group FIN4. (U) Source: FireEye


Page 3


(U) Mitigation

(U//FOUO) The Orange County Intelligence Assessment Center (OCIAC) recommends auditing e-mail filters as part of the cyber incident response process. E-mail filters that may have malicious intent include:

  • (U) Sending security-related e-mails to the trash or other unattended folders
  • (U) Sending e-mails to suspicious e-mail addresses
  • (U//FOUO) Sending e-mails to RSS feeds
  • (U//FOUO) Moving e-mail correspondence containing keywords relating to sensitive topics to suspicious folders, feeds, trash, etc. (i.e. sending e-mails with keyword “SSN” or “social security” to a suspicious e-mail address)

(U//FOUO) At an organizational level, information security professionals may consider:

  • (U//FOUO) Instituting a Data Loss Prevention (DLP) policy if one does not already exist
  • (U//FOUO) Logging the creation of new e-mail filters across the enterprise
  • (U//FOUO) Blocking the forwarding of e-mails to e-mail addresses outside the network, if in accordance with organizational policy
  • (U//FOUO) Auditing e-mail rules on a regular basis to identify malicious e-mail filters and potential insider threats
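The two checklists above (warning signs in an individual rule, and enterprise-wide rule auditing) as an added example that is not part of the bulletin: a Python auditor that runs the bulletin's checks over a constructed export of mailbox rules. The Rule layout, the internal domain, the keyword lists and the "mail-to-RSS gateway" heuristic are assumptions; a real export from an Exchange, Google Workspace or Yahoo account would first need to be mapped into this shape.

```python
from dataclasses import dataclass, field

# Constructed sample data and heuristics: no real rules, addresses or organizations.
INTERNAL_DOMAIN = "example-corp.test"
SECURITY_TERMS = ("virus", "malware", "compromise", "hacked", "security alert")
SENSITIVE_TERMS = ("ssn", "social security", "wire", "invoice", "bank account")
UNATTENDED_FOLDERS = ("deleted items", "trash", "junk", "rss feeds", "archive")

@dataclass
class Rule:
    owner: str                      # mailbox the rule lives in
    name: str
    conditions: dict                # e.g. {"from": "...", "subject_contains": "..."}
    forward_to: list = field(default_factory=list)
    move_to: str = ""               # destination folder, "" if none
    delete: bool = False

def audit_rule(rule: Rule) -> list:
    """Return the bulletin's warning signs this rule exhibits (empty list = clean)."""
    findings = []
    cond_text = " ".join(str(v) for v in rule.conditions.values()).lower()
    sender = str(rule.conditions.get("from", "")).lower()
    for addr in rule.forward_to:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:
            findings.append(f"forwards mail outside {INTERNAL_DOMAIN}: {addr}")
        if "rss" in domain or "feed" in domain:   # mail-to-RSS gateways (heuristic)
            findings.append(f"forwards mail to an RSS/feed endpoint: {addr}")
    # The bulletin's "hide it" patterns: delete, or move to a folder nobody reads.
    hidden = rule.delete or rule.move_to.lower() in UNATTENDED_FOLDERS
    if hidden and any(t in cond_text for t in SECURITY_TERMS):
        findings.append("hides security-related mail (FIN4 pattern)")
    if hidden and any(t in cond_text for t in SENSITIVE_TERMS):
        findings.append("hides mail about sensitive or financial topics")
    if hidden and sender.endswith("@" + INTERNAL_DOMAIN):
        findings.append(f"hides mail from internal colleague {sender} (trash-folder BEC pattern)")
    if (hidden or rule.forward_to) and not rule.conditions:
        findings.append("applies to every incoming message (no conditions)")
    return findings

def audit_rules(rules) -> dict:
    """Map 'owner:rule name' to findings for each rule that trips a check."""
    return {f"{r.owner}:{r.name}": hits for r in rules if (hits := audit_rule(r))}

SAMPLE_RULES = [  # constructed rules mirroring the bulletin's incidents, plus one benign rule
    Rule("cfo@example-corp.test", "Sync", {}, forward_to=["x9q2@mail2rss.example"]),
    Rule("acct@example-corp.test", "Cleanup", {"from": "finance@example-corp.test"}, move_to="Deleted Items"),
    Rule("ceo@example-corp.test", "Alerts", {"subject_contains": "virus malware"}, move_to="Trash"),
    Rule("hr@example-corp.test", "Newsletters", {"from": "news@vendor.example"}, move_to="Newsletters"),
]
```

Running `audit_rules(SAMPLE_RULES)` flags the first three rules and leaves the newsletter rule alone; on a live tenant the same function would be run against a periodic export of every mailbox's rules, with newly created rules reviewed first.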

(U//FOUO) Instructions for locating e-mail filters in individual Microsoft Outlook, Gmail, and Yahoo accounts are as follows:

(U) Microsoft Outlook
  • Click the “File” tab in Outlook
  • Click the “Manage Rules & Alerts” button

(U) Gmail
  • Click the “Settings” wheel
  • Select “Settings” from the drop down
  • Navigate to the “Filters and Blocked Addresses” tab

(U) Yahoo
  • Hover over the “Settings” wheel
  • Select “Settings”
  • Click “Filters”

(U) Note: Instructions may vary on mobile applications and in versions of these products published after the publication of this document

(U) If you have any questions regarding this information bulletin, contact the OCIAC at OCIAC@ociac.ca.gov

(U) Tracked By: (U) HSEC 8.3.1, HSEC 1.3.1, HSEC 1.4.2, OCIAC I.1.C, OCIAC III.1

¹ (U) FireEye. Hacking the streets? FIN4 likely playing the market. 2014 https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf Accessed 9 February 2017.


Page 4

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
