
How Attackers Use Inbox Rules (And Why Most Breaches Go Unnoticed)
Most people think email attacks end when the phishing email is clicked.
They don’t.
Some of the most serious attacks I see don’t use malware, exploits, or special tools. Instead, they use something already built into every mailbox. Inbox rules.
Once attackers set up these rules, they often leave, but the breach can continue quietly for weeks or even months.
What Are Inbox Rules?
Inbox rules are automated settings found in email platforms such as Microsoft 365 and Google Workspace (Manage email messages by using rules in Outlook, 2024). They’re meant to help users:
- Auto-file emails
- Flag important messages
- Forward specific mail
- Reduce inbox clutter
Attackers like them for the same reasons.
These rules work quietly, stay in place even after password changes, and often don’t set off any alerts. (Business Email Compromise Guide, n.d.)
The Attack Pattern I See Over and Over
Here’s how most inbox rule attacks usually happen:
Step 1: Initial Access
An attacker gets access through:
- Phishing
- MFA fatigue
- Reused credentials
- Legacy authentication
At this point, attackers usually don’t steal data right away. They prepare.
Step 2: Malicious Inbox Rules Are Created
Common attacker-created rules include:
- Move all emails containing words like “invoice”, “payment”, or “wire” to RSS or Archive
- Delete security alerts or MFA notifications
- Forward copies of emails to an external address
- Mark emails as read to avoid user suspicion
The user’s inbox seems normal, but it’s quieter than it should be.
Step 3: The Attacker Waits
This stage is especially risky. Attackers monitor conversations:
- Finance threads
- Vendor communications
- Executive emails
They take time to learn how the organization works before making a move (Macnica, 2024). This is how Business Email Compromise (BEC) succeeds (Atlam & Oluwatimilehin, 2023).
Why Users Don’t Notice Anything Wrong
Because from their perspective:
- No suspicious emails appear
- No alerts are visible
- No login failures occur
- Mail still works normally
Meanwhile:
- Critical messages are hidden
- Attackers see everything
- Security teams remain unaware
I’ve seen inbox rules survive:
- Password resets
- MFA enforcement
- Account recovery (Business Email Compromises, 2023)
If you don’t check the inbox rules directly, you can easily miss the compromise.
Why This Works So Well Against Secure Environments
Even environments with:
- MFA enabled
- Conditional Access policies
- Advanced phishing protection
can still fall victim if inbox rules aren’t monitored. Why? Because inbox rules are:
- Considered “normal user behavior”
- Rarely audited
- Not always logged by default
- Often excluded from alerting (Office Protect Event - Suspicious Inbox Rule Detected, 2024)
Security controls focus on how attackers get in. Inbox rules are about what attackers do once they’re already inside.
Real-World Impact I’ve Seen
Inbox rule abuse often leads to:
- Fraudulent invoice payments
- Vendor impersonation
- Payroll redirection
- Executive impersonation
- Long-term surveillance of email traffic (Business Email Compromise: The 3.1 Billion Dollar Scam, 2016)
The worst part is this: Often, no one discovers the breach until the money is already gone. (Reacting slowly to a security breach opens up your business to more threats, report warns, 2025)
How to Defend Against Inbox Rule Abuse
Here’s what actually works:
1. Audit Inbox Rules Regularly
Especially for:
- Executives
- Finance users
- Shared mailboxes
- Accounts with forwarding enabled
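One way to run that audit, as an added example and not code from this post: the script below uses the Exchange Online PowerShell module to pull every rule (including hidden ones) from the high-risk populations listed above and flags the traits described in Step 2, namely external forwarding, deletion, moves to RSS or Archive, mark-as-read, finance or security keyword triggers, and blank names. It assumes Connect-ExchangeOnline has already been run; the keyword list, folder list and the group name sg-finance-and-execs are my assumptions, not values from the post.

```powershell
# Added example (not the post's own code): audit Exchange Online inbox rules for the patterns
# described in Step 2. Assumes Connect-ExchangeOnline has been run with a role that can read
# mailbox rules. Keyword list, folder list and the group name are assumptions for illustration.

$AcceptedDomains    = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
$SuspiciousKeywords = 'invoice', 'payment', 'wire', 'bank', 'password', 'mfa', 'verification', 'security alert'
$SuspiciousFolders  = 'RSS Feeds', 'RSS Subscriptions', 'Archive', 'Junk Email', 'Deleted Items', 'Conversation History'

function Test-SuspiciousInboxRule {
    # Emits one reason string per suspicious trait found on the rule (nothing if it looks benign).
    param([Parameter(Mandatory)] $Rule)

    # Forwarding, forwarding as attachment, or redirecting to an address outside the tenant.
    # ForwardTo entries look like '"Display Name" [SMTP:user@example.net]' or plain addresses.
    foreach ($target in @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)) {
        if ($target -and "$target" -match '([\w\.\-+]+@[\w\.\-]+)') {
            $address = $Matches[1]
            $domain  = ($address -split '@')[1].ToLower()
            if ($AcceptedDomains -notcontains $domain) { "forwards externally to $address" }
        }
    }
    # Deleting mail, or moving it to a folder the user never opens (RSS and Archive are the classics).
    if ($Rule.DeleteMessage) { 'deletes messages' }
    if ($Rule.MoveToFolder) {
        $folderName = ("$($Rule.MoveToFolder)" -split '\\')[-1]   # value looks like 'user@x.com:\RSS Feeds'
        if ($SuspiciousFolders -contains $folderName) { "moves to '$folderName'" }
    }
    # Marking as read so the message never shows up as new.
    if ($Rule.MarkAsRead) { 'marks as read' }
    # Finance or security keywords as the trigger condition.
    $terms = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
    $hits  = foreach ($term in $terms) {
        if ($term -and ($SuspiciousKeywords | Where-Object { "$term" -like "*$_*" })) { "$term" }
    }
    if ($hits) { "keyword trigger: $($hits -join ', ')" }
    # Blank or punctuation-only names ('.', ',', ' ') are a common attacker tell.
    if ("$($Rule.Name)" -match '^[\.\s,]*$') { 'blank or punctuation-only name' }
}

# The populations the post calls out: shared mailboxes, anything already forwarding, and a
# security group of executives and finance staff (hypothetical group name).
$targets = @(Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) +
           @(Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null') +
           @(Get-DistributionGroupMember -Identity 'sg-finance-and-execs' -ResultSize Unlimited)

$findings = foreach ($mbx in ($targets | Sort-Object PrimarySmtpAddress -Unique)) {
    # -IncludeHidden also returns rules that Outlook keeps out of the normal rules view
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -IncludeHidden) {
        $reasons = @(Test-SuspiciousInboxRule -Rule $rule)
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = $reasons -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-findings.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run; a rule that appears between audits on a finance mailbox is worth a phone call even if its name looks ordinary.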
2. Alert on Rule Creation
If your environment supports it:
- Monitor mailbox rule creation
- Alert on rules that delete or forward mail
- Flag rules created via PowerShell
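Here is what that alerting can look like in Microsoft 365, as an added example rather than code from this post. It searches the unified audit log for the three operations that record rule changes (New-InboxRule and Set-InboxRule from PowerShell or Outlook on the web, UpdateInboxRules from the Outlook desktop client), flattens the parameters, and surfaces any rule that forwards, deletes, moves or marks mail as read, together with the client string that distinguishes a remote PowerShell session from a normal Outlook client. It assumes Connect-ExchangeOnline has been run with audit-log search rights and that unified auditing is enabled; the AuditData field names are those I have seen in these record types, so treat the parsing as a starting point to check against your own tenant.

```powershell
# Added example (not the post's own code): a daily job that pulls inbox-rule changes from the
# Microsoft 365 unified audit log and flags the ones that delete, move, hide or forward mail.
# Assumes Connect-ExchangeOnline with audit-log search rights and unified auditing enabled.
# AuditData field names are the ones seen in these record types; verify against your tenant.

$HoursBack   = 24
$Operations  = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules'
$RiskyParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder', 'MarkAsRead'

function Get-RiskyInboxRuleEvents {
    param([int]$Hours = $HoursBack)
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) `
                                      -Operations $Operations -ResultSize 5000
    foreach ($rec in $records) {
        $data = $rec.AuditData | ConvertFrom-Json
        # Cmdlet-based records (PowerShell, OWA) carry Parameters; Outlook-client records
        # (UpdateInboxRules) carry OperationProperties. Flatten both into one name -> value table.
        $params = @{}
        foreach ($p in @($data.Parameters) + @($data.OperationProperties)) {
            if ($p -and $p.Name) { $params[$p.Name] = "$($p.Value)" }
        }
        $flags = @($RiskyParams | Where-Object { $params.ContainsKey($_) -and $params[$_] -notin @('False', '') })
        # Outlook-client records describe actions as one RuleActions string rather than named parameters.
        if ($params['RuleActions'] -match 'Forward|Redirect|Delete|Move|MarkAsRead') { $flags += 'RuleActions' }
        if ($flags.Count -eq 0) { continue }
        [pscustomobject]@{
            Time       = $rec.CreationDate
            User       = $rec.UserIds
            Operation  = $rec.Operations
            ClientIP   = if ($data.ClientIP) { $data.ClientIP } else { $data.ClientIPAddress }
            # The client string is how you tell an Outlook rule from one set over remote PowerShell.
            Client     = "$($data.ClientInfoString)$($data.ClientAppId)"
            RuleName   = if ($params['Name']) { $params['Name'] } else { $params['RuleName'] }
            RiskyFlags = ($flags | ForEach-Object { "$_=$($params[$_])" }) -join '; '
        }
    }
}

$hits = @(Get-RiskyInboxRuleEvents)
$hits | Format-Table -AutoSize
# Hand-off point for alerting: SIEM, ticket, Teams webhook. A CSV is the simplest sink to start with.
if ($hits.Count -gt 0) { $hits | Export-Csv -Path .\inbox-rule-alerts.csv -NoTypeInformation -Append }
```

The 24-hour window and the 5000-record cap are deliberate: a rule created on Friday evening should be on someone's screen Monday morning, and a tenant that produces more than 5000 rule changes a day has a bigger problem than paging.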
3. Restrict External Forwarding
External forwarding should be:
- Disabled by default
- Explicitly approved
- Logged and reviewed
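The three properties above map directly onto Exchange Online settings. As an added example, not code from this post, the script below turns off tenant-wide auto-forwarding in the outbound spam filter policy and the default remote domain, creates a separate policy for approved exceptions so the default is never loosened, and produces the review record of who is forwarding today. It assumes Connect-ExchangeOnline with a role that can edit spam-filter and remote-domain settings; the policy name Approved-Forwarding and the address approved.user@example.com are placeholders.

```powershell
# Added example (not the post's own code): Exchange Online settings that make external
# auto-forwarding off by default, explicitly approved, and visible for review. Assumes
# Connect-ExchangeOnline with rights to edit spam-filter and remote-domain settings.
# 'Approved-Forwarding' and 'approved.user@example.com' are placeholders.

# 1. Disabled by default: the outbound spam filter policy blocks auto-forwarding to external
#    addresses whether it comes from an inbox rule, mailbox forwarding or an Outlook client rule.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Belt and braces at the remote-domain level for the catch-all domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Explicitly approved: a separate policy scoped to named senders, so exceptions never
#    touch the default policy.
if (-not (Get-HostedOutboundSpamFilterPolicy -Identity 'Approved-Forwarding' -ErrorAction SilentlyContinue)) {
    New-HostedOutboundSpamFilterPolicy -Name 'Approved-Forwarding' -AutoForwardingMode On
    New-HostedOutboundSpamFilterRule -Name 'Approved-Forwarding' `
        -HostedOutboundSpamFilterPolicy 'Approved-Forwarding' -From 'approved.user@example.com'
}

# 4. Logged and reviewed: the policy posture plus every mailbox that forwards today.
function Get-ForwardingReview {
    $policy = Get-HostedOutboundSpamFilterPolicy -Identity Default
    $remote = Get-RemoteDomain -Identity Default
    $forwarders = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
    [pscustomobject]@{
        DefaultAutoForwardingMode = $policy.AutoForwardingMode   # expect 'Off'
        RemoteDomainAutoForward   = $remote.AutoForwardEnabled   # expect False
        MailboxesForwarding       = @($forwarders).Count
        Forwarders                = $forwarders
    }
}

$review = Get-ForwardingReview
$review | Select-Object DefaultAutoForwardingMode, RemoteDomainAutoForward, MailboxesForwarding
$review.Forwarders | Export-Csv -Path ".\forwarding-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Note that the policy setting stops the mail from leaving; it does not delete the rule. A forwarding rule that silently fails is still evidence of compromise, which is why the audit and alerting steps above stay in place after forwarding is blocked.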
4. Review Compromised Accounts Properly
When an account is breached:
- Reset password
- Revoke sessions
- Review and remove inbox rules
- Check forwarding settings
If you skip this step, the attacker can stay in the account.
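The four steps above as one remediation script, added here as an example and not the post's own code. It captures the rules and forwarding settings as evidence first, then resets the password, revokes sessions, removes every inbox rule, clears mailbox-level forwarding, and verifies the result. It assumes Connect-ExchangeOnline and Connect-MgGraph (with User.ReadWrite.All and Directory.AccessAsUser.All) have already been run by an administrator and that the Microsoft Graph PowerShell SDK is installed; the mailbox address is supplied as a parameter.

```powershell
# Added example (not the post's own code): remediate a compromised Microsoft 365 account.
# Assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All'
# have been run, and the Microsoft Graph PowerShell SDK is installed.
param([Parameter(Mandatory)][string]$UserPrincipalName)   # e.g. alice@example.com (placeholder)

# 0. Preserve evidence before changing anything: the rules and forwarding settings are the
#    record of what the attacker was hiding and where mail was going.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$rules = @(Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden)
$rules |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage,
                  MoveToFolder, MarkAsRead, SubjectContainsWords |
    Export-Csv -Path ".\$UserPrincipalName-inboxrules-$stamp.csv" -NoTypeInformation
Get-Mailbox -Identity $UserPrincipalName |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Csv -Path ".\$UserPrincipalName-forwarding-$stamp.csv" -NoTypeInformation

# 1. Reset password: random 24-character value, change forced at next sign-in.
$chars       = [char[]]((48..57) + (65..90) + (97..122))
$newPassword = -join (1..24 | ForEach-Object { $chars | Get-Random })
Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
# Hand $newPassword to the user out of band; keep it out of logs and transcripts.

# 2. Revoke sessions: invalidates refresh tokens so existing Outlook and browser sessions die.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# 3. Review and remove inbox rules. Legitimate ones are in the CSV above and can be recreated
#    together with the user once the account is clean.
$rules | Remove-InboxRule -Confirm:$false

# 4. Check forwarding settings: mailbox-level forwarding lives outside the rules and survives rule cleanup.
Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null `
            -DeliverToMailboxAndForward $false

# Verify: no rules left, no forwarding left.
$remaining = @(Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden).Count
$mbx       = Get-Mailbox -Identity $UserPrincipalName
"Rules remaining: $remaining; forwarding: '$($mbx.ForwardingSmtpAddress)' / '$($mbx.ForwardingAddress)'"
```

The order matters: evidence before changes, and session revocation right after the password reset, because a reset alone leaves existing tokens valid until they expire.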
Final Thought
Inbox rules aren’t a vulnerability. They’re a blind spot. Attackers don’t need advanced malware if they can quietly change what users see, or don’t see, in their inbox.
If you only look for malicious emails, it’s already too late.
You need to look at what’s hiding them.
Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.
References
Manage email messages by using rules in Outlook (2024). Microsoft Support. https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-in-outlook-c24f5dea-9465-4df4-ad17-a50704d66c59
Business Email Compromise Guide (n.d.). WaterISAC. https://www.waterisac.org/system/files/articles/PwC-Business_Email_Compromise-Guide.pdf
Macnica (2024). Business Email Compromise (BEC): How does it attack your business and how can you prevent it? https://www.macnica.co.jp/business/security/manufacturers/files/macnica_wp_0729_en.pdf
Atlam, H. F., & Oluwatimilehin, O. (2023). Business Email Compromise Phishing Detection Based on Machine Learning: A Systematic Literature Review. Electronics, 12(1). https://doi.org/10.3390/electronics12010042
Business Email Compromises (2023, June 30). Kroll. https://its.ny.gov/system/files/documents/2023/07/dayter-m365-nyscyberconference-kroll.pdf
Office Protect Event - Suspicious Inbox Rule Detected (2024). Office Protect. https://help.office-protect.com/en/support/solutions/articles/67000732895-office-protect-event-suspicious-inbox-rule-detected
Business Email Compromise: The 3.1 Billion Dollar Scam (2016, June 13). Internet Crime Complaint Center (IC3). https://www.ic3.gov/PSA/2016/PSA160614
Reacting slowly to a security breach opens up your business to more threats, report warns (2025, October 28). TechRadar. https://www.techradar.com/pro/security/reacting-slowly-to-a-security-breach-opens-up-your-business-to-more-threats-report-warns