The Hidden Risk of Business Email Forwarding Rules
Clint Underwood
Jun 16, 2026 7:00:00 AM
Introduction
Email remains one of the primary communication channels for most businesses. Because of that, it is also one of the most targeted entry points for attackers.
While phishing and credential theft get most of the attention, there is a quieter and often more persistent risk that many businesses overlook: malicious email forwarding rules.
These rules are simple, easy to create, and surprisingly effective—and once in place, they can operate unnoticed for extended periods of time.
How Forwarding Rules Are Used in Attacks
Once an attacker gains access to a user’s email account, one of the first steps is often to establish persistence. They want to maintain visibility into communications even if the password is changed.
Forwarding rules allow them to do exactly that.
An attacker may create a rule that:
- Forwards all incoming emails to an external address
- Redirects emails containing certain keywords (like “invoice” or “wire”)
- Moves certain emails out of the inbox to avoid detection
From that point forward, the attacker has ongoing access to sensitive conversations and business context.
Why This Often Goes Unnoticed
Unlike more obvious attacks, forwarding rules do not disrupt operations.
Emails still arrive. The user continues working normally. There are no clear signs that anything is wrong.
Because of that:
- The compromise can persist longer
- Sensitive conversations can be monitored in real time
- Financial or operational targeting becomes more precise
In many cases, the issue is only discovered after an incident has occurred.
The Business Risk
The risk is not just unauthorized access—it is informed access.
With visibility into internal communications, an attacker can:
- Time phishing attempts more effectively
- Impersonate leadership or vendors convincingly
- Intercept financial discussions
- Gain insight into operational decisions
This significantly increases the likelihood and impact of follow-on attacks.
What Organizations Should Be Doing
Managing this risk does not require complex tooling—it requires awareness and monitoring.
Best practices include:
- Regular review of mailbox rules, especially external forwarding
- Alerting on new forwarding rules or changes
- Disabling automatic external forwarding where possible
- User awareness training focused on account compromise scenarios
- Monitoring unusual login and access behavior
These controls are simple, but they close a gap that is frequently exploited.
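As an added illustration of the rule types described under "How Forwarding Rules Are Used in Attacks" and of the review-and-alert practices listed above (example code, not from the original post), the following Python audit flags rules that forward outside the organisation, select financial mail by keyword, or move matched mail out of the inbox. The rule schema, internal domains, keyword watch-list and sample export are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed for this example: our own mail domains, plus a hypothetical
# watch-list built from the keywords the post mentions.
INTERNAL_DOMAINS = {"example.com"}
WATCH_KEYWORDS = {"invoice", "wire", "payment"}

@dataclass
class InboxRule:
    """One rule from a mailbox-rule export (hypothetical schema, not any vendor's)."""
    name: str
    mailbox: str
    forward_to: List[str] = field(default_factory=list)   # forward or redirect targets
    subject_contains: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None                  # None = message stays in inbox

def external_recipients(addresses: List[str]) -> List[str]:
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def assess_rule(rule: InboxRule) -> List[str]:
    """Findings for one rule; an empty list means nothing suspicious."""
    findings = []
    ext = external_recipients(rule.forward_to)
    if ext:
        findings.append("sends mail outside the organisation: " + ", ".join(ext))
    hits = sorted(k for k in WATCH_KEYWORDS
                  if any(k in s.lower() for s in rule.subject_contains))
    if hits:
        findings.append("selects financial mail by keyword: " + ", ".join(hits))
    # Moving matched mail out of the inbox is how a rule keeps its activity out of sight
    if rule.move_to_folder and (ext or hits):
        findings.append("moves matched messages out of the inbox")
    return findings

def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox/rule' to findings for every rule an analyst should review."""
    return {f"{r.mailbox}/{r.name}": f for r in rules if (f := assess_rule(r))}

# Constructed sample export; none of these mailboxes, rules or addresses are real.
SAMPLE_RULES = [
    InboxRule("Vendor follow-up", "cfo@example.com", forward_to=["cfo.backup@personal-mail.example"]),
    InboxRule("Invoices", "ap@example.com", forward_to=["drop@personal-mail.example"],
              subject_contains=["Invoice", "wire transfer"], move_to_folder="RSS Feeds"),
    InboxRule("Newsletter cleanup", "ap@example.com", subject_contains=["newsletter"],
              move_to_folder="Newsletters"),
    InboxRule("Team copy", "cfo@example.com", forward_to=["assistant@example.com"]),
]
```

A real export from your mail platform would be mapped onto InboxRule before calling audit; rules that appear in its output for the first time are the ones worth an alert.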
Conclusion
Email security is not just about preventing access—it is about understanding what can happen after access is gained.
Forwarding rules represent a small configuration with a large potential impact. The organizations that proactively monitor and manage them are far less likely to be caught off guard by a quiet but persistent breach.