BEC Detection

Detect Business Email Compromise Before Funds Leave the Building

BEC attacks cost organizations $2.9 billion annually. MailBreach detects the hidden forwarding rules attackers plant to intercept emails — the blind spot your SIEM and email gateway miss entirely.

No credit card required. Scan your first tenant in under 5 minutes.

What Is Business Email Compromise and Why It Evades Traditional Defenses

Business email compromise (BEC) is the most financially damaging category of cybercrime tracked by the FBI. Unlike phishing campaigns that cast a wide net, BEC attacks are surgical — an attacker compromises a single mailbox, plants a hidden forwarding rule, and silently intercepts invoices, wire instructions, and confidential communications. The FBI's Internet Crime Complaint Center (IC3) reported $2.9 billion in adjusted losses from BEC in a single year, making it the costliest category by a wide margin.

The reason BEC is so effective is that it operates below the detection threshold of traditional security tools. Secure email gateways inspect inbound messages for malware and phishing links, but they have no visibility into mailbox-level configuration changes. A forwarding rule that silently copies every message containing "invoice" or "wire transfer" to an external address generates zero alerts in most environments. The attacker never needs to send another email — they simply read the intercepted traffic and strike at the right moment.

MITRE ATT&CK classifies this technique as T1114.003 (Email Forwarding Rule), and it appears in the post-compromise phase of nearly every documented BEC campaign. Detecting it requires purpose-built tooling that inspects mailbox rules across every user in the tenant — exactly what MailBreach was designed to do.

  • BEC accounted for $2.9B in reported losses according to FBI IC3 data
  • Attackers use hidden forwarding rules to silently intercept email traffic
  • Traditional email gateways only inspect inbound messages, not mailbox configurations
  • MITRE ATT&CK maps this technique to T1114.003 — Email Forwarding Rule

How Hidden Forwarding Rules Enable BEC Attacks

Once an attacker gains access to a mailbox — typically through credential phishing or token theft — they create inbox rules that forward or redirect messages to an external address they control. In Microsoft 365, these rules can be created via Outlook Web Access, PowerShell, or the Graph API. In Google Workspace, attackers use Gmail filters with automatic forwarding. In both cases, the rules are invisible to the mailbox owner unless they know exactly where to look.

The most sophisticated attackers go further. They create rules that only trigger on specific keywords — "payment," "wire," "ACH," "invoice" — so the volume of forwarded mail stays low and avoids suspicion. Some rules move intercepted messages to obscure folders or mark them as read, ensuring the legitimate owner never notices the interception. In Exchange Online, MAPI-level rules are particularly dangerous because they do not appear in the standard Outlook rules interface at all.

This is the gap MailBreach closes. By scanning every mailbox in your Microsoft 365 or Google Workspace tenant, MailBreach identifies forwarding rules that match known BEC patterns — external forwarding to freemail domains, keyword-triggered rules, rules created via API rather than the user interface, and rules that predate the user's actual onboarding date. Each finding is classified by severity using 12 detection patterns mapped to the MITRE ATT&CK framework.

  • Attackers create rules via OWA, PowerShell, Graph API, or Gmail filters
  • Keyword-triggered rules intercept only high-value messages to stay hidden
  • MAPI-level rules in Exchange Online are invisible in the standard Outlook interface
  • MailBreach scans every mailbox and classifies findings across 12 detection patterns

The SIEM Gap: Why Your Current Stack Misses BEC

Most security operations centers rely on a SIEM for detection and response. The problem is that SIEMs are only as good as the log sources feeding them — and mailbox rule creation events are notoriously unreliable in both Microsoft 365 and Google Workspace audit logs. Microsoft's Unified Audit Log can take up to 24 hours to surface mailbox rule events, and many tenants have audit logging disabled or misconfigured. Google Workspace logs forwarding changes, but filter creation with forwarding is logged differently depending on the method used.

Even when the logs arrive, most SIEM detection rules are not tuned for this specific attack pattern. Generic "new inbox rule" alerts generate enormous volumes of false positives because users create legitimate rules constantly. Without context about which external domains are authorized, which rules match known attack patterns, and which users should or should not have forwarding enabled, a SIEM alert for "new inbox rule created" is noise — not signal.

MailBreach takes a fundamentally different approach. Instead of relying on event logs, it performs direct configuration inspection — querying the Graph API and Gmail API to read the actual rules present in every mailbox. This eliminates the log latency problem entirely. Combined with domain allowlisting, pattern-based classification, and tenant-specific baselines, MailBreach turns the SIEM gap into a covered detection surface.

How MailBreach Detects and Remediates BEC Forwarding Rules

MailBreach connects to your Microsoft 365 or Google Workspace tenant via read-only API credentials and scans every mailbox for forwarding rules, filters, and redirect configurations. Each rule is evaluated against 12 detection patterns derived from real-world BEC investigations and mapped to MITRE ATT&CK T1114.003.

Findings are classified into three severity tiers. Severity 1 findings — such as forwarding to external freemail domains or rules created via API with suspicious keywords — represent active threats and can be auto-remediated in Mode C (paid tier). Severity 2 findings require human approval before action is taken (Mode B, the default). Severity 3 findings are informational and tracked for drift monitoring. Every remediation action captures a before-snapshot so rules can be rolled back if needed.

The result is a closed-loop detection and response workflow: scan, classify, remediate, verify, and audit-log. MailBreach re-reads the mailbox state after every remediation to confirm the rule was actually removed, and logs every action with the actor, timestamp, and evidence for compliance reporting.

  • 12 detection patterns mapped to MITRE ATT&CK T1114.003
  • Three severity tiers with configurable remediation modes
  • Before-snapshot capture enables one-click rollback
  • Post-remediation verification confirms rule removal
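As an added example, not MailBreach's own code or its 12 patterns, the following Python classifier shows how a few of the patterns described above can be evaluated against inbox rules read straight from the mailbox rather than from audit logs. The input records follow the shape of Microsoft Graph `messageRule` objects (`conditions.subjectContains`, `actions.forwardTo`, `actions.redirectTo`, `actions.markAsRead`, `actions.moveToFolder`); the tenant domains, allowlist, keyword list, severity thresholds and sample rules are all constructed for the example.

```python
"""Classify Microsoft 365 inbox rules against common BEC forwarding patterns.

Added example, not MailBreach code. Input records follow the shape of
Microsoft Graph `messageRule` objects (conditions/actions sub-objects); the
tenant domains, allowlist, keyword list and sample rules are all constructed.
"""

ORG_DOMAINS = {"contoso.example"}                     # constructed: tenant's own domains
ALLOWED_EXTERNAL = {"partner.example"}                # constructed: approved external forwarding
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
FINANCE_KEYWORDS = {"invoice", "wire", "ach", "payment", "remittance"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _recipients(action_value) -> list:
    # Graph recipient objects look like {"emailAddress": {"address": "..."}}
    return [r["emailAddress"]["address"] for r in (action_value or [])]


def _keywords(conditions: dict) -> set:
    words = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        words.update(w.lower() for w in (conditions.get(key) or []))
    return words


def classify_rule(rule: dict) -> dict:
    """Return {'severity': 1|2|3|None, 'reasons': [...]} for one inbox rule.

    None means the rule forwards nowhere external (or only to an allowlisted
    domain) and is not a finding. Tiers mirror the page: 1 = active threat,
    2 = needs human review, 3 = informational.
    """
    conditions = rule.get("conditions") or {}
    actions = rule.get("actions") or {}
    targets = (_recipients(actions.get("forwardTo"))
               + _recipients(actions.get("forwardAsAttachmentTo"))
               + _recipients(actions.get("redirectTo")))
    external = [t for t in targets
                if _domain(t) not in ORG_DOMAINS and _domain(t) not in ALLOWED_EXTERNAL]
    if not external:
        return {"severity": None, "reasons": []}

    reasons = []
    freemail = any(_domain(t) in FREEMAIL_DOMAINS for t in external)
    reasons.append("forwards to a freemail domain" if freemail
                   else "forwards to an unapproved external domain")

    hits = _keywords(conditions) & FINANCE_KEYWORDS
    if hits:
        reasons.append("triggered by finance keywords: " + ", ".join(sorted(hits)))
    if any(actions.get(k) for k in ("markAsRead", "moveToFolder", "delete", "permanentDelete")):
        reasons.append("hides the message from the owner (mark read / move / delete)")
    if actions.get("redirectTo"):
        reasons.append("uses redirect rather than forward")

    severity = 1 if (freemail or hits) else 2
    if not rule.get("isEnabled", True):
        severity = 3                      # disabled rule: track for drift, do not remediate
        reasons.append("rule is currently disabled")
    return {"severity": severity, "reasons": reasons}


def scan_mailbox(rules: list) -> list:
    """Classify every rule in one mailbox and return findings, worst first."""
    findings = []
    for rule in rules:
        result = classify_rule(rule)
        if result["severity"] is not None:
            findings.append({"rule": rule.get("displayName"), **result})
    return sorted(findings, key=lambda f: f["severity"])


# Constructed sample rules in Graph messageRule shape (not real tenant data).
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["Invoice", "wire"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "attacker.drop@gmail.com"}}],
                 "markAsRead": True, "moveToFolder": "RSS Subscriptions"}},
    {"displayName": "Partner sync", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "ops@partner.example"}}]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "queue@partner.example"}}]}},
    {"displayName": "Archive copy", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@unknown-vendor.example"}}]}},
    {"displayName": "Old redirect", "isEnabled": False,
     "conditions": {},
     "actions": {"redirectTo": [{"emailAddress": {"address": "x@proton.me"}}]}},
]

if __name__ == "__main__":
    for f in scan_mailbox(SAMPLE_RULES):
        print(f"sev{f['severity']}  {f['rule']!r}: {'; '.join(f['reasons'])}")
```

Two of the patterns named above are deliberately not modelled here: whether a rule was created via API rather than the user interface, and whether it predates the user's onboarding date. Neither fact is carried in the rule object itself; they require correlating the rule with audit-log or directory data, which is exactly the enrichment the page describes as missing from a generic "new inbox rule" SIEM alert.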

Key Capabilities

Full-Tenant Mailbox Scanning

Scan every mailbox in your M365 or Google Workspace tenant for hidden forwarding rules, redirect configurations, and suspicious filters — not just a sample.

12 Detection Patterns

Each finding is classified against 12 patterns derived from real-world BEC campaigns, covering freemail forwarding, keyword-triggered rules, MAPI rules, and more.

Automated Remediation

Disable or delete malicious forwarding rules with approve-to-apply (Mode B) or fully automated remediation with guardrails (Mode C) — with rollback support.

MITRE ATT&CK Mapping

Every detection maps to T1114.003 (Email Forwarding Rule), giving SOC teams and compliance auditors a common language for threat classification.

Ready to secure your email?

Start detecting hidden forwarding rules in minutes. No credit card required.