
The Hidden Threat in Your Inbox: Why Email Forwarding Rules Are a Hacker's Best Friend

That innocuous-looking inbox rule might be silently copying every email you receive to an attacker. Here's why this overlooked vector is becoming the go-to method for corporate espionage.

MailBreach Security

February 28, 2026


The Attack No One Sees Coming

Picture this: It's a Tuesday morning, and your CFO just approved a $2.3 million wire transfer. Everything looked legitimate—the email came from a trusted vendor, the invoice matched previous ones, and the request seemed routine. Three days later, you discover the vendor never sent that email. The money is gone. And sitting quietly in your CFO's inbox rules? A forwarding rule created six months ago, silently copying every incoming email to an external address.

This isn't a hypothetical scenario. It's happening to companies every single day.

Why Attackers Love Email Rules

Here's the thing about email forwarding rules and inbox filters: they're boring. They're the digital equivalent of that filing cabinet in the corner that nobody's opened in years. And that's exactly why attackers love them.

When a threat actor compromises an email account—whether through phishing, credential stuffing, or buying credentials off the dark web—they have a decision to make. They could start sending emails immediately, but that's noisy. IT might notice. The user might notice. Instead, smart attackers do something far more insidious: they create a rule.

The typical attack pattern looks like this:

  1. Compromise the account (usually through phishing)
  2. Create a forwarding rule to copy all emails to an external address
  3. Create an inbox rule to auto-delete or hide any security notifications
  4. Log out and wait

That's it. No malware. No persistent backdoor. Just a simple configuration change that most security tools completely ignore.

The Numbers Are Staggering

According to recent data, 73% of business email compromise (BEC) attacks now involve some form of email rule manipulation. And here's the kicker: the average time to identify a data breach is 204 days (IBM Cost of a Data Breach Report 2023). That's nearly seven months of every email—every contract, every financial discussion, every strategic plan—being silently exfiltrated.

Think about what passes through your executives' inboxes in six months:

  • M&A discussions
  • Salary information
  • Customer contracts
  • Strategic plans
  • Login credentials sent "temporarily"
  • Password reset emails

It's not just data theft. With that level of access, attackers can craft perfect business email compromise attacks. They know your writing style. They know your vendors. They know when invoices are due and how much they're usually for.

Why Traditional Security Misses This

Your email security gateway? It's looking at incoming mail for malware and phishing links. Outbound DLP? It's checking messages you send, not configuration changes. Your SIEM? It only sees a mailbox rule being created if someone has wired the tenant's mailbox audit events into it, and in many organizations nobody has.

This is the gap that attackers are exploiting. We've spent twenty years building higher walls around email, and attackers simply walked through the unguarded back door.

The fundamental problem is this: most security tools treat email as a message-processing pipeline. Messages come in, get scanned, and go to the inbox. But email accounts are more than that—they're configurable systems with rules, filters, delegates, and forwarding settings. And almost nobody is watching those.

What You Can Do About It

The good news? This is a solvable problem. Here's where to start:

1. Audit your current state. Enumerate inbox rules, mailbox-level forwarding settings, and delegates for every mailbox, not just the executives. You might be shocked at what you find. We've seen organizations discover hundreds of unknown forwarding rules, some dating back years. You can't fix what you don't know about.

2. Enable unified audit logging. Microsoft 365's Unified Audit Log and Google Workspace's audit logs can both record mailbox rule and forwarding changes. Make sure these events are being captured, retained, and actually reviewed.

3. Set up real-time alerting. Any new forwarding rule, and any change to a mailbox's forwarding address, should trigger an immediate alert, with rules that forward externally or delete messages treated as the highest priority. This isn't something that should wait for a weekly log review.

4. Implement allowlists. Some forwarding is legitimate—a sales team forwarding leads to a CRM, for example. Build an allowlist of approved destinations and flag anything else.

5. Regular scanning. Don't just check once. Rules can be created at any time, and a rule that existed before you turned on logging will never appear in the audit trail. You need continuous visibility, not point-in-time snapshots.
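The following is an added example, not MailBreach's scanner and not code from the original article: a small Python detector that runs over constructed records shaped like Microsoft 365 Unified Audit Log entries. The operation names (New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox) and parameter names (ForwardTo, ForwardAsAttachmentTo, RedirectTo, ForwardingSmtpAddress, DeleteMessage, MoveToFolder, SubjectContainsWords) are the real Exchange ones; every address, IP and timestamp in the sample data is invented. It covers the attack pattern described earlier (external forwarding plus a rule that deletes security notifications) and steps 2 through 4 of the list above: it reads audit events, raises a high-severity finding for any forwarding to a domain outside INTERNAL_DOMAINS, downgrades destinations on FORWARD_ALLOWLIST to informational, and flags rules that delete or file away messages whose subjects look like security notifications. INTERNAL_DOMAINS, FORWARD_ALLOWLIST and the keyword list are assumptions you would replace with your own; Google Workspace events use a different schema and are not handled here.

```python
"""Flag suspicious mailbox-rule and forwarding changes in M365 audit records.

Added example; not MailBreach code. Sample records below are constructed to
resemble Unified Audit Log entries: the field and operation names follow the
public schema, but every value is invented.
"""
import json

INTERNAL_DOMAINS = {"example.com"}              # assumed: your own tenant domains
FORWARD_ALLOWLIST = {"leads@crm.example.net"}   # assumed: approved external destinations
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
# assumed keyword list: subjects a hiding rule would target to suppress security mail
NOTIFICATION_WORDS = ("security", "sign-in", "sign in", "password", "unusual", "alert", "suspicious")

# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"CreationTime": "2026-02-10T08:14:02", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo", "Value": "archive.backup01@example-mail.org"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2026-02-10T08:15:40", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "SubjectContainsWords", "Value": "unusual sign-in activity;security alert"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-02-11T09:02:11", "Operation": "Set-Mailbox",
     "UserId": "sales@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:leads@crm.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-02-11T10:30:00", "Operation": "New-InboxRule",
     "UserId": "hr@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def rule_parameters(record):
    """Accept a parsed record or a raw AuditData JSON string; return (record, {name: value})."""
    if isinstance(record, str):
        record = json.loads(record)
    return record, {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_recipients(value):
    """Pull addresses outside INTERNAL_DOMAINS out of a forwarding parameter value.

    Handles ';'-separated lists and the 'smtp:' / '[SMTP:...]' decorations seen in
    Exchange parameter values.
    """
    found = []
    for item in value.replace("smtp:", "").replace("SMTP:", "").split(";"):
        item = item.strip().strip('"[]')
        if "@" not in item:
            continue
        if item.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            found.append(item.lower())
    return found


def analyze_record(record):
    """Return a list of (severity, user, reason) findings for one audit record."""
    record, params = rule_parameters(record)
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    user = record.get("UserId", "?")
    findings = []
    # Step 3/4: any external forwarding is an alert; allowlisted destinations are informational.
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for addr in external_recipients(params[name]):
            severity = "info" if addr in FORWARD_ALLOWLIST else "high"
            findings.append((severity, user, f"{name} -> external {addr}"))
    # Attack step 3: a rule that deletes or files away security notifications.
    if HIDE_PARAMS.intersection(params):
        subject = params.get("SubjectContainsWords", "").lower()
        if any(word in subject for word in NOTIFICATION_WORDS):
            findings.append(("high", user, f"rule hides notifications matching {subject!r}"))
        elif "DeleteMessage" in params:
            findings.append(("medium", user, "rule silently deletes mail"))
    return findings


def scan(records):
    """Run analyze_record over an iterable of records and collect all findings."""
    return [finding for record in records for finding in analyze_record(record)]


if __name__ == "__main__":
    for severity, user, reason in scan(SAMPLE_RECORDS):
        print(f"[{severity.upper():6}] {user}: {reason}")
```

On the sample data this reports two high-severity findings on the CFO mailbox (external forwarding and a rule deleting sign-in alerts) and one informational finding for the allowlisted CRM forward; the HR newsletter rule produces nothing. To run it against real data, pass the AuditData JSON strings returned by Search-UnifiedAuditLog (filtered with -Operations to the four operations above) straight into analyze_record. For the point-in-time audit in step 1, Get-InboxRule and the ForwardingSmtpAddress / ForwardingAddress properties from Get-Mailbox show the current state rather than the change history, which is what catches rules created before logging was enabled.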

The Uncomfortable Truth

Here's what keeps security leaders up at night: right now, today, there's a decent chance someone has a forwarding rule on one of your executive accounts. Not because your security is bad, but because almost nobody is checking. The attackers know this. They've known it for years.

The question isn't whether email rule abuse is a real threat. It absolutely is. The question is whether you're going to be proactive about finding these rules before they're used for that wire fraud, that data breach, or that ransomware attack.

Because by the time you see the headline, it's already too late.


Want to see what's lurking in your organization's mailboxes? MailBreach scans every user across Microsoft 365 and Google Workspace, surfacing hidden forwarding rules and suspicious inbox configurations before attackers can exploit them.
