Email remains one of the primary communication channels for most businesses. Because of that, it is also one of the most targeted entry points for attackers.
While phishing and credential theft get most of the attention, there is a quieter and often more persistent risk that many businesses overlook: malicious email forwarding rules.
These rules are simple, easy to create, and surprisingly effective—and once in place, they can operate unnoticed for extended periods of time.
Once an attacker gains access to a user’s email account, one of the first steps is often to establish persistence. They want to maintain visibility into communications even if the password is changed.
Forwarding rules allow them to do exactly that.
An attacker may create a rule that:
From that point forward, the attacker has ongoing access to sensitive conversations and business context.
Unlike more obvious attacks, forwarding rules do not disrupt operations.
Emails still arrive. The user continues working normally. There are no clear signs that anything is wrong.
Because of that:
In many cases, the issue is only discovered after an incident has occurred.
The risk is not just unauthorized access—it is informed access.
With visibility into internal communications, an attacker can:
This significantly increases the likelihood and impact of follow-on attacks.
Managing this risk does not require complex tooling—it requires awareness and monitoring.
Best practices include:
These controls are simple, but they close a gap that is frequently exploited.
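As an added illustration of the monitoring the post calls for (this is example code written for this page, not something from the original post), the Python below audits an exported set of mailbox inbox rules and flags any rule that forwards or redirects mail to an address outside the organisation's own domains. A flagged rule is rated higher when it also hides the forwarded copy by deleting it, marking it read, or filing it into a folder, since that is what lets a rule run unnoticed. The record shape is an assumption loosely modelled on the Microsoft Graph `messageRule` resource; `INTERNAL_DOMAINS` and `SAMPLE_RULES` are constructed sample data, to be replaced by your own domain list and a real export from your mail platform.

```python
"""Audit exported inbox rules for silent forwarding to external addresses.

Added example for this page, not code from the original post. The rule
records are constructed and loosely follow the Microsoft Graph messageRule
layout (an assumption); adapt the field names to whatever your mail
platform exports.
"""
from __future__ import annotations

# Constructed: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export of four inbox rules from one mailbox.
SAMPLE_RULES = [
    {   # Legitimate filing rule: no forwarding at all.
        "id": "rule-1",
        "displayName": "Invoices to Finance folder",
        "conditions": {"subjectContains": ["invoice"]},
        "actions": {"moveToFolder": "Finance"},
    },
    {   # Forwards everything externally AND hides the copy: worst case.
        "id": "rule-2",
        "displayName": "Sync",
        "conditions": {},
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "collector@external-example.net"}}],
            "markAsRead": True,
            "delete": True,
        },
    },
    {   # Forwards internally to a colleague: not flagged.
        "id": "rule-3",
        "displayName": "Copy assistant",
        "conditions": {"senderContains": ["vendor"]},
        "actions": {"forwardTo": [{"emailAddress": {"address": "assistant@example.com"}}]},
    },
    {   # External forward that leaves the original visible: still worth review.
        "id": "rule-4",
        "displayName": "Partner updates",
        "conditions": {"subjectContains": ["project"]},
        "actions": {
            "forwardAsAttachmentTo": [{"emailAddress": {"address": "pm@partner-example.org"}}],
        },
    },
]

# Action keys that send a copy of a message somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def address_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule: dict, internal_domains: set[str]) -> list[tuple[str, str]]:
    """List (action, address) pairs whose address lies outside internal_domains."""
    actions = rule.get("actions", {})
    targets = []
    for action in FORWARDING_ACTIONS:
        for recipient in actions.get(action, []):
            address = recipient.get("emailAddress", {}).get("address", "")
            if address and address_domain(address) not in internal_domains:
                targets.append((action, address))
    return targets


def hides_copy(rule: dict) -> bool:
    """True when the rule also removes the message from the user's view."""
    actions = rule.get("actions", {})
    return bool(actions.get("delete")) or bool(actions.get("markAsRead")) or "moveToFolder" in actions


def audit_rules(rules: list[dict], internal_domains: set[str] = INTERNAL_DOMAINS) -> list[dict]:
    """Return one finding per rule that forwards or redirects mail externally.

    Severity is 'high' when the rule also conceals the copy, else 'medium'.
    Findings keep the original rule order so reviewers can match them up.
    """
    findings = []
    for rule in rules:
        targets = external_targets(rule, internal_domains)
        if not targets:
            continue
        concealed = hides_copy(rule)
        findings.append({
            "id": rule["id"],
            "name": rule.get("displayName", ""),
            "targets": targets,
            "hides_copy": concealed,
            "severity": "high" if concealed else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        where = ", ".join(f"{action} -> {addr}" for action, addr in finding["targets"])
        print(f"[{finding['severity'].upper()}] {finding['id']} '{finding['name']}': {where}"
              + (" (copy hidden)" if finding["hides_copy"] else ""))
```

Run it as a scheduled job against a fresh export of every mailbox's rules and alert on any new finding; the first run establishes a baseline of approved external forwards (such as rule-4 above, if a partner arrangement exists) so that later runs only surface changes.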
Email security is not just about preventing access—it is about understanding what can happen after access is gained.
Forwarding rules represent a small configuration with a large potential impact. The organizations that proactively monitor and manage them are far less likely to be caught off guard by a quiet but persistent breach.