
Stop Auto-Forwarding and Inbox Rules Abuse

Email forwarding rules are a favorite tool of attackers who've compromised an account.

Last updated: March 20, 2026

Here's what happens in a lot of email compromises that nobody talks about:

Attacker gets someone's password—usually through phishing. Instead of locking the account or changing the password immediately, the attacker creates rules. Rules that forward specific emails to an external address. Rules that delete certain emails so the owner doesn't see them.

Now the attacker has persistent access to sensitive information—payment notifications, vendor invoices, customer data—without ever triggering another login alert. They can operate for months.

This is inbox rules abuse. It's common, it's stealthy, and it's preventable.

How It Works

Step 1: Compromise the account

Attacker sends a phishing email. Victim enters credentials on a fake login page. Attacker now has the password.

Step 2: Create forwarding rules

Attacker logs in. Creates rules like:

  • "Forward all emails with 'invoice', 'payment', or 'wire' to attacker123@gmail.com"
  • "Move all emails from vendors to Deleted Items"
  • "Forward all new emails to external address after 1 hour"

Step 3: Operate silently

The account owner sees no unusual activity. Their emails still arrive. They don't notice anything wrong.

Step 4: Collect data

Attacker receives copies of sensitive emails. Financial data. Vendor contacts. Customer information. Pricing. They sell it or use it for fraud.

The Business Impact

  • Vendor payment fraud: Attacker sees invoices, modifies bank details, redirects payments
  • Customer data theft: Sales pipeline, customer contacts, contract terms stolen
  • Competitive intelligence: Internal communications, pricing strategies, project plans leaked
  • Compliance violations: Regulations like HIPAA, PCI DSS may have been violated

Why This Happens

No monitoring

Most businesses don't monitor for inbox rule creation. The rules sit there undetected.

Too many access permissions

If everyone can create rules that forward externally, attackers exploit this after compromising any account.

Legacy authentication

Older email protocols that rely on basic authentication (IMAP, POP3) don't support modern security controls such as MFA. An attacker configures an email client with the stolen credentials and signs in with the password alone, bypassing MFA and rule monitoring.

Slow response

Password changes don't always remove active sessions. The attacker stays connected even after the password reset.

What Can Go Wrong

"We changed the password but the forwarding continues"

Password changed, but the attacker still has an active session via an app password or legacy auth. Rules keep forwarding.

"The rule was created 6 months ago"

You find a rule forwarding emails to a Gmail address. It was created during a phishing incident everyone forgot about. Six months of emails went to an attacker.

"Former employee's rules are still active"

Employee left. Their personal account was compromised later. The forwarding rules from their work email are still active.

"The rule only forwards specific emails"

Attacker was smart. Only forwards emails with "invoice" or "payment" in the subject. Owner never notices missing emails because most emails don't match the filter.

What It Costs

Prevention:

  • Block external forwarding policies: $0
  • Inbox rule monitoring: $0 (built into Microsoft 365 and Google Workspace audit logs)
  • Employee training: $500-$2,000/year

Detection and response:

  • Forensic investigation: $10,000-$50,000
  • Data breach notification costs: $1,000-$50,000+
  • Legal fees: $5,000-$50,000
  • Lost business and reputation: Hard to quantify

Example real-world costs:

  • A Louisiana healthcare provider discovered 3 months of patient emails forwarded to an external address. Regulatory notification, forensic audit, legal fees: $180,000
  • A Texas construction company lost $340,000 to vendor payment fraud enabled by email forwarding rules giving attackers visibility into payment schedules

Minimum Viable Implementation

Today (High Priority)

  1. Audit existing inbox rules. Check every user who handles financial or sensitive emails. Look for any forwarding rules to external addresses you didn't create.

    In Microsoft 365: Exchange Admin Center > Mailboxes > [select mailbox] > Mailbox delegation > Managed rules tab

    In PowerShell: Get-InboxRule -Mailbox "user@domain.com" | FL

  2. Check external forwarding settings. In Microsoft 365: Exchange Admin > Mail Flow > Rules. Look for any rules forwarding to external domains.

  3. Search mailbox audit logs. If you have audit logging enabled (it is by default in most Microsoft 365 plans), search for rule creation events.
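The three audit steps above, combined into one Exchange Online PowerShell script. This is an added example written for this page, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module, an account with Exchange Online admin rights, and constructed values for the report path and the 90-day lookback window. The cmdlets and properties it reads (Get-InboxRule's ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage and MoveToFolder; Get-Mailbox's ForwardingSmtpAddress; Search-UnifiedAuditLog's AuditData JSON) are the real Exchange Online outputs. It goes a little beyond the article's steps by also flagging rules that only delete or hide mail, since those appear in the same attack pattern.

```powershell
# Added example, not code from the original article: enumerate forwarding across
# a Microsoft 365 tenant and pull recent rule-creation events from the unified
# audit log. Requires the ExchangeOnlineManagement module and an Exchange Online
# admin account. $ReportPath and $LookbackDays are assumed values for this example.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$ReportPath   = '.\inbox-rule-audit.csv'   # assumed output location
$LookbackDays = 90                          # assumed audit window

# Every domain the tenant owns; a forwarding target outside this set is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Get-TargetAddresses {
    # Rule recipients come back as strings such as '"Jane" [SMTP:jane@example.net]'
    # or plain 'jane@example.net'; extract the SMTP address either way.
    param([string[]]$Values)
    foreach ($v in $Values) {
        if ($v -match '([\w.+-]+@[\w.-]+\.\w+)') { $Matches[1].ToLower() }
    }
}

function Test-ExternalAddress {
    param([string]$Address)
    return -not ($internalDomains -contains $Address.Split('@')[-1])
}

function New-Finding {
    param($Mailbox, $Source, $RuleName, $Target, $Detail)
    [pscustomobject]@{ Mailbox = $Mailbox; Source = $Source; RuleName = $RuleName; Target = $Target; Detail = $Detail }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (set by an admin or through Outlook settings).
    foreach ($addr in Get-TargetAddresses @($mbx.ForwardingSmtpAddress)) {
        if (Test-ExternalAddress $addr) {
            New-Finding $mbx.PrimarySmtpAddress 'MailboxForwarding' '(mailbox setting)' $addr `
                "KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        }
    }

    # 2. Per-user inbox rules: forward, forward-as-attachment, redirect, delete, move.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $detail  = "Enabled=$($rule.Enabled); SubjectContains=$($rule.SubjectContainsWords -join ',')"
        $targets = Get-TargetAddresses (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
        foreach ($t in $targets) {
            if (Test-ExternalAddress $t) {
                New-Finding $mbx.PrimarySmtpAddress 'InboxRule' $rule.Name $t $detail
            }
        }
        # A rule that hides mail is suspicious even without a forwarding target.
        if ($rule.DeleteMessage -or $rule.MoveToFolder -match 'Deleted Items|RSS|Archive|Junk') {
            New-Finding $mbx.PrimarySmtpAddress 'InboxRule' $rule.Name '(none)' "HidesMail; $detail"
        }
    }
}

# 3. Who created or changed rules recently, and from where? AuditData is JSON and
# its Parameters array carries the rule settings as submitted. UpdateInboxRules is
# what Outlook desktop logs; New-InboxRule/Set-InboxRule come from OWA and PowerShell.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000
$ruleEvents = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Keep Set-Mailbox only when it touched forwarding settings.
    if ($d.Operation -eq 'Set-Mailbox' -and
        -not ($d.Parameters.Name -match 'ForwardingSmtpAddress|ForwardingAddress|DeliverToMailboxAndForward')) { continue }
    [pscustomobject]@{
        When       = $d.CreationTime
        Actor      = $d.UserId
        Mailbox    = $d.ObjectId
        Operation  = $d.Operation
        ClientIP   = $d.ClientIP
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

$findings   | Export-Csv -Path $ReportPath -NoTypeInformation
$findings   | Format-Table -AutoSize
$ruleEvents | Sort-Object When -Descending | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5,000 records per call; on a large tenant, page through with -SessionId and -SessionCommand ReturnLargeSet. Review the Actor and ClientIP columns alongside the findings: a rule created by the mailbox owner from an unfamiliar country, minutes after a sign-in from the same address, is the pattern the article describes.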

This Week

  1. Block external forwarding. Create a mail flow rule in Microsoft 365:

    • Condition: "The message header includes..."
    • Action: "Reject the message" or "Quarantine the message"
    • Exception: Allow your known-good forwarding if you have a legitimate business need (and document it)
  2. Block legacy authentication. This is the most important step. Attackers use legacy auth to bypass MFA. Go to Exchange Admin > Mail flow > Authentication policies > Enable Basic Auth for POP3/IMAP > Set to false.

  3. Alert on new inbox rules. Configure alerts in Security & Compliance Center > Alerts > Manage alerts. Alert when new inbox rules forwarding externally are created.

This Month

  1. Set up conditional access policies. Require MFA for all email access, especially from non-trusted locations.

  2. Disable IMAP/POP access if not needed. Most businesses don't need these protocols anymore. Turn them off.

  3. Document legitimate forwarding needs. If someone has a business reason for external forwarding, document it. Review it quarterly.

  4. Repeat the audit quarterly. New rules get created. People come and go. This is an ongoing process.
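The "This Week" hardening steps (block external forwarding, block legacy authentication) and the "This Month" step of disabling IMAP/POP, applied from Exchange Online PowerShell. This is an added example, not code from the original article or from Microsoft. Where the article describes a mail flow rule keyed on a message header, this script uses the transport-rule condition MessageTypeMatches AutoForward instead, together with the outbound spam filter's AutoForwardingMode setting; the rule name, policy name and the empty exception list are assumed values. Alerting on new inbox rules is left to the portal, as the article describes.

```powershell
# Added example, not code from the original article: apply the forwarding,
# legacy-auth and IMAP/POP hardening steps tenant-wide. Requires the
# ExchangeOnlineManagement module and an Exchange Online admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$RuleName          = 'Block external auto-forwarding'   # assumed name
$PolicyName        = 'Block basic authentication'       # assumed name
$AllowedForwarders = @()   # documented exceptions, e.g. 'shared-mailbox@yourdomain.example'

# 1a. Tenant-wide: stop automatic forwarding in the outbound spam filter policy.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 1b. Belt and braces: a mail flow (transport) rule that rejects auto-forwarded
#     mail leaving the organization, with an explicit, documented exception list.
$ruleParams = @{
    Name                            = $RuleName
    FromScope                       = 'InOrganization'
    SentToScope                     = 'NotInOrganization'
    MessageTypeMatches              = 'AutoForward'
    RejectMessageReasonText         = 'Automatic forwarding to external addresses is blocked by policy.'
    RejectMessageEnhancedStatusCode = '5.7.1'
}
if ($AllowedForwarders.Count -gt 0) { $ruleParams.ExceptIfFrom = $AllowedForwarders }
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule @ruleParams
}

# 2. Block legacy (basic) authentication. A new authentication policy has every
#    AllowBasicAuth* switch off by default; making it the tenant default covers
#    every mailbox without an explicit policy. Refreshing token validity forces
#    already-signed-in clients to re-authenticate instead of riding old sessions.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Set-User -Identity $_.Identity -STSRefreshTokensValidFrom (Get-Date) }

# 3. Disable IMAP and POP on every mailbox that still has them on.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# Verify the end state.
Get-TransportRule -Identity $RuleName | Format-List Name, State, MessageTypeMatches, SentToScope
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-CASMailbox -ResultSize Unlimited | Group-Object ImapEnabled, PopEnabled | Select-Object Count, Name
```

Run the audit from the "Today" section before this script, so that any legitimate forwarding is already in $AllowedForwarders and documented; otherwise the transport rule will reject it. Mailboxes created later inherit IMAP/POP settings from the mailbox plan, so review Get-CASMailboxPlan as well if new users keep appearing with the protocols enabled.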

Vendor Questions (Copy/Paste)

  1. "Can we block external forwarding at the organizational level, rather than relying on individual user settings?"

  2. "How do we configure alerts when a user creates an inbox rule that forwards to an external address?"

  3. "What's your audit log retention period for inbox rule creation? Can we export those logs?"

  4. "Can we require admin approval for any inbox rule that forwards to an external domain?"

  5. "Do you detect and block legacy authentication (IMAP/POP) attempts?"

When to Hire Help

DIY-friendly if:

  • Under 25 users
  • Simple email environment
  • Basic understanding of Exchange Admin Center or Google Workspace Admin
  • Audit logging already enabled

Get professional help if:

  • Over 50 users
  • Complex shared mailbox structure
  • Previous phishing or compromise incidents
  • No audit logging configured
  • Need help setting up monitoring
  • Regulatory compliance requirements

Warning signs you need help now:

  • You found forwarding rules to external addresses you didn't create
  • An employee reported phishing emails they responded to
  • DMARC reports show unusual activity from your domain
  • You can't access or don't understand your audit logs
  • A former employee's inbox rules are still forwarding
  • Your email traffic patterns changed unexpectedly

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.