Cybercriminals Tweak Inbox Rules to Stay Hidden and Move Data

A new study from Barracuda Networks researchers demonstrates how attackers can abuse inbox rules after gaining access to an email account. By manipulating these rules, attackers can avoid detection while siphoning information from a company’s network. These attacks rely on victims not seeing security alerts and on the attacker archiving chosen messages into discreet folders the victim does not notice.

Abusing inbox rules is a stealthy, effective tactic.

“It’s easy to carry out once an attacker has access to an account,” says Prebh Dev Singh, head of Email Protection Product Management at Barracuda. Attackers who gain entry through phishing or stolen credentials can quickly create rules that keep them hidden inside the mailbox.

Although email detection tools have improved and machine learning can more readily flag suspicious rules, Barracuda’s study shows cybercriminals still exploit this vector. Manipulated rules remain a serious threat to an organization’s data and other assets.

Because this technique is used after an account takeover, its presence is a reliable sign of an intruder in your network. “That means immediate action is required to evict them,” says Peter Graymon, head of Barracuda Networks in the Nordics.

Stolen email account

Once an attacker has access to an email account, they can create one or more automated rules that allow continued access to the mailbox without raising suspicion. This capability can support a range of malicious activities, including:

  • Stealing information or money while delaying detection. Attackers can set rules to forward messages containing sensitive, lucrative keywords such as “payment,” “invoice,” or “confidential” to an external address.
  • Hiding specific incoming messages, including security alerts, by moving them to seldom-checked folders, marking them as read, or deleting them outright.
  • Monitoring the victim’s activities and collecting intelligence on the person or the organization to enable follow-on attacks.
  • Enabling business email compromise (BEC) schemes by creating rules that delete or divert messages from a particular colleague—such as the chief financial officer. This allows attackers to impersonate the CFO and send fraudulent payment instructions to colleagues, convincing them to transfer funds to accounts controlled by the attackers.

If an abused rule remains undetected, it can persist despite changes to the victim’s password, the activation of multi-factor authentication, the introduction of stricter conditional access policies, or even a reinstallation of the device. As long as the rule stays in place, it remains an effective tool for the attacker.

Organizations should treat signs of mailbox rule manipulation as indicators of a deeper compromise and act quickly to investigate and remediate. Key steps include auditing mailbox rules, scanning for unusual forwarding destinations, validating that security alerts reach intended recipients, and conducting a full account and network investigation to remove any lingering footholds.
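The audit described above can be scripted. The following example, added here and not part of Barracuda's study or any vendor tool, reviews a set of mailbox rules for the abuse patterns listed earlier: forwarding or redirecting to an external domain (worse when triggered by keywords like "payment" or "invoice"), hiding messages from alert senders in seldom-checked folders, and deleting or diverting mail from a specific colleague. The rule records are constructed sample data whose field names are modelled on what Exchange's Get-InboxRule reports (ForwardTo, RedirectTo, MoveToFolder, MarkAsRead, DeleteMessage, From, SubjectOrBodyContainsWords); the tenant domain, the folder list and the sample rules are all assumptions for the illustration.

```python
"""Audit exported mailbox rules for inbox-rule abuse patterns.

Constructed example. The rule dictionaries imitate Get-InboxRule output
field names; the domain, folder list and sample rules are assumptions.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domain

# Keywords the article names as lucrative triggers for forwarding rules.
FINANCIAL_KEYWORDS = {"payment", "invoice", "confidential"}

# Folders a victim rarely opens; an alert moved here is effectively hidden.
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "archive", "junk email", "deleted items"}

# Sender patterns that usually identify automated security notifications.
ALERT_SENDER_PATTERNS = [r"security", r"no-?reply", r"alert", r"notification"]


@dataclass
class Finding:
    rule: str
    reason: str
    severity: str


def _external(addresses):
    """Return the addresses whose domain is not one of ours."""
    out = []
    for addr in addresses:
        m = re.search(r"@([\w.-]+)", addr)
        if m and m.group(1).lower() not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def audit_rule(rule):
    """Return a list of Finding objects for one rule (empty if it looks benign)."""
    findings = []
    if not rule.get("Enabled", True):
        return findings  # disabled rules cannot act; still worth a look in a real review
    name = rule["Name"]

    # Pattern 1: exfiltration by forwarding/redirecting to an outside domain.
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    ext = _external(targets)
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    if ext:
        severity = "high"
        reason = f"forwards/redirects mail to external address(es) {', '.join(ext)}"
        hits = sorted(words & FINANCIAL_KEYWORDS)
        if hits:
            reason += f" when the message contains {hits}"
            severity = "critical"
        findings.append(Finding(name, reason, severity))

    # Pattern 2/3: hiding alerts, or deleting/diverting mail from one colleague.
    senders = rule.get("From", [])
    alert_sender = any(re.search(p, s, re.I)
                       for p in ALERT_SENDER_PATTERNS for s in senders)
    hides = (rule.get("DeleteMessage", False) or rule.get("MarkAsRead", False)
             or (rule.get("MoveToFolder") or "").lower() in OBSCURE_FOLDERS)
    if hides and alert_sender:
        findings.append(Finding(name, "hides or deletes messages from a security/alert sender", "high"))
    elif hides and senders:
        findings.append(Finding(name, f"deletes, hides or marks read mail from {', '.join(senders)} "
                                      "(possible BEC preparation)", "medium"))
    return findings


def audit_mailbox(rules):
    """Audit every rule in a mailbox and return all findings."""
    return [f for rule in rules for f in audit_rule(rule)]


# Constructed sample rules for one mailbox.
SAMPLE_RULES = [
    {"Name": "Invoices", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment"],
     "ForwardTo": ["collector@mail-drop.example.net"]},
    {"Name": "Tidy up", "Enabled": True, "From": ["security-alerts@example.com"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Filter", "Enabled": True, "From": ["cfo@example.com"], "DeleteMessage": True},
    {"Name": "Projects", "Enabled": True, "From": ["team@example.com"], "MoveToFolder": "Projects"},
    {"Name": "Old rule", "Enabled": False, "ForwardTo": ["someone@elsewhere.example.org"]},
]

if __name__ == "__main__":
    for f in audit_mailbox(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule}: {f.reason}")
```

Run against a real export, the same logic would take the list produced by `Get-InboxRule -Mailbox <user>` converted to JSON, but the field names in that export should be checked against the tenant's actual output before relying on them. The domain check is an exact match, so subdomains of the tenant domain should be added to INTERNAL_DOMAINS explicitly.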

Raising awareness among employees about these tactics and enforcing email hygiene—strong passwords, multifactor authentication, and targeted monitoring for abnormal rule creation—can reduce the likelihood and impact of such attacks. Security teams should also ensure detection systems are tuned to flag suspicious rule changes and automate responses to isolate compromised accounts.

Proactive monitoring, rapid incident response, and employee education are essential to defend against the quiet but powerful threat of inbox rule abuse.