Cybersecurity6 min read

Email Forwarding Rules: The Silent Backdoor in Your Inbox

By Inevat Team·July 16, 2026
Email Forwarding Rules: The Silent Backdoor in Your Inbox

Image by cottonbro studio

When a business email account is compromised, most companies follow a reasonable playbook: reset the password, enable MFA if it wasn't already on, scan the device for malware, and move on. But there's a step that gets missed far too often - and it's the one that lets the attacker maintain access long after you think the incident is resolved.

Mail forwarding rules.

How the Attack Works

Here's the typical sequence: an attacker gains access to an employee's Microsoft 365 or Google Workspace account, usually through phishing or credential stuffing. Before doing anything visible, they create an inbox rule that silently forwards a copy of all incoming email - or emails matching specific criteria like "invoice," "payment," "wire," or "bank" - to an external email address the attacker controls.

Then they wait. Sometimes for weeks. They read the forwarded emails, learn the communication patterns, understand who handles money, and identify opportunities. When they're ready, they execute - usually a Business Email Compromise attack where they impersonate a vendor or executive to redirect a payment.

Meanwhile, the original user has no idea their email is being forwarded. The rule is hidden in their mailbox settings, operating silently in the background. If the password gets changed, the forwarding rule persists. If MFA is enabled, the rule persists. The rule lives in the mailbox, not in the authentication - it doesn't need the attacker to log in again to keep working.

Why This Is So Effective

The brilliance of this attack - from the attacker's perspective - is its patience and persistence:

  • It's invisible to the user. The forwarded emails don't disappear from the inbox. The user sees everything normally. There's no indication that a copy is going somewhere else.
  • It survives credential changes. Resetting the password doesn't remove mailbox rules. Neither does enabling MFA. The rule was created when the attacker had access, and it continues to function after access is revoked.
  • It provides ongoing intelligence. The attacker doesn't need to log in again. They receive a continuous stream of business communications that they can use to plan a targeted attack at the perfect moment.
  • It's often overlooked in incident response. Most password reset procedures don't include auditing mailbox rules. If nobody checks, the forwarding rule can persist for months.

Real-World Impact

We've seen this attack vector result in six-figure losses for businesses. In one case, an attacker monitored a forwarded inbox for three weeks, learned that a construction company was about to pay a $180,000 subcontractor invoice, and sent a perfectly timed email - from a domain that was one letter off from the real subcontractor - with "updated" bank account information. The payment went to the attacker's account. By the time anyone noticed, the money was gone.

The forwarding rule had been active for 23 days. Nobody checked.

How to Detect and Prevent Forwarding Rules

Audit existing rules now. In Microsoft 365, administrators can search for forwarding rules across all mailboxes using PowerShell or the Exchange admin center. In Google Workspace, check the admin console for forwarding settings. If you find rules forwarding to external addresses that users didn't create - that's an active compromise.

Block automatic forwarding to external domains. Microsoft 365 and Google Workspace both allow administrators to create policies that prevent mailbox rules from forwarding email to external addresses. For most businesses, there's no legitimate reason for email to be auto-forwarded outside the organization. Blocking it eliminates this attack vector entirely.

Monitor for new rules. SaaS alerting tools can detect when new forwarding rules are created and alert your IT team in real time. This is one of the specific behaviors we monitor for in our managed IT clients' environments - if a forwarding rule to an external address appears, we know about it immediately.

Include rule audits in incident response. Any time an email account is compromised - or suspected to be compromised - auditing mailbox rules should be step two, right after resetting the password. Check for forwarding rules, redirect rules, delete rules (attackers sometimes create rules that automatically delete emails from certain senders to cover their tracks), and any rule the user doesn't recognize.

The Broader Lesson

Email forwarding rules are one example of a larger category of post-compromise persistence mechanisms. Attackers don't just break in and act immediately - they establish ways to maintain access and gather intelligence over time. OAuth app permissions, registered devices, trusted IPs, and mailbox rules are all mechanisms that survive a password reset.

Complete incident response means revoking all of these persistence mechanisms, not just changing the password. If your incident response checklist doesn't include auditing mailbox rules, OAuth connections, and registered devices, it has a gap - and it's a gap attackers know about and exploit.


Need help with this? We can assist.

Inevat provides managed IT and cybersecurity for businesses nationwide. Schedule a free consultation to talk through your situation.

Schedule a Free Consultation

Related Articles

Cybersecurity

Network Segmentation: The Security Control Most Businesses Skip

A flat network means one compromised device gives an attacker access to everything. Network segmentation limits the blast radius of a breach - and it's simpler to implement than most businesses think.

Read Article: Network Segmentation: The Security Control Most Businesses Skip
Cybersecurity

What Is SOC Monitoring and Why You Need It

A Security Operations Center watches your network 24/7/365 for threats automated tools miss. Here's what it does and why it matters at every size.

Read Article: What Is SOC Monitoring and Why You Need It
Cybersecurity

Ransomware: What the First 72 Hours Look Like

Small and mid-sized businesses are the primary ransomware target. Here's what happens when it hits — from the first encrypted file to the insurance call.

Read Article: Ransomware: What the First 72 Hours Look Like