When a business email account is compromised, most companies follow a reasonable playbook: reset the password, enable MFA if it wasn't already on, scan the device for malware, and move on. But there's a step that gets missed far too often - and it's the one that lets the attacker maintain access long after you think the incident is resolved.
Mail forwarding rules.
How the Attack Works
Here's the typical sequence: an attacker gains access to an employee's Microsoft 365 or Google Workspace account, usually through phishing or credential stuffing. Before doing anything visible, they create an inbox rule that silently forwards a copy of all incoming email - or emails matching specific criteria like "invoice," "payment," "wire," or "bank" - to an external email address the attacker controls.
Then they wait. Sometimes for weeks. They read the forwarded emails, learn the communication patterns, understand who handles money, and identify opportunities. When they're ready, they execute - usually a Business Email Compromise attack where they impersonate a vendor or executive to redirect a payment.
Meanwhile, the original user has no idea their email is being forwarded. The rule is hidden in their mailbox settings, operating silently in the background. If the password gets changed, the forwarding rule persists. If MFA is enabled, the rule persists. The rule lives in the mailbox, not in the authentication - it doesn't need the attacker to log in again to keep working.
Why This Is So Effective
The brilliance of this attack - from the attacker's perspective - is its patience and persistence:
- It's invisible to the user. The forwarded emails don't disappear from the inbox. The user sees everything normally. There's no indication that a copy is going somewhere else.
- It survives credential changes. Resetting the password doesn't remove mailbox rules. Neither does enabling MFA. The rule was created when the attacker had access, and it continues to function after access is revoked.
- It provides ongoing intelligence. The attacker doesn't need to log in again. They receive a continuous stream of business communications that they can use to plan a targeted attack at the perfect moment.
- It's often overlooked in incident response. Most password reset procedures don't include auditing mailbox rules. If nobody checks, the forwarding rule can persist for months.
Real-World Impact
We've seen this attack vector result in six-figure losses for businesses. In one case, an attacker monitored a forwarded inbox for three weeks, learned that a construction company was about to pay a $180,000 subcontractor invoice, and sent a perfectly timed email - from a domain that was one letter off from the real subcontractor - with "updated" bank account information. The payment went to the attacker's account. By the time anyone noticed, the money was gone.
The forwarding rule had been active for 23 days. Nobody checked.
How to Detect and Prevent Forwarding Rules
Audit existing rules now. In Microsoft 365, administrators can search for forwarding rules across all mailboxes using PowerShell or the Exchange admin center. In Google Workspace, check the admin console for forwarding settings. If you find rules forwarding to external addresses that users didn't create - that's an active compromise.
Block automatic forwarding to external domains. Microsoft 365 and Google Workspace both allow administrators to create policies that prevent mailbox rules from forwarding email to external addresses. For most businesses, there's no legitimate reason for email to be auto-forwarded outside the organization. Blocking it eliminates this attack vector entirely.
Monitor for new rules. SaaS alerting tools can detect when new forwarding rules are created and alert your IT team in real time. This is one of the specific behaviors we monitor for in our managed IT clients' environments - if a forwarding rule to an external address appears, we know about it immediately.
Include rule audits in incident response. Any time an email account is compromised - or suspected to be compromised - auditing mailbox rules should be step two, right after resetting the password. Check for forwarding rules, redirect rules, delete rules (attackers sometimes create rules that automatically delete emails from certain senders to cover their tracks), and any rule the user doesn't recognize.
The Broader Lesson
Email forwarding rules are one example of a larger category of post-compromise persistence mechanisms. Attackers don't just break in and act immediately - they establish ways to maintain access and gather intelligence over time. OAuth app permissions, registered devices, trusted IPs, and mailbox rules are all mechanisms that survive a password reset.
Complete incident response means revoking all of these persistence mechanisms, not just changing the password. If your incident response checklist doesn't include auditing mailbox rules, OAuth connections, and registered devices, it has a gap - and it's a gap attackers know about and exploit.
