Wednesday, March 24, 2010

Who Can Read My Email?

I recently had a client who suspected that their email was being read by someone else in their company. They wanted to know whether this was technically possible given their setup, which was the fairly standard Microsoft Exchange server with Outlook as the client. When members of the IT team are included as possible suspects, I could think of at least 7 attack vectors for reading someone else’s email. Starting with the most basic, these were:

Password Compromise: Failure to keep a password secret, or choosing one that is easy to guess, allows anyone who learns it to log on to the associated email account.

Shoulder Surfing: Reading someone’s email over their shoulder, or more likely when the PC is left unattended without a password-protected screen saver activated, for example during a coffee or cigarette break.

Inappropriate Permissions: Although more commonly used for calendar access, it is possible to share your mailbox with other users in the organisation. An inappropriately broad sharing rule could allow unexpected access to the inbox. A malicious user could set up such a rule with a few minutes’ access to an unattended PC.

Administrator Permissions: A mail administrator can modify permissions at the server level to allow other accounts to access a mailbox.

Message Forwarding: A mail administrator can forward a copy of all incoming messages to another mailbox, completely transparently to the mailbox owner, who sees nothing unusual.

Anti-Malware Program Abuse: Such software can often be configured to filter messages based on keywords and forward a copy of filtered emails to another mailbox. A filter can be constructed so that messages from a particular user are always trapped.

Network Sniffing: By default the RPC protocol, most often used to communicate between the client and the server, is not encrypted, allowing the email to be intercepted and read. The same is true of the SMTP protocol, which is normally used for communication between servers within an organisation and for messages destined for outside the company.

I intend to blog in the future about how best to protect against such attacks, but thought it worthwhile listing the basics here. Protecting the PC where the email client runs with a secure password, and making sure it is not left unlocked when unattended, is the obvious first step. It’s worth remembering that you also need the colleagues who receive your messages to do the same. Reviewing the permissions on your inbox is also important. If the culprit is a mail administrator, it’s much harder to defend against or even to identify. S/MIME is one technology that could help, although it is not appropriate in all cases. At the organisation level it is vital that IT policies make clear what is and is not permitted with regard to email. Even if you can prove someone has been reading email not destined for them, if there is no policy in place stating that such activity is forbidden, it’s unlikely you could take any disciplinary action.
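The mailbox-level review the post recommends (inbox sharing, server-level permissions, forwarding, and forwarding rules) can be scripted from the server side. The following is an added example, not code from the original post; it assumes an Exchange 2010 or later Management Shell session, and `$Mailbox` is a placeholder for the mailbox under review.

```powershell
# Added example (not from the original post): audit one mailbox for the
# sharing, permission and forwarding settings discussed above.
# Assumes an Exchange 2010 (or later) Management Shell; $Mailbox is a
# placeholder supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox
)

Write-Host "== Server-level mailbox permissions (Administrator Permissions) =="
# Explicit, non-inherited, non-deny grants to anyone other than the owner.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        "$($_.User)" -ne 'NT AUTHORITY\SELF'
    } |
    Select-Object User, AccessRights | Format-Table -AutoSize

Write-Host "== Inbox folder sharing (Inappropriate Permissions) =="
# Folder-level delegate access is what a few minutes at an unlocked
# Outlook session can set. Flag any named user, and the built-in
# Default/Anonymous entries if they grant anything beyond None.
Get-MailboxFolderPermission -Identity "$($Mailbox):\Inbox" |
    Where-Object {
        (@('Default', 'Anonymous') -notcontains "$($_.User)") -or
        (($_.AccessRights -join ',') -ne 'None')
    } |
    Select-Object User, AccessRights | Format-Table -AutoSize

Write-Host "== Server-side forwarding (Message Forwarding) =="
# A forwarding address set here is invisible from inside Outlook.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward |
    Format-List

Write-Host "== Inbox rules that forward or redirect =="
# Rules created in the mailbox itself; forward/redirect actions are the
# ones that silently copy mail elsewhere.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
    Format-List
```

Anti-malware filter abuse is product-specific and is not covered by this script; it has to be checked in the filtering product’s own rule configuration.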
