
Email Forwarding Rules: Security Risks

How email forwarding rules work, why attackers abuse them, and the security risks they pose to Microsoft 365 and Google Workspace tenants.

Email forwarding rules are configuration-level settings that instruct a mail server to automatically route copies of incoming messages to another address. In legitimate use, they help employees consolidate inboxes, delegate tasks, or maintain continuity during role transitions. In the hands of an attacker, they become a silent, persistent exfiltration channel that operates without any ongoing access to the compromised account.

Types of email forwarding

Not all forwarding rules are created equal. The specific mechanism used determines visibility, scope, and how difficult the rule is to detect.

  • Server-side inbox rules (Exchange Online): Created through Outlook, OWA, Exchange Online PowerShell (New-InboxRule) or the Graph and EWS APIs, these rules can forward, redirect, or forward-as-attachment to any address. They execute on the server regardless of whether the user is logged in. They are stored per mailbox, so the Exchange admin center does not list them alongside mail flow rules; an administrator enumerates them with Get-InboxRule -Mailbox <user>, and their creation shows up in the unified audit log as New-InboxRule, Set-InboxRule or UpdateInboxRules.
  • MAPI-level rules: Every inbox rule is ultimately a hidden, folder-associated message in the Inbox, and a client that speaks MAPI directly (MFCMAPI, or a legacy Outlook client) can write those messages without going through any rule editor. If the properties Outlook uses to name and list a rule are stripped, the server still executes it, but it no longer appears in OWA, the Outlook desktop client or the default Get-InboxRule listing. These are the most dangerous type precisely because the usual review paths cannot see them; only an enumeration of the Inbox's associated-contents table does.
  • Transport rules (mail flow rules): Configured at the organization level by Exchange administrators in the admin center or with New-TransportRule. They run in the transport pipeline before a message reaches any mailbox and can redirect (RedirectMessageTo), Bcc (BlindCopyTo) or add recipients (AddToRecipients, CopyTo) for entire groups of users, so a single rule created from a compromised admin account can intercept mail for the whole tenant. Because they live outside any mailbox, a per-mailbox rule review never sees them; audit Get-TransportRule separately.
  • SMTP forwarding: A mailbox-level property that forwards every incoming message to another address. In Exchange Online this is ForwardingSmtpAddress (settable by the user in OWA or by an admin with Set-Mailbox) or ForwardingAddress (admin-set, to an internal recipient), and DeliverToMailboxAndForward decides whether the mailbox also keeps a copy. It is the simplest form of forwarding, has no rule name to inspect, and is missed by anyone who audits only inbox rules. The tenant's outbound spam filter policy (AutoForwardingMode) controls whether automatic forwarding to external addresses is allowed to leave the tenant at all.
  • Gmail filters with forwarding: In Google Workspace, users can create filters whose action forwards matching messages, or enable whole-mailbox auto-forwarding; both are configured through the Gmail settings UI or the Gmail API (users.settings.filters, users.settings.updateAutoForwarding) and operate server-side. Gmail normally requires the destination to be added and verified as a forwarding address first, so a pending forwarding address, or the verification message it generated, is itself an artifact to look for during an investigation.

Legitimate vs. malicious use

Distinguishing between legitimate and malicious forwarding rules is one of the hardest challenges in email security. A CFO forwarding invoices to their assistant looks structurally identical to an attacker forwarding invoices to an external account.

Key indicators that a rule may be malicious include:

  • The destination address is in an external domain that has no business relationship with the organization.
  • The rule was created during a session flagged for anomalous sign-in behavior — unfamiliar IP address, impossible travel, or anonymous proxy.
  • The rule targets specific high-value keywords: "wire," "payment," "invoice," "confidential," "merger," "acquisition."
  • The rule includes a companion action that marks forwarded messages as read, deletes them, or moves them to a folder the owner rarely opens (RSS Feeds and Conversation History are common choices), preventing the mailbox owner from noticing.
  • The rule name is a single character or punctuation (".", "..", ",") or mimics a system rule, chosen so it blends in or is easy to overlook in a long rules list.
  • The destination domain was recently registered, is a lookalike of the organization's or a vendor's domain, or uses a free email provider.
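As an added example (not code from the original page or from MailBreach), the following Python takes the forwarding mechanisms listed in the previous section, normalises each into a set of destination addresses, and scores it against the indicators just listed. It assumes contoso.com as the tenant, fabrikam.com as an approved partner, and small constructed enrichment tables for domain age and risky sign-in sessions; the sample records are constructed to mimic the shape of Get-InboxRule output, Get-Mailbox forwarding properties and Gmail API filter resources, not data from any real tenant.

```python
# Added example, not the page's or any vendor's code: triage of exported forwarding configuration.
# Constructed records mimic Get-InboxRule output, Get-Mailbox forwarding properties and the Gmail API
# users.settings.filters resource; contoso.com, fabrikam.com and the enrichment tables are assumptions.
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # assumed accepted domains
KNOWN_PARTNERS = {"fabrikam.com"}                              # assumed business relationships
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me", "protonmail.com"}
HIGH_VALUE = {"wire", "payment", "invoice", "confidential", "merger", "acquisition"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items", "junk email"}
DOMAIN_AGE_DAYS = {"cont0so-billing.com": 9}  # assumed WHOIS/RDAP enrichment: days since registration
ANOMALOUS_SESSION = {"cfo@contoso.com"}       # assumed sign-in risk flag on the configuring session
# Get-InboxRule renders recipients as '"Display Name" [SMTP:user@example.org]', ForwardingSmtpAddress
# as 'smtp:user@example.org' and Gmail as a bare address; one regex pulls the address out of all three.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def extract_addresses(value):
    """Lower-cased SMTP addresses found in a string or list of strings; None/empty gives []."""
    values = [value] if isinstance(value, str) else (value or [])
    return [a.lower() for v in values for a in ADDR_RE.findall(v)]

@dataclass
class Finding:
    mailbox: str
    source: str  # inbox_rule | smtp_forwarding | gmail_filter
    name: str
    destinations: list
    indicators: list = field(default_factory=list)

def assess(mailbox, source, name, destinations, keywords=(), hides=False):
    """Apply the indicators listed in the text to one forwarding configuration."""
    ind = []
    for dest in destinations:
        domain = dest.rsplit("@", 1)[1]
        if domain in INTERNAL_DOMAINS:
            continue  # internal delegation is not an indicator on its own
        if domain not in KNOWN_PARTNERS:
            ind.append(f"external destination {dest} with no known business relationship")
        if domain in FREE_MAIL:
            ind.append(f"destination {dest} is on a free email provider")
        if DOMAIN_AGE_DAYS.get(domain, 10**6) < 30:
            ind.append(f"destination domain {domain} was registered {DOMAIN_AGE_DAYS[domain]} days ago")
    if mailbox in ANOMALOUS_SESSION:
        ind.append("configured during a session flagged for anomalous sign-in")
    hits = {k.lower() for k in keywords} & HIGH_VALUE
    if hits:
        ind.append("filters on high-value keywords: " + ", ".join(sorted(hits)))
    if hides:
        ind.append("companion action hides the forwarded mail from the owner")
    return Finding(mailbox, source, name, list(destinations), ind)

def triage_inbox_rule(mailbox, rule):
    dests = [a for p in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo") for a in extract_addresses(rule.get(p))]
    if not dests:
        return None
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].lower()  # 'user@x:\RSS Feeds' -> 'rss feeds'
    hides = bool(rule.get("DeleteMessage") or rule.get("MarkAsRead")) or folder in HIDING_FOLDERS
    words = [w for p in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
             for w in (rule.get(p) or [])]
    return assess(mailbox, "inbox_rule", rule.get("Name") or "<unnamed>", dests, words, hides)

def triage_smtp_forwarding(mailbox, mbx):
    dests = extract_addresses(mbx.get("ForwardingSmtpAddress"))
    # DeliverToMailboxAndForward=False means the mailbox keeps no copy, so the owner never sees the mail.
    hides = not mbx.get("DeliverToMailboxAndForward", True)
    return assess(mailbox, "smtp_forwarding", "ForwardingSmtpAddress", dests, hides=hides) if dests else None

def triage_gmail_filter(mailbox, flt):
    action, criteria = flt.get("action", {}), flt.get("criteria", {})
    dests = extract_addresses(action.get("forward"))
    if not dests:
        return None
    hides = bool(set(action.get("removeLabelIds", [])) & {"INBOX", "UNREAD"}) or "TRASH" in action.get("addLabelIds", [])
    words = re.findall(r"\w+", f"{criteria.get('subject', '')} {criteria.get('query', '')}")
    return assess(mailbox, "gmail_filter", flt.get("id", "<no id>"), dests, words, hides)

# Constructed sample export; not data from any real tenant.
INBOX_RULES = {
    "cfo@contoso.com": [{"Name": "..", "ForwardTo": ['"." [SMTP:cfo.contoso@gmail.com]'], "MarkAsRead": True,
                         "SubjectOrBodyContainsWords": ["wire", "invoice"], "MoveToFolder": "cfo@contoso.com:\\RSS Feeds"}],
    "ap@contoso.com": [{"Name": "Vendor sync", "RedirectTo": ['"Billing" [SMTP:finance@cont0so-billing.com]'],
                        "DeleteMessage": True}],
}
MAILBOX_SETTINGS = {"sales@contoso.com": {"ForwardingSmtpAddress": "smtp:archive@fabrikam.com",
                                          "DeliverToMailboxAndForward": True}}
GMAIL_FILTERS = {"ceo@contoso.com": [{"id": "filter-1", "criteria": {"query": "payment OR merger"},
                 "action": {"forward": "ceo.backup@proton.me", "removeLabelIds": ["INBOX", "UNREAD"]}}]}

def run_triage(inbox_rules=INBOX_RULES, mailbox_settings=MAILBOX_SETTINGS, gmail_filters=GMAIL_FILTERS):
    """Every forwarding configuration found, most indicators first; zero indicators is the benign baseline."""
    found = [triage_inbox_rule(m, r) for m, rules in inbox_rules.items() for r in rules]
    found += [triage_smtp_forwarding(m, s) for m, s in mailbox_settings.items()]
    found += [triage_gmail_filter(m, f) for m, filters in gmail_filters.items() for f in filters]
    return sorted((f for f in found if f), key=lambda f: len(f.indicators), reverse=True)

if __name__ == "__main__":
    for f in run_triage():
        print(f"[{len(f.indicators)}] {f.mailbox} {f.source} {f.name!r} -> {', '.join(f.destinations)}")
        for line in f.indicators:
            print("     -", line)
```

Run as a script, the two free-mail forwards with hiding actions sort to the top and the SMTP forward to the approved partner scores zero. That is the structural-identity problem from the text in code: nothing about the rule's shape separates the cases, only destination, keywords and companion actions do. MoveToFolder is compared on its final path segment because Get-InboxRule renders it as mailbox:\Folder, and the benign internal destination is skipped rather than scored so that delegation to a colleague never trips the external-domain indicators.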

Attack scenarios

  • Persistent exfiltration: An attacker compromises an executive's account, creates a forwarding rule to an external address, then logs out. Resetting the password and revoking sessions cuts off the attacker's interactive access but does not touch mailbox configuration, so the rule keeps forwarding until someone finds and deletes it.
  • Targeted interception: The attacker creates a rule that only forwards messages containing specific keywords or from specific senders, such as the organization's bank or legal counsel.
  • Supply chain compromise: After compromising a vendor's email, the attacker creates a rule that forwards all communication with a specific customer. They monitor the thread and eventually inject a fraudulent payment instruction at the right moment.
  • Multi-rule layering: Sophisticated attackers create multiple rules: one to forward, another to delete or mark as read the originals so the owner never sees that the message arrived, and a third to move certain replies to a hidden folder, so the entire operation stays invisible to the mailbox owner.

Detection challenges

Standard email security tools (secure email gateways, anti-phishing platforms, and CASB solutions) inspect messages in transit. Forwarding rules are mailbox and tenant configuration, which those tools do not read, and the server forwards a message after the gateway has already judged it clean. An admin reviewing the Exchange admin center sees mail flow rules but not per-mailbox inbox rules, and neither the admin nor the user sees MAPI-level rules whose name properties have been stripped, so a user checking their Outlook rules may see an incomplete list. Complete visibility requires enumerating the rules table of every mailbox directly (Get-InboxRule, the Graph messageRules endpoint, or a MAPI-level listing of the Inbox's rule messages) and, separately, the tenant's transport rules and each mailbox's forwarding properties.

Continuous monitoring is essential because attackers frequently re-establish forwarding rules after they are removed, especially if the initial access vector has not been fully remediated.
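An added example (not from the original page or from MailBreach) of the monitoring loop this implies: diff a post-remediation baseline of forwarding destinations against the next scheduled export, and match on destination rather than rule name, so a forward the attacker re-creates under a new name, or from a different mailbox, is reported as re-established instead of just "new". Mailboxes, addresses and the remediation record are constructed, and contoso.com is an assumed tenant domain.

```python
# Added example, not the page's or any vendor's code: compare a post-remediation baseline of forwarding
# destinations per mailbox with the next export. Re-establishment is matched on the destination, never
# on the rule name, because renaming a rule costs the attacker nothing.
# The snapshots and the remediation record are constructed; contoso.com is an assumed tenant domain.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me", "protonmail.com"}

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def compare_snapshots(baseline, current, remediated):
    """baseline/current: {mailbox: set of destination addresses}; remediated: addresses removed earlier.

    A destination counts as re-established if it is an exact address removed before, or shares a domain
    with one, except for free-mail domains: too many unrelated users share gmail.com for a domain match
    there to mean anything, so those only ever count as new."""
    rem_domains = {domain_of(a) for a in remediated} - FREE_MAIL
    result = {"new": {}, "removed": {}, "reestablished": {}}
    for mbx in sorted(baseline.keys() | current.keys()):
        before, after = baseline.get(mbx, set()), current.get(mbx, set())
        added, gone = after - before, before - after
        if added:
            result["new"][mbx] = added
        if gone:
            result["removed"][mbx] = gone
        back = {a for a in added if a in remediated or domain_of(a) in rem_domains}
        if back:
            result["reestablished"][mbx] = back
    return result

# Constructed data: the baseline was taken right after incident response removed two forwards.
BASELINE = {"cfo@contoso.com": set(), "sales@contoso.com": {"archive@fabrikam.com"}}
REMEDIATED = {"cfo.contoso@gmail.com", "finance@cont0so-billing.com"}
CURRENT = {
    "cfo@contoso.com": {"cfo.contoso@gmail.com"},   # same destination under a new rule name: re-established
    "sales@contoso.com": {"archive@fabrikam.com"},  # unchanged, approved partner forward
    "ap@contoso.com": {"ap@cont0so-billing.com"},   # attacker domain reused from a different mailbox
    "hr@contoso.com": {"hr.contoso@gmail.com"},     # new free-mail forward: needs triage, but not a rerun
}

if __name__ == "__main__":
    for kind, hits in compare_snapshots(BASELINE, CURRENT, REMEDIATED).items():
        for mbx, dests in hits.items():
            print(f"{kind:14} {mbx}: {', '.join(sorted(dests))}")
```

The baseline must be the export taken after the rules were removed, not the one that found them; diffing against the pre-remediation snapshot would show the re-created forward as unchanged. Feeding the exported destinations from a triage script into this comparison on a schedule is what turns a one-off clean-up into the continuous monitoring the paragraph above calls for.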

Detect these threats automatically

MailBreach scans every mailbox in your M365 or Google Workspace tenant for hidden forwarding rules and suspicious inbox filters.
