
How Hackers Use Email Forwarding Rules to Steal Data & How to Block Them

Prevent attackers from secretly forwarding your sensitive emails.

Malicious Email Forwarding Rules: The Silent Threat in Cybersecurity

Hi there, I’m sitting here at my desk with my third coffee, still buzzing from the glory and madness of this year’s DefCon, especially the hardware hacking village (it’s a thrill to see old-school phreaking colliding with new-fangled gear). So yeah, I’ve been in cybersecurity since the early 2000s, but truth is I go way back to ’93 when I was a fresh-faced network admin wrangling voice and data muxing over PSTN lines. Those days were crazy — the Slammer worm hit harder than a brick wall, and the world was never the same.

But fast forward: I’m running PJ Networks and recently took a hand in levelling up the zero-trust architecture of three major banks. However, here’s the catch: no matter how advanced you get, a few traditional tricks used by hackers still astonish people. This is one of my favorites (in the “ugh, how/why is this still working?” category) — malicious email forwarding rules.

What Are the Malicious Email Forwarding Rules?

In simple terms: it’s when hackers manipulate your email settings so your inbound emails are automatically sent to them or to somewhere they control. Sounds low-tech? Maybe. But that’s why it’s so damn effective. The attacker doesn’t need to stand in front of your inbox staring at messages — they lay the trap and watch the data flow silently out.

I recall one case years ago, with a financial client who had no clue why they were leaking data. It turned out that their Exchange server had forwards configured which were sending all emails to an unknown external address. No alerts, no immediate indications — and the staff simply kept on emailing.

Here’s the kicker: lots of email platforms (Exchange, Office 365, Google Workspace) allow users — and sometimes even apps — to set up forwarding rules. Poorly monitored, richly permissive APIs are a field day for attackers. The trick is not to crack your password (though that certainly happens) but to set up a redirect once inside. The attacker then sits back and watches the data drip out over weeks or months.

How Attackers Set Them Up

This is where I start getting excited and a little irritated. In the old days when I contended with things like Slammer, it was more direct — widespread network outages, service disruptions, alarms going off. These forwarding rules are more like stealth ninjas slipping data out one byte at a time.

Attackers usually gain access through phishing (no surprise there), compromised credentials, or abuse of OAuth tokens from third-party applications with excessive permissions. And once inside, here’s how the playbook reads:

  • Break into the victim’s email account, often using automation scripts
  • Change the inbox rules to forward incoming mail to an external address they control
  • Make these rules hard to spot, e.g. by burying them in nested menus or giving them innocuous folder names so the user does not notice them
  • Sometimes create conditional rules that forward only emails containing sensitive keywords (invoice, password, confidential)
  • Rely on the fact that no alerts notify users when such rules are created

Here’s a piece of advice I give clients when consulting on detection: it’s like a recipe for a dish—minor ingredient adjustments can have a major impact on what comes out of the oven. Attackers are always refining their tradecraft. I’ve witnessed cases that combine forwarding with deletion rules, where the forwarded mail is also auto-deleted from the end user’s inbox so the attacker covers their tracks. Sneaky.

And yes — sometimes they even ride on legacy protocols or APIs, which a lot of companies still operate due to compatibility concerns. Which is why my old-school network admin sensibilities scream, “If you’re running outdated mail servers or outdated protocols, you’re an open buffet.”

Detecting and Blocking Forwarding Exploits

Detecting these forwarding rules can be difficult — especially if your monitoring tools are basic or reactive. But here’s my advice, based on scrambling in the real world and crisis calls in the middle of the night:

  1. Audit forwarding rules periodically: Schedule scripts, or use the platform’s built-in audit and reporting features, to list all active forwarding rules, and look for external addresses unknown to your business domains.
  2. Set up alerts for forwarding rule changes: AI or not, you want something that alerts you promptly when an unusual rule is added. At PJ Networks we deploy monitoring that alerts on any addition, modification, or deletion of forwarding rules that send mail outbound to external organizations.
  3. Enforce strict controls on mailbox rule modification: Users don’t need complete rights to modify mailbox rules, especially in senior or sensitive roles. Sometimes less is more.
  4. Prevent auto-forwarding on high-risk accounts: Finance, HR, legal — any department dealing with sensitive info should have auto-forwarding disabled or heavily monitored.
  5. Enforce multi-factor authentication (MFA): I know, this is not new advice and sounds a bit like preaching to the choir. However, I believe MFA is still the best first line of defence against the initial compromise that leads to forwarding abuse.
  6. Revoke third-party app permissions: The OAuth consent you click OK on when you sign into an app often grants that app the ability to manipulate forwarding rules. Perform regular audits and remove unnecessary permissions.
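As an added example (not PJ Networks’ tooling or any vendor’s code), here is detection logic for steps 1 and 2 above, run over constructed audit records. It flags the three patterns described earlier: forwarding to a domain the organisation does not own, forward-and-delete rules, and keyword-conditional forwarding. The record shape (an Operation name plus a Parameters list of Name/Value pairs) is modelled loosely on Microsoft 365 unified audit log exports, the internal domains and sample events are constructed, and multi-valued parameters are assumed to be semicolon-joined.

```python
import json
# Constructed example values: domains the organisation owns; anything else is external.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
# Cmdlets that create or change forwarding, as they appear in Exchange admin audit records.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
SENSITIVE_WORDS = {"invoice", "password", "confidential"}

def is_external(address: str) -> bool:
    """True when the recipient's domain is not one we own ('smtp:' prefix tolerated)."""
    addr = address.strip().strip("<>").lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def assess_rule_event(event: dict) -> list[str]:
    """Findings for one audit record; empty list when nothing looks suspicious."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    # Assumption: parameters arrive as [{"Name": ..., "Value": ...}], multi-values ';'-joined.
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    external = [v for k, v in params.items() if k in FORWARD_PARAMS and is_external(v)]
    if not external:
        return []
    findings = ["external forward to " + ", ".join(external)]
    if params.get("DeleteMessage", "").lower() == "true":   # forward-and-delete cover-up
        findings.append("forwarded mail is also deleted from the mailbox")
    words = {w.strip().lower() for k in KEYWORD_PARAMS for w in params.get(k, "").split(";")}
    if hits := sorted(words & SENSITIVE_WORDS):             # keyword-conditional forwarding
        findings.append("conditional on sensitive keywords: " + ", ".join(hits))
    return findings

def scan_audit_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each user with suspicious rule activity to their findings (JSON-lines input)."""
    report: dict[str, list[str]] = {}
    for line in lines:
        event = json.loads(line)
        if findings := assess_rule_event(event):
            report.setdefault(event.get("UserId", "unknown"), []).extend(findings)
    return report

# Constructed sample records (not real logs), shaped like Microsoft 365 audit JSON.
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "SubjectOrBodyContainsWords", "Value": "Invoice;password"},
        {"Name": "ForwardTo", "Value": "drop@attacker-mail.test"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr@example.com", "Parameters": [
        {"Name": "ForwardTo", "Value": "hr-archive@corp.example.com"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@example.com", "Parameters": [
        {"Name": "Identity", "Value": "legal@example.com"},
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:x@external.example"}]}),
]
```

Running `scan_audit_log(SAMPLE_LOG)` reports the CFO rule with all three findings and the admin-set mailbox forward, while the HR rule to an internal archive is left alone; in practice the report would feed your SIEM alerting rather than stdout.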

And one may wonder: Sanjay, isn’t this just basic hygiene? Yes — and no. Basic does not mean simple. Enterprise-level firms are still missing this. Indeed, I recently cleaned up three bank networks in which forwarding rules had been siphoning data for months without a single alert.

The Power of PJ Networks with Email Security Solutions

Remember, you can design networks to not just close holes, but to proactively defend against unwanted guests. Now our method here takes advantage of sophisticated AI-based email monitoring—but I say that carefully: ignore all the marketing hype around AI. The difference is in training and contextual understanding.

Our solution continually tracks changes to mailbox rules throughout your email estate. It detects anomalies such as:

  • Forwarding rules that send mail out of the organization
  • Content-pattern-based conditional forwarding
  • Mailbox rule activity spikes for specific high-value accounts

In addition, our platform works alongside existing SIEM tools—providing your SOC teams with ongoing, actionable intelligence. And yes, we work with the big email providers to get access to their audit logs, giving you the full visibility.

Technology alone, of course, is not enough. We also do a lot of policy and training consulting — because here’s the thing — no tool is coming to save your ass if a user clicks on a phishing link and they don’t have the chops.

Conclusion

Malicious email forwarding rules are not just any thieves; they are silent thieves, the attackers no one expects until it’s too late. As a networking and security veteran of three decades, and after clashing with malware and worms countless times, I can tell you this approach is as old as time, yet still one of the most underestimated threats.

The silver lining? Using a proper mix of audit practices, rule enforcement, access management, and yes — well-placed AI, you can identify and stop these exploits before they’re allowed to scorch your business.

So if your practice isn’t up to date, or you’re hoping that a firewall alone will save you, my advice: wake up. E-mail is the gateway drug for data theft. Treat it like the crown jewels — protect it.

Quick Take

  • Regularly audit and alert on email forwarding rule modifications
  • Disable external automatic forwarding on sensitive accounts
  • Manage permissions carefully and review third-party app access
  • Implement layered observability (with smart alerts, if possible)
  • Train your teams not to click on phishing links, though you won’t eliminate that vector entirely

In my opinion? The future would seem to involve intelligent vigilance, not just the pursuit of the latest ear-catching solution. Remember when we used to believe in network perimeters? Yeah, me too. Now it’s all in the inbox.

Stay curious, stay cautious — and maybe don’t have that fourth coffee.

—Sanjay Seth, PJ Networks Pvt Ltd
