
Email Forwarding Rules: A Documented Threat Vector Costing Businesses Billions

Email rule abuse isn't theoretical—it's a classified attack technique used by nation-state actors and cybercriminals alike. Here's the documented evidence from MITRE, FBI, CISA, and real-world breaches.

MailBreach Security

March 2, 2026


This Isn't Hype. It's Documented.

When we talk about email security threats, it's easy to get lost in marketing noise. Every vendor claims their threat is the most critical. So let's cut through that entirely. This article contains no product pitches—just documented evidence from authoritative sources about why email forwarding rules and inbox filters represent a serious, ongoing threat to organizations worldwide.

The evidence comes from the FBI, CISA, MITRE, Microsoft, Google, and documented incident response cases from major breaches. Draw your own conclusions.

MITRE ATT&CK: The Industry Standard

MITRE ATT&CK is the globally recognized knowledge base of adversary tactics and techniques. It's used by security teams, governments, and vendors worldwide as the authoritative classification system for cyber threats.

Email rule abuse has two dedicated technique entries:

T1114.003 — Email Collection: Email Forwarding Rule

Direct quote from MITRE:

> "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations."

Documented procedure examples from MITRE:

  • **APT1** (Chinese state-sponsored): Used email forwarding to exfiltrate data
  • **Kimsuky** (North Korean state-sponsored): Created forwarding rules targeting South Korean organizations
  • **Silent Librarian** (Iranian state-sponsored): Set up mail forwarding rules as part of academic espionage campaigns

Source: https://attack.mitre.org/techniques/T1114/003/

T1564.008 — Hide Artifacts: Email Hiding Rules

Direct quote from MITRE:

> "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails."

This technique is used to:

  • Delete security alerts before users see them
  • Hide responses from IT/security teams
  • Move evidence of compromise to obscure folders

Source: https://attack.mitre.org/techniques/T1564/008/

FBI Internet Crime Complaint Center (IC3)

The FBI's IC3 tracks cybercrime losses across the United States. Business Email Compromise consistently ranks as one of the most financially devastating attack types.

2023 IC3 Report Statistics:

  • **BEC losses: $2.9 billion** (single largest category of cybercrime losses)
  • **21,489 BEC complaints** filed in 2023 alone
  • BEC has caused **$51 billion in losses** since 2013

The FBI explicitly identifies email rule manipulation as a key technique in BEC attacks. From their guidance:

> "After compromising a victim's email account, cybercriminals often create inbox rules to automatically forward certain emails, delete security notifications, or hide communications from the legitimate account owner."

Source: FBI IC3 2023 Internet Crime Report

FBI Private Industry Notification (PIN)

The FBI has issued multiple Private Industry Notifications specifically warning about email rule abuse. These notifications go to critical infrastructure operators and major enterprises.

Key warnings include:

  • Attackers maintain persistence through mailbox rules even after password resets
  • Rules are often configured to target keywords like "invoice," "payment," "wire," and "bank"
  • Average dwell time before detection can exceed 6 months

CISA (Cybersecurity & Infrastructure Security Agency)

CISA has published multiple advisories highlighting email rule abuse as a critical indicator of compromise.

CISA Alert AA21-008A (Microsoft 365 Security)

This alert specifically recommends:

> "Review email forwarding rules and alerts. Threat actors often create mailbox rules that automatically forward emails to external addresses. Review rules for auto-forwarding to external addresses and investigate any recent rule changes."

CISA Incident Response Recommendations

In their standard incident response guidance, CISA lists checking for malicious email rules as a critical step in any email compromise investigation:

  1. Review all mailbox rules for affected accounts
  2. Check for external forwarding configurations
  3. Examine rules that delete, move, or mark messages as read
  4. Review administrative audit logs for rule creation events

Source: CISA Microsoft 365 Security Recommendations
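Step 4 above is where the two MITRE techniques and the FBI keyword warning become concrete: a rule-creation audit event carries every parameter the attacker chose. As an added example (not from the article, CISA or Microsoft), here is a first-pass triage of such events, assuming Exchange Online audit records exported as JSON lines, a placeholder list of internal domains, and a constructed sample log:

```python
import json
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank"}  # terms the FBI says rules key on
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
TEXT_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}

def is_external(recipient):
    """True if 'Bob <bob@x.invalid>' or 'bob@x.invalid' points outside the organization."""
    addr = recipient.strip().split("<")[-1].rstrip(">").lower()
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def triage_rule_event(record):
    """Findings for one New-InboxRule / Set-InboxRule audit record; empty list = nothing notable."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}  # flatten name/value list
    findings = []
    for name in sorted(FORWARD_PARAMS & p.keys()):  # recipients are ';'-separated
        if any(is_external(t) for t in p[name].split(";") if t.strip()):
            findings.append(f"external forward via {name}")
    text = " ".join(p[k] for k in TEXT_PARAMS & p.keys()).lower()
    keywords = sorted(k for k in FINANCE_KEYWORDS if k in text)
    if keywords:
        findings.append("keyed on finance terms: " + ", ".join(keywords))
    # Filing and marking mail is routine, so hiding actions are reported only next to a
    # forwarding or keyword signal; outright deletion is always reported.
    hides = sorted(HIDE_PARAMS & p.keys())
    if hides and (findings or "DeleteMessage" in hides):
        findings.append("hides or removes mail: " + ", ".join(hides))
    return findings

def triage_log(lines):
    results = {}  # (user, rule name) -> findings, for a JSON-lines audit export
    for line in lines:
        record = json.loads(line)
        findings = triage_rule_event(record)
        if findings:
            results[(record["UserId"], record.get("ObjectId", ""))] = findings
    return results

# Constructed sample records in the shape of Exchange Online audit log entries (not real data)
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com", "ObjectId": "Invoices",
                "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;wire transfer"},
                               {"Name": "ForwardAsAttachmentTo", "Value": "Bob <bob@mail-drop.invalid>"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com", "ObjectId": "Newsletters",
                "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]
```

Carol's rule is reported as nothing notable on purpose: a move-to-folder rule with no forwarding, keyword or deletion is the everyday case, and alerting on it alone would drown the signal that matters.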

Real-World Breaches

SolarWinds / SUNBURST (2020)

The SolarWinds attack, attributed to APT29 (Russian SVR), was one of the most sophisticated supply chain compromises in history. It affected:

  • 18,000 organizations
  • Multiple U.S. government agencies
  • Major technology companies including Microsoft

Email rule abuse was documented as part of the attack:

Mandiant's investigation revealed that attackers created mail flow rules to collect and exfiltrate email from targeted accounts. These rules persisted undetected for months while attackers conducted reconnaissance and lateral movement.

Source: Mandiant APT29 Report, Microsoft Security Blog

Scattered Spider (2023-2024)

The Scattered Spider threat group (also known as UNC3944) targeted major hospitality and technology companies, including:

  • MGM Resorts
  • Caesars Entertainment
  • Multiple technology companies

Their attack methodology heavily relied on email rules:

After gaining initial access through social engineering, attackers created forwarding rules to monitor internal communications, intercept MFA reset emails, and maintain visibility into incident response efforts.

Source: CrowdStrike, Mandiant, Google Cloud Threat Intelligence

Silent Librarian / TA407 (Ongoing)

This Iranian threat group has targeted universities and research institutions worldwide since 2013. Their primary objective is stealing academic research and intellectual property.

Email forwarding is central to their operations:

According to the FBI and academic security researchers, Silent Librarian systematically creates forwarding rules in compromised faculty accounts to receive copies of research correspondence, grant applications, and unpublished papers.

Source: FBI Flash Alert, PhishLabs Research

Microsoft's Own Warnings

Microsoft has repeatedly highlighted email rule abuse in their security guidance and threat research.

Microsoft Defender for Office 365

Microsoft added specific detections for suspicious mailbox rules, including:

  • **Suspicious inbox forwarding rules** — Alerts on rules forwarding to external domains
  • **Suspicious inbox manipulation rules** — Detects rules that delete or move security-related emails
  • **Mail forwarding configuration changes** — Monitors for forwarding changes at the mailbox level

Microsoft Security Blog

Microsoft's threat intelligence team has published multiple analyses of email rule abuse:

> "A common post-compromise technique we observe is the creation of email forwarding rules. Attackers use these to maintain visibility into an organization even if credentials are changed or access is revoked."

Exchange Online Protection Documentation

Microsoft's official documentation explicitly warns administrators to:

  • Regularly audit mailbox forwarding rules
  • Implement alerts for rule creation events
  • Consider blocking auto-forwarding to external domains
  • Review the remote domains settings that control forwarding

Google Workspace Security

Google has similarly recognized this threat vector in their security recommendations.

Gmail Forwarding Controls

Google provides administrators the ability to:

  • Disable automatic forwarding
  • Alert on forwarding configuration changes
  • Detect suspicious filter creation

Google Workspace Security Best Practices

Google's official security guidance recommends:

> "Review email delegation and forwarding settings regularly. Unauthorized forwarding rules are a common indicator of account compromise."

Why Traditional Security Misses This

The reason email rule abuse is so effective comes down to a fundamental gap in how organizations approach email security:

1. Gateway-focused security

Most email security investments go to secure email gateways (SEGs) that scan inbound and outbound messages. Rules operate at the configuration layer—they're not messages, so they're invisible to these tools.

2. Legitimate feature

Email rules are a normal, everyday feature. Users create them constantly. There's no signature, no malware, nothing inherently "malicious" about a rule. It's pure abuse of legitimate functionality.

3. Lack of monitoring

While most organizations log authentication events, far fewer log mailbox configuration changes. Even when logged, these events often aren't monitored or alerted on.

4. Persistence through remediation

When a compromised account is detected, the standard response is to reset the password and revoke sessions. But the rules stay. Unless specifically checked and removed, they continue operating indefinitely.

The Technical Reality

For those who want the technical details, here's how these attacks work in practice:

Microsoft 365 / Exchange Online

Attackers can create rules via:

  • Outlook Web Access (OWA)
  • Outlook desktop client
  • PowerShell (New-InboxRule cmdlet)
  • Graph API
  • Exchange Web Services (EWS)

Rules can be configured to:

  • Forward all mail to an external address
  • Forward mail matching specific criteria (sender, subject, keywords)
  • Delete messages from specific senders (such as the security team's alert address)
  • Move messages to hidden folders
  • Mark messages as read (so the user doesn't notice unread notifications)

Google Workspace / Gmail

Attackers can create filters via:

  • Gmail web interface
  • Gmail API
  • IMAP (in some configurations)

Filters can:

  • Forward matching messages
  • Skip the inbox entirely
  • Mark as read
  • Delete immediately
  • Apply labels (to hide messages in obscure locations)
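The Gmail list above maps directly onto the fields of a Gmail API filter resource: `criteria` plus an `action` holding `addLabelIds`, `removeLabelIds` and `forward`. As an added example that is not part of the article or of Google's tooling, here is a review pass that translates exported filters into those effects and rates them; the internal-domain list and the watched-sender terms are assumptions, and the sample filters are constructed:

```python
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains
WATCHED_SENDER_TERMS = ("security", "it-support", "helpdesk")  # assumption: senders attackers hide
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank")  # terms the FBI notes rules key on
SYSTEM_LABELS = {"INBOX", "UNREAD", "TRASH", "SPAM", "STARRED", "IMPORTANT"}

def filter_effects(flt):
    """Translate a Gmail filter resource (criteria/action) into the effects the article lists."""
    action = flt.get("action", {})
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    effects = []
    forward = action.get("forward", "")
    if forward and forward.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
        effects.append("forwards externally to " + forward)
    if "TRASH" in added:
        effects.append("deletes immediately")
    if "INBOX" in removed:
        effects.append("skips the inbox")
    if "UNREAD" in removed:
        effects.append("marks as read")
    if added - SYSTEM_LABELS:  # user labels have opaque ids such as Label_42
        effects.append("files under user label(s) " + ", ".join(sorted(added - SYSTEM_LABELS)))
    return effects

def assess_filter(flt):
    """Return ('high'|'medium'|'none', effects). High = external forwarding, or hiding mail from
    watched senders / finance-related messages; medium = any other hiding action."""
    effects = filter_effects(flt)
    crit = flt.get("criteria", {})
    scope = " ".join(str(crit.get(k, "")) for k in ("from", "subject", "query")).lower()
    targeted = any(t in scope for t in WATCHED_SENDER_TERMS + FINANCE_KEYWORDS)
    hiding = [e for e in effects if not e.startswith("forwards")]
    if any(e.startswith("forwards") for e in effects) or (hiding and targeted):
        return "high", effects
    return ("medium" if hiding else "none"), effects

# Constructed filters in the shape returned by the Gmail API users.settings.filters.list (not real data)
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "security-alerts@example.com"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f2", "criteria": {"query": "invoice OR wire"},
     "action": {"forward": "collector@mail-drop.invalid", "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f4", "criteria": {"from": "team@example.com"}, "action": {"addLabelIds": ["STARRED"]}},
]

def review(filters):
    """{filter id: (level, effects)} for every filter that does something worth a look."""
    return {f["id"]: assess_filter(f) for f in filters if assess_filter(f)[0] != "none"}
```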

What This Means

The evidence is clear:

  1. **Email rule abuse is a documented, classified attack technique** — not theoretical
  2. **Nation-state actors actively use this technique** — APT29, APT1, Kimsuky, Silent Librarian, and others
  3. **The financial impact is measured in billions** — $2.9B in BEC losses in 2023 alone
  4. **Major organizations have been compromised** — SolarWinds, MGM, Caesars, universities worldwide
  5. **Leading security authorities explicitly warn about this** — FBI, CISA, Microsoft, Google

The gap between the documented severity of this threat and the actual monitoring most organizations have in place is significant. Most organizations cannot answer a simple question: "Who has forwarding rules configured on mailboxes in our environment, and where do they send mail?"

References

  • MITRE ATT&CK T1114.003: https://attack.mitre.org/techniques/T1114/003/
  • MITRE ATT&CK T1564.008: https://attack.mitre.org/techniques/T1564/008/
  • FBI IC3 2023 Internet Crime Report: https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
  • CISA Alert AA21-008A: https://www.cisa.gov/news-events/cybersecurity-advisories
  • Microsoft Security Blog: https://www.microsoft.com/security/blog/
  • Mandiant APT29 Research: https://www.mandiant.com/resources/insights
  • CrowdStrike Scattered Spider Analysis: https://www.crowdstrike.com/adversaries/

This article is provided for educational and awareness purposes. The threats described are real and actively exploited. Organizations should evaluate their own visibility into email configuration changes and implement appropriate monitoring.
