Detect Email Exfiltration Before It's Too Late
Attackers don't just read your email — they set up persistent forwarding rules that silently copy every message to mailboxes they control. MailBreach detects this exfiltration channel across Microsoft 365 and Google Workspace.
Free 14-day trial. Connect your M365 or Google Workspace tenant in minutes.
How Email Exfiltration via Forwarding Rules Works
Email exfiltration through forwarding rules is one of the most effective and least detected data theft techniques in modern business email compromise attacks. After an attacker gains access to a mailbox — typically through credential phishing, password spraying, or OAuth consent phishing — they create an inbox rule that automatically forwards or redirects incoming email to an external address they control. The rule runs server-side, so it operates even when the victim isn't logged in.
What makes this technique particularly dangerous is its persistence. Even after the initial compromise is detected and the attacker's access is revoked (by resetting the password, revoking sessions and refresh tokens, or removing a malicious OAuth app consent), the forwarding rule remains active in the mailbox. It continues to copy incoming email to the attacker's address indefinitely unless someone specifically checks for and removes it. In many incident response engagements, these rules are found weeks or months after the initial breach was "remediated."
Attackers have become increasingly sophisticated in how they configure these rules. Rather than forwarding all email (which is more likely to be noticed), they target specific messages using keyword filters — matching on terms like "invoice," "wire transfer," "payment," "confidential," or "contract." This selective exfiltration reduces the volume of forwarded mail, making it harder to detect through mailbox size anomalies or mail flow reports.
- Forwarding rules persist even after passwords are reset and sessions are revoked
- Server-side rules run 24/7 regardless of whether the user is logged in
- Keyword-targeted rules selectively exfiltrate high-value messages
- Inbox rules can forward, redirect, or forward-as-attachment to external addresses outside your domain; transport rules can additionally Bcc a copy
Why Traditional DLP Misses Forwarding Rule Exfiltration
Traditional Data Loss Prevention (DLP) solutions focus on preventing sensitive data from leaving the organization through monitored channels: email attachments, cloud storage uploads, USB drives, and web uploads. They apply content inspection and policy enforcement at the point of egress. However, email forwarding rules exploit a fundamental gap in this model — the forwarding happens at the mail server level as a legitimate mail flow operation, not through a monitored DLP channel.
Microsoft 365's built-in DLP can inspect outbound email for sensitive content patterns (credit card numbers, social security numbers and the like), but the creation of a server-side forwarding rule is not itself a DLP event, and the forwarded copy is processed by Exchange Online as routine mail flow rather than as a user-initiated send. Exchange Online can block automatic external forwarding outright, through the outbound spam filter policy (which blocks it by default in tenants that have never changed the setting) or through a transport rule, but many organizations have relaxed these controls or never reviewed them, and an attacker who gains admin access can add exceptions to either.
Security Information and Event Management (SIEM) systems face a similar blind spot. SIEMs are good at detecting anomalous login activity (unusual locations, impossible travel, new devices) but typically have no view of the inbox rules configured inside individual mailboxes. The Microsoft 365 unified audit log does record these changes (New-InboxRule and Set-InboxRule for rules created through PowerShell or Outlook on the web, UpdateInboxRules for rules created from the Outlook desktop client, Set-Mailbox for mailbox-level forwarding), but the events are buried among millions of entries and only surface if someone has written detection rules for them, which many organizations haven't.
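As an added example (not MailBreach's code) of the detection rule a SIEM needs here, the Python below scores constructed unified-audit-log records for the operations named above: external forwarding targets, keyword filters and concealment actions each raise the severity, an internal-only forward is ignored, and mailbox-level forwarding set through Set-Mailbox is weighted above a single inbox rule. The record layout and the nested parameter format of UpdateInboxRules events are assumptions noted in the comments.

```python
"""Flag forwarding persistence in Microsoft 365 unified audit log records.

Added example, not MailBreach code. The records are constructed to match the
AuditData JSON of Exchange mailbox audit events (Operation, UserId, ClientIP and
a Parameters array of Name/Value pairs); parameter names are those of the
cmdlets the events mirror (New-InboxRule, Set-Mailbox, ...).
"""
import re

INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
CONCEAL_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder",
                  "StopProcessingRules")
FINANCIAL_TERMS = {"invoice", "wire", "payment", "bank", "contract", "confidential"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def params_of(record):
    """Flatten the Parameters array into {name: value}."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value, internal_domains):
    """Addresses in a value whose domain is not ours. Values may be bare
    ('x@y'), prefixed ('smtp:x@y') or in '[SMTP:x@y]' display form."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in internal_domains]


def analyze_record(record, internal_domains=INTERNAL_DOMAINS):
    """Return an alert for a forwarding or suppression event, else None."""
    op = record.get("Operation", "")
    if op not in RULE_OPERATIONS and op != "Set-Mailbox":
        return None
    params = params_of(record)
    # UpdateInboxRules (the Outlook/MAPI path) nests the rule in its own
    # format, so scan every value for an address (shape assumed here);
    # cmdlet records name the forwarding parameter explicitly.
    values = (list(params.values()) if op == "UpdateInboxRules"
              else [params[n] for n in FORWARD_PARAMS if n in params])
    targets = sorted({a for v in values for a in external_addresses(v, internal_domains)})

    reasons, score = [], 0
    if targets:
        reasons.append("forwards to external: " + ", ".join(targets))
        score += 3 if op == "Set-Mailbox" else 2   # mailbox-level forwarding weighs more
    keywords = [params[n] for n in KEYWORD_PARAMS if n in params]
    if keywords:
        reasons.append("keyword-targeted: " + "; ".join(keywords))
        score += 1
        if any(t in k.lower() for k in keywords for t in FINANCIAL_TERMS):
            reasons.append("financial keywords")
            score += 1
    conceal = [n for n in CONCEAL_PARAMS if params.get(n, "False") != "False"]
    if conceal:
        reasons.append("conceals activity: " + ", ".join(conceal))
        score += 1
    # A rule that only deletes or files keyword-matched mail still matters:
    # attackers use it to hide replies to their own fraudulent messages.
    if not targets and not (op in RULE_OPERATIONS and keywords and conceal):
        return None
    severity = ("critical" if score >= 4 else "high" if score == 3
                else "medium" if score == 2 else "low")
    return {"mailbox": record.get("UserId"), "operation": op, "rule": params.get("Name"),
            "client_ip": record.get("ClientIP"), "severity": severity, "reasons": reasons}


def detect(records):
    """Run every record through analyze_record and keep the alerts, in log order."""
    return [a for a in map(analyze_record, records) if a]


AUDIT_RECORDS = [   # constructed sample events
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo",
                     "Value": '"Archive" [SMTP:fin.archive@example.net]'},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire transfer;payment"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@contoso.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "bob@contoso.com:\\Archive"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@contoso.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@contoso.com", "ClientIP": "10.1.2.3",
     "Parameters": [{"Name": "Name", "Value": "Tickets"},
                    {"Name": "ForwardTo", "Value": "helpdesk@contoso.com"}]},
    {"Operation": "UpdateInboxRules", "UserId": "eve@contoso.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "RuleOperation", "Value": "AddRule"},
                    {"Name": "RuleActions", "Value": "[Forward: [SMTP:eve.copy@example.org]]"}]},
]

if __name__ == "__main__":
    for alert in detect(AUDIT_RECORDS):
        print(alert["severity"].upper(), alert["mailbox"], alert["operation"], alert["reasons"])
```

Run over the five constructed events this yields three alerts: alice's rule (external target, financial keywords, delete plus mark-as-read) is critical, carol's mailbox-level forward is high, and eve's Outlook-created rule is medium; bob's archive rule and dave's internal forward produce nothing. In production the same logic runs over Search-UnifiedAuditLog or Office 365 Management API output, and the one-line rename of a folder or a single client IP shared across several mailboxes (203.0.113.10 above) is the pivot an analyst wants next.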
Post-Compromise Email Detection with MailBreach
MailBreach is purpose-built for post-compromise email detection. Rather than trying to prevent the initial account compromise (which is the job of your identity provider, MFA, and email gateway), MailBreach focuses on detecting the persistence mechanisms attackers install after they gain access. The most common and most damaging of these mechanisms is the email forwarding rule.
When you connect MailBreach to your Microsoft 365 or Google Workspace tenant, it performs a complete scan of every mailbox to enumerate all inbox rules, mail forwarding settings, and mail flow configurations. Each rule is analyzed against 12 detection patterns that map to known attacker tactics. Rules that forward to external domains are flagged. Rules that target specific keywords are escalated. Rules that have been hidden from Outlook and OWA by tampering with their underlying MAPI properties receive the highest severity.
MailBreach's baseline comparison approach is particularly effective for detecting exfiltration. After the initial scan, MailBreach maintains a record of all known-good rules in your environment. Any new rule that appears is immediately flagged and compared against your domain allowlist. This means that even if an attacker creates a forwarding rule to a domain that looks legitimate (like a typosquatted version of your company name), MailBreach will detect it as a new, unauthorized rule.
- Scans all mailboxes for forwarding rules, including rules hidden at the MAPI level
- 12 detection patterns mapped to known BEC and exfiltration tactics
- Baseline comparison catches new rules even on legitimate-looking domains
- Automated remediation can disable exfiltration rules without waiting for manual review
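The triage and baseline comparison described above, covering both the attacker rule shapes from "How Email Exfiltration via Forwarding Rules Works" and the known-good baseline from this section, written out as an added example that is not MailBreach's code and does not reproduce its detection patterns. Rules follow the Microsoft Graph messageRule shape; the mailboxes, rules, severity scoring and domain allowlist are constructed for the example. The diff reports rules that are new or whose behaviour changed since the baseline, plus any forward to a domain outside the allowlist, which is how a look-alike domain gets caught without any guess about whether it looks legitimate.

```python
"""Triage inbox rules and diff them against a known-good baseline.

Added example, not MailBreach's code; the severity scoring is this example's
own. Rules follow the shape of the Microsoft Graph messageRule resource
(displayName, isEnabled, conditions, actions with forwardTo/redirectTo/
forwardAsAttachmentTo recipient lists). All mailboxes, rules and the domain
allowlist below are constructed.
"""
INTERNAL_DOMAINS = {"contoso.com"}
ALLOWLIST = {"contoso.com", "partner.example"}   # assumed policy input
FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
KEYWORD_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")
CONCEAL_ACTIONS = ("delete", "markAsRead", "moveToFolder", "stopProcessingRules")
FINANCIAL_TERMS = {"invoice", "wire", "payment", "bank", "contract", "confidential"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def forward_targets(rule):
    """Every address the rule sends mail to, across all forward/redirect actions."""
    actions = rule.get("actions", {})
    return sorted({r["emailAddress"]["address"].lower()
                   for a in FORWARD_ACTIONS for r in actions.get(a, [])})


def classify_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Score one rule against the attacker tactics described on this page."""
    actions, conds = rule.get("actions", {}), rule.get("conditions", {})
    external = [t for t in forward_targets(rule) if domain_of(t) not in internal_domains]
    reasons, score = [], 0
    if external:
        reasons.append("external target(s): " + ", ".join(external))
        score += 2
    terms = [w.lower() for c in KEYWORD_CONDITIONS for w in conds.get(c, [])]
    if terms:
        reasons.append("keyword-filtered: " + ", ".join(terms))
        score += 1
        if any(f in t for t in terms for f in FINANCIAL_TERMS):
            reasons.append("financial keywords")
            score += 1
    conceal = [a for a in CONCEAL_ACTIONS if actions.get(a)]
    if conceal:
        reasons.append("hides forwarded mail: " + ", ".join(conceal))
        score += 1
    if not rule.get("displayName", "").strip():   # blank names are a common attacker habit
        reasons.append("blank rule name")
        score += 1
    severity = ("critical" if score >= 4 else "high" if score == 3
                else "medium" if score == 2 else "low" if score else "none")
    return {"severity": severity, "reasons": reasons, "external": external}


def fingerprint(rule):
    """What a rule does, independent of its id, so an edited known rule is caught."""
    conds = rule.get("conditions", {})
    return (bool(rule.get("isEnabled")), tuple(forward_targets(rule)),
            tuple((k, tuple(v) if isinstance(v, list) else v) for k, v in sorted(conds.items())),
            tuple(a for a in CONCEAL_ACTIONS if rule.get("actions", {}).get(a)))


def compare_snapshots(baseline, current, allowlist=ALLOWLIST, internal_domains=INTERNAL_DOMAINS):
    """Report rules that are new or changed since the baseline, plus any rule that
    forwards outside the allowlist even if it was already there. A look-alike
    domain gets no special treatment: not on the list means flagged."""
    base = {(m, r["id"]): r for m, rules in baseline.items() for r in rules}
    findings = []
    for mailbox, rules in current.items():
        for rule in rules:
            key = (mailbox, rule["id"])
            if key not in base:
                status = "new"
            elif fingerprint(base[key]) != fingerprint(rule):
                status = "changed"
            else:
                status = "baseline"
            verdict = classify_rule(rule, internal_domains)
            unallowed = [t for t in verdict["external"] if domain_of(t) not in allowlist]
            if status != "baseline" or unallowed:
                findings.append({"mailbox": mailbox, "rule_id": rule["id"], "status": status,
                                 "name": rule.get("displayName", ""), "severity": verdict["severity"],
                                 "unallowed_targets": unallowed, "reasons": verdict["reasons"]})
    return findings


def recipient(address):
    return {"emailAddress": {"name": address, "address": address}}


# Constructed snapshots: the baseline from the first scan and a later scan.
BASELINE = {
    "alice@contoso.com": [{"id": "r1", "displayName": "Partner copies", "isEnabled": True,
                           "conditions": {"senderContains": ["partner.example"]},
                           "actions": {"forwardTo": [recipient("ap@partner.example")]}}],
    "bob@contoso.com": [{"id": "r2", "displayName": "Newsletters", "isEnabled": True,
                         "conditions": {"senderContains": ["news"]},
                         "actions": {"moveToFolder": "AAMkFolderId"}}],
}
CURRENT_SNAPSHOT = {
    "alice@contoso.com": BASELINE["alice@contoso.com"] + [
        {"id": "r3", "displayName": "", "isEnabled": True,   # attacker-style rule
         "conditions": {"subjectContains": ["invoice", "wire transfer"]},
         "actions": {"forwardAsAttachmentTo": [recipient("it@contoso-secure.example")],
                     "delete": True, "markAsRead": True}}],
    "bob@contoso.com": [{"id": "r2", "displayName": "Newsletters", "isEnabled": True,   # edited
                         "conditions": {"senderContains": ["news"]},
                         "actions": {"redirectTo": [recipient("bob.home@example.net")],
                                     "markAsRead": True}}],
}
```

Calling compare_snapshots(BASELINE, CURRENT_SNAPSHOT) returns two findings: alice's r3 as a new critical rule (external look-alike domain, financial keywords, delete and mark-as-read, blank name) and bob's r2 as changed and high, because its behaviour fingerprint no longer matches the baseline even though its id and name are unchanged. Alice's long-standing partner forward is silent, since it is unchanged and partner.example is on the allowlist.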
The Real Cost of Undetected Email Exfiltration
The FBI's Internet Crime Complaint Center (IC3) reported that business email compromise caused over $2.9 billion in losses in 2023 alone. A significant portion of these losses involves email exfiltration: attackers monitor forwarded email to learn about pending transactions, then insert themselves into the conversation at the right moment to redirect payments to accounts they control.
Beyond direct financial losses, email exfiltration creates regulatory and legal exposure. If forwarded email contains personally identifiable information (PII), protected health information (PHI), or financial data, the exfiltration may trigger notification obligations under GDPR, HIPAA, state breach notification laws, or industry-specific regulations. The longer a forwarding rule persists undetected, the larger the scope of the breach and the greater the compliance burden.
There's also the competitive intelligence dimension. Forwarded email can contain trade secrets, pricing information, product roadmaps, legal strategy, M&A plans, and other sensitive business information. Competitors, nation-state actors, and corporate espionage operations use email exfiltration to gain strategic advantage. Unlike financial fraud, this type of data theft may never be discovered without proactive detection of the forwarding mechanism.
Key Capabilities
External Forwarding Detection
Identifies every inbox rule, transport rule, and forwarding configuration that sends email outside your organization's domain list.
Keyword-Targeted Rule Alerts
Flags forwarding rules that filter on financial keywords like 'invoice,' 'wire,' or 'payment' — a hallmark of BEC exfiltration campaigns.
Persistence Detection
Finds forwarding rules that survived password resets and session revocations, ensuring your incident response actually removed all attacker persistence.
Automated Remediation
Disable or delete exfiltration rules directly from the dashboard. Auto-remediation mode handles Severity 1 rules without waiting for manual approval.
Ready to secure your email?
Start detecting hidden forwarding rules in minutes. No credit card required.
Detect Email Exfiltration Now