- Proofpoint highlights inbox rules as key persistence tactic in email breaches
- Attackers use rules to hide alerts, forward data, and bypass password changes
- ~10% of compromised accounts in Q4 2025 had malicious rules created within seconds of access
Although not malicious in itself, taking over someone’s inbox is one specific, highly popular technique cybercriminals use to maintain persistence, exfiltrate data undetected and impersonate their victims, experts have warned.
Security researchers at Proofpoint published a report highlighting the use in cybercrime of inbox rules, the automated instructions that sort, move, delete or forward incoming messages based on specific conditions set by the user.
“While mailbox rules are designed to help users organize emails, attackers exploit them to delete, hide, forward or mark messages as read, and control email flow without alerting the victim,” Proofpoint warned.
How to detect malicious rules
“It’s more common than you think,” Proofpoint said in its report. Analyzing email breaches that occurred during Q4 2025, the researchers found that about 10% of compromised accounts had at least one malicious mailbox rule created shortly after initial access—and usually before any other malicious activity.
In fact, in some cases the rules were created five seconds after the first breach, which shows how important the technique is.
In addition to being able to monitor communications, hide emails with security warnings or read 2FA codes, there is another important benefit of email rules – maintaining persistence even after the password has been changed.
If a victim realizes their account has been compromised and simply changes the password without deleting the rules, the attackers will retain their access regardless of the credential change.
However, it is easy to find the rules. They need to be named, and Proofpoint says the best way to spot email account compromise is to go through the names once in a while. The usual names are ‘.’, ‘…’, ‘,’ or similar.
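A sketch of the review described above, as an added example that is not from Proofpoint's report or the original article: it goes beyond the name check and also flags rules that delete, move, forward or mark messages as read, and rules created within an assumed 60 seconds of a sign-in. The rule record fields, the sample data and the two-signal threshold are constructed for illustration.

```python
import unicodedata
from datetime import datetime, timedelta

# Actions the report associates with abused rules: delete, hide (move),
# forward, or mark messages as read.
RISKY_ACTIONS = {"delete", "move", "forward", "mark_read"}

def punctuation_only(name):
    """True for names such as '.', '…' or ',' (or blank) with no letter or digit."""
    return all(unicodedata.category(c)[0] in "PSZ" for c in name.strip())

def audit_rule(rule, signin_at, window=timedelta(seconds=60)):
    """Reasons a rule deserves review; `window` is an assumed threshold."""
    reasons = []
    if punctuation_only(rule["name"]):
        reasons.append("punctuation-only name")
    risky = RISKY_ACTIONS & set(rule["actions"])
    if risky:
        reasons.append("actions: " + ",".join(sorted(risky)))
    delta = rule["created"] - signin_at
    if timedelta(0) <= delta <= window:
        reasons.append("created %ds after sign-in" % delta.total_seconds())
    return reasons

def triage(rules, signin_at, min_signals=2):
    """Map rule name -> reasons, keeping rules with at least `min_signals` (assumed)."""
    hits = {r["name"]: audit_rule(r, signin_at) for r in rules}
    return {n: why for n, why in hits.items() if len(why) >= min_signals}

# Constructed sample data (hypothetical field names), not taken from the report.
SIGNIN = datetime(2025, 11, 3, 9, 14, 0)
RULES = [
    {"name": "Newsletters", "actions": ["move"],
     "created": datetime(2024, 2, 1, 8, 0, 0)},
    {"name": ".", "actions": ["delete", "mark_read"],
     "created": datetime(2025, 11, 3, 9, 14, 5)},
    {"name": "…", "actions": ["forward"],
     "created": datetime(2025, 11, 3, 9, 14, 40)},
]

if __name__ == "__main__":
    for name, reasons in triage(RULES, SIGNIN).items():
        print(repr(name), "->", "; ".join(reasons))
```

Requiring two signals keeps an ordinary user rule that only files messages into a folder out of the review queue.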
The report highlights business users (especially finance, executive, and business-oriented roles) as primary targets in business email compromise scenarios, along with university accounts (student, faculty, and dormant accounts).



