How can mailbox rules be abused for ransomware persistence?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you change your password after suspecting your account was hacked. You breathe a sigh of relief. But three days later, the attacker still knows everything happening in your inbox. How? They left a trap behind before you locked them out.
That trap is a mailbox rule. Normally, rules are completely innocent. You use them to sort newsletters into folders, flag emails from your boss, or auto-reply when you're on holiday. But an attacker with temporary access to your account can create rules that keep working long after they've been kicked out.
What attackers actually set up
The most common abuse patterns look like this:
- Silent forwarding: Every email you receive gets a copy sent to an address the attacker controls. You see nothing unusual. They see everything.
- Security notification burial: Rules that move or delete emails containing words like "password reset", "sign-in from new device", or "security alert" before you ever notice them. You don't get the warning. You don't act on it.
- Recovery blocking: If your IT team or bank sends a recovery code, a rule intercepts it. The attacker gets the code. You get nothing and assume the system is broken.
- Conversation hiding: Rules that mark certain threads as read and archive them immediately, so you never see replies that might tip you off to something suspicious happening in your name.
The nasty part is that these rules survive a password reset. Changing your password revokes the attacker's login session, but it does not delete rules they already created. That's why a compromised account can stay compromised for weeks after the "fix".
How to find hidden rules
Now the process varies by platform, but the principle is the same: look at every rule, not just the ones you remember creating.
In Outlook (desktop or web), go to Settings and search for "Rules". In the web version, it's under Settings > Mail > Rules. Look for anything forwarding to an address you don't recognise, anything deleting or moving messages based on keywords like "password", "security", "login", or "verification".
In Gmail, go to Settings > See all settings > Filters and Blocked Addresses. Then separately check Settings > Forwarding and POP/IMAP, because Gmail stores auto-forwarding separately from regular filters. Both places can be abused.
In Microsoft 365 business accounts, an admin can audit all mailbox rules across the organisation using PowerShell or the Exchange Admin Center. If you're in a corporate environment and you suspect compromise, don't just check your own rules. Ask IT to run the audit at the admin level, because some rules can be hidden from the end-user view.
What recovery actually looks like
Don't just delete suspicious rules and call it done. Here's the order that matters:
- Audit and delete all rules first, before changing passwords again. If you change the password while a forwarding rule is still live, the attacker gets a copy of your new-password-confirmation email.
- Check connected apps. OAuth tokens and third-party app permissions can also survive a password reset. Revoke anything you don't recognise.
- Enable multi-factor authentication (MFA) if it wasn't on. Rules are usually planted because the account was accessed without MFA in the first place.
- Then change your password and review your recovery email and phone number (attackers sometimes update these too).
- Check sent items and deleted items for anything that went out without your knowledge during the window of compromise.
The reason this matters specifically in ransomware scenarios is that attackers often spend time in a corporate inbox gathering intelligence before deploying anything. They're reading finance threads, learning vendor relationships, spotting backup schedules. Rules let them keep reading even after an initial detection triggers a response. By the time IT thinks the incident is closed, the attacker still has a live feed.
If you're in the middle of a suspected compromise and not sure where to start, our SOS hotline is free and we'll walk through the audit with you directly.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.