
Email Exfiltration Explained

How attackers exfiltrate data through email forwarding rules, and why traditional DLP solutions miss this attack vector.

Email exfiltration is the unauthorized transfer of sensitive information out of an organization through email channels. Unlike data exfiltration methods that rely on file transfers, USB devices, or cloud storage uploads, email-based exfiltration leverages the organization's own mail infrastructure to move data. Because email is a trusted and heavily used channel, exfiltration through mail-flow rules is exceptionally difficult to detect and can persist for months or years before discovery.

Methods of email exfiltration

Attackers use several techniques to exfiltrate data through email, each with different risk profiles and detection characteristics.

  • Forwarding rules: The most common method. The attacker creates a server-side rule that automatically forwards all incoming email — or messages matching specific criteria — to an external address. The forwarding happens at the server level, so the mailbox owner never sees a copy in their Sent folder.
  • Auto-reply abuse: The attacker configures an automatic reply that includes sensitive data in the response body. When a confederate sends a trigger email, the auto-reply returns the targeted information. This method leaves minimal forensic evidence.
  • Delegate access: Rather than creating forwarding rules, the attacker grants delegate or full-access permissions to another mailbox (often a newly created service account). They then read email directly from the delegated account without generating forwarding events.
  • Calendar and contact exfiltration: Shared calendars and contact lists can contain sensitive information. Attackers who gain mailbox access can export these items or grant external sharing permissions that persist after credential changes.
  • Outbound email from compromised accounts: The attacker manually sends emails with attachments or copy-pasted content to external addresses during active sessions. This is the most visible method but can be disguised within normal email traffic.

Dwell time: the hidden cost

Research from multiple incident response firms consistently shows that email-based exfiltration has among the longest dwell times of any attack vector. The median time between a forwarding rule being created and its discovery ranges from 120 to 200 days, with some rules operating for over a year. During that window, every email received by the compromised mailbox — including confidential legal communications, financial data, strategic plans, and personal information — is silently copied to the attacker.

The extended dwell time compounds the damage. A forwarding rule on a CEO's mailbox that operates for six months does not just leak six months of email; it also gives the attacker enough context to launch secondary attacks, manipulate business negotiations, or commit targeted financial fraud.

Why DLP misses email exfiltration

Data Loss Prevention (DLP) systems are designed to scan outbound email content for sensitive patterns — credit card numbers, social security numbers, classified document markers. They apply policies to messages as they leave the organization through the mail transport pipeline.

Email forwarding rules bypass DLP in several critical ways:

  • Server-side forwarding in Exchange Online can be configured to redirect messages before DLP transport rules are evaluated, depending on the rule type and priority.
  • DLP policies typically scan message content, not mailbox configuration. A forwarding rule itself contains no sensitive data — it is merely an instruction to copy mail to another address.
  • MAPI-level forwarding rules operate within the mailbox store, below the transport layer where DLP inspection occurs.
  • Even when DLP does evaluate forwarded messages, legitimate forwarding is so common that most organizations cannot set a policy to block all external forwarding without disrupting business operations.
  • Attackers who forward only messages matching narrow keyword criteria generate low-volume traffic that falls below typical DLP alert thresholds.

Detection approaches that work

Effective email exfiltration detection requires shifting focus from message content to mailbox configuration. The goal is not to scan what is being sent, but to audit how the mail system is configured to route messages.

  • Enumerate all forwarding rules, transport rules, SMTP forwarding settings, and Gmail filters across every mailbox in the tenant. Compare against a maintained allowlist of approved forwarding destinations.
  • Monitor audit logs for rule creation, modification, and deletion events. Correlate these events with authentication logs to identify rules created during suspicious sessions.
  • Track delegate access grants and full-access permissions. Alert on permissions granted to external users or to newly created internal accounts with no prior history.
  • Implement domain-based restrictions that prevent forwarding to free email providers (gmail.com, outlook.com, yahoo.com) and recently registered domains.
  • Run automated scans on a recurring schedule. A rule removed during incident response can be silently re-created within hours if the attacker retains any form of access.
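The allowlist comparison and rule triage described above, as an added example that is not MailBreach's code: it assumes inbox rules have already been exported into dicts whose keys mirror the Exchange Online Get-InboxRule properties (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, SubjectContainsWords), that recipients are rendered as "Name [SMTP:user@domain]", and that the tenant domain and allowlist are the constructed values below.

```python
"""Triage exported mailbox forwarding rules against an allowlist (added example)."""
from __future__ import annotations

INTERNAL_DOMAINS = {"example.com"}                     # assumed tenant domains
APPROVED_DESTINATIONS = {"partner.example.net"}        # maintained allowlist (assumed)
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # providers named on this page

def domain_of(address: str) -> str:
    # Accepts the Get-InboxRule rendering "Name [SMTP:user@domain]" or a bare address
    smtp = address.split("SMTP:")[-1].rstrip("]").strip()
    return smtp.rpartition("@")[2].lower()

def review_rule(rule: dict) -> list[str]:
    """Return human-readable findings; an empty list means the rule looks benign."""
    findings = []
    targets = [a for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
               for a in (rule.get(key) or [])]
    for addr in targets:
        dom = domain_of(addr)
        if dom in INTERNAL_DOMAINS or dom in APPROVED_DESTINATIONS:
            continue  # internal or explicitly approved destination
        kind = "free-mail provider" if dom in FREE_MAIL else "unapproved external domain"
        findings.append(f"forwards to {kind}: {addr}")
    if targets and rule.get("DeleteMessage"):
        findings.append("deletes the original after forwarding (hides the copy from the owner)")
    if targets and rule.get("SubjectContainsWords"):
        # Keyword-scoped forwarding keeps volume low, below typical DLP alert thresholds
        findings.append("keyword-scoped forwarding: " + ", ".join(rule["SubjectContainsWords"]))
    if findings and len(rule.get("Name", "")) <= 2:
        findings.append(f"suspiciously short rule name {rule.get('Name')!r}")
    return findings

def triage(rules: list[dict]) -> dict[str, list[str]]:
    """Map 'mailbox/rule name' -> findings for every rule that needs analyst attention."""
    return {f"{r['Mailbox']}/{r['Name']}": f for r in rules if (f := review_rule(r))}

SAMPLE_RULES = [  # constructed sample export, not real tenant data
    {"Mailbox": "ceo@example.com", "Name": ".", "RedirectTo": ["[SMTP:x9@gmail.com]"],
     "DeleteMessage": True, "SubjectContainsWords": ["invoice", "wire", "acquisition"]},
    {"Mailbox": "ap@example.com", "Name": "Partner copies",
     "ForwardTo": ["billing [SMTP:billing@partner.example.net]"], "DeleteMessage": False},
    {"Mailbox": "hr@example.com", "Name": "Archive", "ForwardTo": ["archive@example.com"]},
]

if __name__ == "__main__":
    for key, items in triage(SAMPLE_RULES).items():
        print(key + "\n  - " + "\n  - ".join(items))
```

Run on a recurring schedule over a fresh export so a rule re-created after incident response is caught on the next pass.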

The organizations most vulnerable to email exfiltration are those that rely exclusively on message-layer security while leaving the configuration layer unmonitored. Closing this gap requires tools that operate at the mailbox configuration level — exactly where forwarding rules and inbox filters live.

Detect these threats automatically

MailBreach scans every mailbox in your M365 or Google Workspace tenant for hidden forwarding rules and suspicious inbox filters.
