Stop Hidden Email Exfiltration in Google Workspace
Gmail filters and forwarding rules are the attacker's favorite persistence mechanism. MailBreach scans every user's mailbox for unauthorized forwarding configurations that the Admin Console doesn't surface.
14-day free trial. Connect in under 5 minutes. No DNS or routing changes.
How Attackers Exploit Gmail Forwarding and Filters
Google Workspace provides users with powerful email management tools — Gmail filters can automatically label, archive, forward, or delete messages based on sender, subject, keywords, and more. While these features boost productivity, they also give attackers a potent persistence mechanism after an account compromise.
Once an attacker gains access to a Google Workspace account — typically through credential phishing, OAuth consent phishing, or session cookie theft — they create Gmail filters that silently forward emails matching specific criteria to an external address. A filter forwarding messages containing "invoice," "payment," or "wire" to a disposable email account can operate undetected for months. The forwarded copies never appear in the user's Sent folder, and the original messages may be automatically archived or marked as read.
Google Workspace also supports account-level forwarding, where every message received by a user is copied to another address. While admins can disable this at the organizational unit level, many organizations leave it enabled for legitimate workflows. Attackers exploit this by adding their external address as a forwarding target — a change that generates a confirmation email the attacker intercepts before the user notices.
- Gmail filters can forward, archive, and hide intercepted messages silently
- Keyword-triggered filters target high-value messages (invoices, payments, contracts)
- Account-level forwarding copies every inbound message to an external address
- OAuth consent phishing grants persistent access without triggering MFA prompts
What the Google Admin Console Misses
Google Workspace provides an Admin Console with security investigation tools, audit logs, and alert capabilities. Admins can view forwarding settings at the user level and inspect the audit log for filter creation events. However, there are significant gaps in this built-in visibility.
The Admin Console does not provide a consolidated, tenant-wide view of all Gmail filters across all users. To inspect a specific user's filters, an admin must navigate to that user's settings individually — an approach that simply does not scale for organizations with hundreds or thousands of users. There is no native way to search across all users for filters that forward to external domains, match specific keywords, or were created within a suspicious timeframe.
Audit logs in Google Workspace record filter creation and modification events, but these logs must be actively monitored and correlated with threat intelligence to be useful. Most organizations export these logs to a SIEM, but without purpose-built detection rules for Gmail filter abuse patterns, the events are lost in the noise of legitimate filter activity. MailBreach eliminates this gap by performing direct API inspection of every user's filters and forwarding settings, surfacing only the configurations that match known attack patterns.
- No tenant-wide view of Gmail filters across all users in the Admin Console
- Individual user inspection does not scale beyond small organizations
- Audit logs require active monitoring and SIEM correlation to be useful
- MailBreach inspects every user's filters via API and flags only suspicious patterns
How MailBreach Protects Google Workspace Tenants
MailBreach connects to your Google Workspace domain using a service account with domain-wide delegation. Setup takes under five minutes — create a service account in the Google Cloud Console, grant the necessary API scopes, and authorize MailBreach. No third-party marketplace app installation, no DNS changes, no email routing modifications.
Once connected, MailBreach scans every user in your domain for Gmail filters with forwarding actions, account-level forwarding settings, and delegate access configurations. Each finding is evaluated against 12 detection patterns that cover external forwarding to freemail providers, keyword-triggered filters, filters that auto-delete or archive intercepted messages, and forwarding to domains not on your organization's allowlist.
Findings are classified by severity and presented in a unified dashboard alongside any Microsoft 365 findings. Organizations running both Google Workspace and M365 — common in mid-market and enterprise environments — get a single pane of glass for forwarding rule detection across both platforms. Remediation actions (disable filter, remove forwarding address) follow the same approve-or-automate workflow, with before-snapshots and post-action verification built in.
- Service account with domain-wide delegation — no marketplace app required
- Scans Gmail filters, account forwarding, and delegate access for every user
- Unified dashboard for organizations running both Google Workspace and M365
- Same severity classification and remediation workflow across both platforms
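The kind of per-filter evaluation described above can be sketched against the resource shapes the Gmail API returns for `users.settings.filters` and `users.settings.forwardingAddresses`. This is an added example, not MailBreach's code or its 12 detection patterns; the finding names, keyword list, allowlist and sample resources are assumptions constructed for illustration.

```python
# Added example: triage Gmail API filter and forwarding-address resources.
# Sample data is constructed; domains, keywords and allowlist are assumptions.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}  # last is a stand-in
KEYWORDS = ("invoice", "payment", "wire")
ALLOWLIST = {"example.com", "partner.example"}   # hypothetical trusted domains

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_filter(f):
    """Return finding strings for one users.settings.filters resource."""
    action, crit = f.get("action", {}), f.get("criteria", {})
    fwd = action.get("forward")
    if not fwd or domain(fwd) in ALLOWLIST:
        return []
    findings = ["forward-external"]
    if domain(fwd) in FREEMAIL:
        findings.append("forward-freemail")
    text = " ".join(str(crit.get(k, "")) for k in ("subject", "query")).lower()
    if any(k in text for k in KEYWORDS):
        findings.append("keyword-trigger")
    removed = set(action.get("removeLabelIds", []))
    if "TRASH" in action.get("addLabelIds", []):
        findings.append("hide-delete")            # message sent straight to trash
    elif removed & {"INBOX", "UNREAD"}:
        findings.append("hide-archive-or-read")   # archived or marked as read
    return findings

def check_forwarding_address(a):
    """Flag a users.settings.forwardingAddresses resource outside the allowlist."""
    if domain(a["forwardingEmail"]) in ALLOWLIST:
        return []
    status = a.get("verificationStatus", "")
    return ["fwd-address-" + ("pending" if status == "pending" else "external")]

# Constructed sample resources in the shape the Gmail API returns
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"query": "invoice OR wire"},
     "action": {"forward": "drop123@freemail.example",
                "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f2", "criteria": {"from": "hr@example.com"},
     "action": {"forward": "archive@example.com"}},
    {"id": "f3", "criteria": {"subject": "newsletter"},
     "action": {"addLabelIds": ["Label_7"]}},
]
SAMPLE_ADDRESSES = [{"forwardingEmail": "x@mailbox.test", "verificationStatus": "pending"}]

if __name__ == "__main__":
    print([check_filter(f) for f in SAMPLE_FILTERS])
    print([check_forwarding_address(a) for a in SAMPLE_ADDRESSES])
```

The allowlist check runs first, so forwarding to a trusted domain produces no finding even when the filter also archives the message.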
Key Capabilities
Gmail Filter Scanning
Inspects every Gmail filter in every user's mailbox for forwarding actions, auto-delete rules, and keyword-based interception patterns used in BEC attacks.
Forwarding Address Detection
Identifies account-level forwarding configurations, including pending forwarding addresses that haven't been confirmed yet — a telltale sign of an active compromise.
Domain Allowlisting
Configure trusted domains so MailBreach only flags forwarding to unauthorized destinations. Reduces false positives for organizations with legitimate external forwarding workflows.
Cross-Platform Visibility
A single dashboard for Google Workspace and Microsoft 365. Ideal for organizations running hybrid environments or migrating between platforms.