How to stop threat actors weaponising legitimate apps like eM Client

Working in threat detection, we’re always mindful of how perfectly legitimate tools can often be subverted for malicious purposes.

For instance, there have been some notable occurrences of eM Client, a popular email and calendar, being weaponised by threat actors to achieve persistence in a compromised environment.

Let’s start with the basics.

What is eM Client?

eM Client is a comprehensive desktop client for email and calendar management available for Windows and macOS.

Initially launched by a small group of students in Prague in 2007, eM Client grew steadily over the course of the next decade. Still widely used in 2024, the client supports major email platforms like Exchange, Gmail, and Outlook, while integrating with Zoom and Microsoft Teams for online meetings.

How threat actors have exploited eM Client features for BEC attacks

Over the years the client has garnered popularity thanks to its ease-of-use and a series of value-adding features inherent on the platform.

Unfortunately, however, it’s these features that have seen it curry favour among those with malicious intent.

Features exploited by threat actors include:

• Mass Mailing: eM Client’s mass mail feature includes the ability to BCC recipients, effectively hiding the campaign. In the wrong hands, this can be misused for spam campaigns, particularly effective during the free 30-day trial period.
• Invisibility of actions: Users can configure eM Client not to mark emails as read or to store sent emails in the Sent folder. This allows unscrupulous activity to stay under the radar. Making it much harder for compromised users to notice suspicious actions.
• Email exfiltration: eM Client has a built-in email download function that allows the user to download all emails from any accessible inbox, including shared mailboxes. It’s a feature that can be exploited as a potent tool for data exfiltration by threat actors.

Achieving persistence

Achieving persistence in a cloud environment is a novel form of avoiding detection and maintaining a foothold within a target’s estate. Threat actors have been observed in the wild installing eM Client as a means of bypassing multifactor authentication (MFA) requirements in Azure environments.

This has been achieved by threat actors by first compromising a user account, adding eM Client as an Enterprise Application, and then configuring it with the following delegated permissions:

• AccessAsUser.All – This configures eM Client to have the same access to mailboxes as the signed in (and now compromised) user account, via Exchange Web Services.
• Offline_access – This permission allows an application to maintain access to data it’s already been given access to. In effect, the application will continue to receive new session tokens for as long as it’s set to receive them, without user input. Which means that even after access to the compromised user account has been removed, the threat actor would continue to receive, read, and send emails on behalf of the user – achieving persistence.

Mitigation steps

Let’s look at the different approaches you can take to mitigate against this kind of compromise, dependent on if you’re an E5 licence holder or not.

For E5 licence holders

In this scenario, we recommend Unsanctioning the application in Microsoft Defender XDR. You can do this by configuring the following:

1. Log in to your organisation’s Defender portal at security.microsoft.com
2. In the Cloud apps blade select the Cloud app catalog section
3. In the filters, enter the name of the application: eM Client
4. In actions, select “Unsanctioned”

Then:

1. Navigate to the “Settings” blade
2. Select Cloud apps
3. Under Cloud Discovery select Microsoft Defender for Endpoint