Hackers don’t need your inbox — they just need your rules
One of the most overlooked tools in a hacker’s arsenal is something your team uses every day: inbox rules. These automated actions — meant to organize messages or reduce clutter — can be silently manipulated during an account compromise to redirect, hide, or forward sensitive communications.
Once access is gained, attackers often don’t steal data immediately. Instead, they quietly create inbox rules that give them long-term visibility without detection.
Forwarding rules open the door
A common tactic is setting up automatic forwarding to an external email address. Everything the compromised user sends or receives — especially client messages, financial details, or system notifications — is quietly copied and delivered to the attacker in real time. This happens behind the scenes, with no alerts and no malware involved.
These rules don’t trigger antivirus or EDR systems. They operate within the bounds of a legitimate login and often go unnoticed for weeks or months.
Hiding the evidence
Another technique is using rules to move certain messages to the archive, junk, or even deleted folders as soon as they arrive. This helps attackers:
- Bury password reset attempts from Microsoft
- Hide notifications about unusual logins
- Suppress alerts from security monitoring tools
Because the messages were technically received, systems may consider them “delivered” — even though no one sees them.
Why this works so well
Inbox rules aren’t suspicious on their own. Most users have them. Most security teams don’t monitor them. And attackers know it.
By quietly observing a mailbox, they can learn the tone and rhythm of your business before impersonating someone internally — making phishing and BEC attacks far more believable.
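Both behaviours described above (external forwarding and rules that bury security notifications) are visible to an administrator who looks. The script below is an added example, not Cloudstar's tooling; it assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run, and the keyword and folder lists are constructed for illustration.

```powershell
# Added example: audit every user mailbox's inbox rules for the two patterns
# discussed above. Assumes Connect-ExchangeOnline has already been run.

# Accepted domains count as internal; any other forwarding target is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

# Constructed keyword list: words that typically appear in the notifications
# an attacker wants hidden (password resets, sign-in alerts, security tooling).
$sensitiveWords = @('password', 'reset', 'sign-in', 'unusual', 'security', 'alert', 'verification')

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        if (-not $rule.Enabled) { continue }
        $reasons = @()

        # Pattern 1: forward or redirect to an address outside our accepted domains.
        # Recipient strings look like: "Display Name" [SMTP:user@domain.example]
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -match 'SMTP:([^\]]+)') {
                $address = $Matches[1]
                $domain  = ($address -split '@')[-1].ToLower()
                if ($internalDomains -notcontains $domain) { $reasons += "forwards to external $address" }
            }
        }

        # Pattern 2: deletes or files away messages whose conditions match security keywords.
        $hides = $rule.DeleteMessage -or ($rule.MoveToFolder -match 'Deleted Items|Junk|Archive|RSS')
        $conditions = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                      @($rule.SubjectOrBodyContainsWords) + @($rule.FromAddressContainsWords)
        $matched = $conditions | Where-Object { $w = $_; $sensitiveWords | Where-Object { $w -match $_ } }
        if ($hides -and $matched) { $reasons += "hides mail matching '$($matched -join ', ')'" }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Reasons = $reasons -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Rules surfaced here are leads for review, not verdicts: a legitimate rule that moves vendor alerts to an archive folder will also match, so confirm each finding with the mailbox owner before removing it with Remove-InboxRule.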
Curious what rules are active in your mailboxes right now? Cloudstar can help you find out — before someone else does.