When most people think about a compromised email account, they imagine losing access.
The password gets changed.
The account gets locked.
The user immediately realizes something is wrong.
But some of the most damaging email compromises work differently.
The attacker does not lock you out.
The attacker stays hidden.
And often, the mechanism is surprisingly simple:
an email forwarding rule.
Recent threat intelligence observations and public security advisories have reinforced how frequently attackers use mailbox forwarding and redirection rules to maintain persistent visibility into corporate communications.
One of the most significant examples emerged in May 2026, when active exploitation of Microsoft Exchange vulnerability CVE-2026-42897 highlighted how attackers could establish long-term access to organizational communications. Among the post-compromise techniques observed was the creation of forwarding rules that silently redirected copies of messages to external accounts controlled by the attacker.
The operational risk is substantial.
Even after a password reset, those rules may remain active, because they live in the mailbox itself rather than in the credential that was changed.
The user believes the incident has been resolved.
The attacker continues receiving copies of emails.
The Silent Persistence Problem
From a workforce resilience perspective, forwarding rules represent a particularly dangerous form of persistence.
They create no visible disruption.
No ransomware message appears.
No files are encrypted.
No obvious alert is generated.
Business continues as usual.
Emails arrive normally.
Meetings continue.
Conversations proceed.
Meanwhile, sensitive information may be leaving the organization in real time.
This is precisely why these attacks often remain undetected for extended periods.
The compromise hides inside normal workflow.
And increasingly, modern attackers prefer trusted workflow over noisy technical disruption.
Why Email Remains a High-Value Target
Email continues to be one of the most critical operational systems inside any organization.
It contains:
• executive communications
• financial approvals
• contract negotiations
• supplier interactions
• customer information
• strategic discussions
Compromising a mailbox often provides attackers with visibility far beyond what a single endpoint compromise would offer.
This is one reason why Business Email Compromise (BEC) remains one of the most financially damaging forms of cybercrime worldwide.
According to the IBM Cost of a Data Breach Report 2025, phishing was the leading initial attack vector in Brazil, accounting for 18% of reported breaches, with an average incident cost of approximately R$ 7.18 million.
In many cases, email serves as the initial gateway.
Not because technology failed.
But because visibility failed.
The Operational Risk of Invisible Access
Many organizations invest heavily in credential protection.
And rightly so.
Strong passwords and multi-factor authentication remain essential security controls.
However, modern attackers increasingly seek something beyond credential theft.
They seek persistence.
Forwarding rules provide exactly that.
Once established, an attacker can:
• monitor financial conversations
• observe payment approval processes
• study executive communication patterns
• identify supplier relationships
• collect sensitive documents
• prepare future fraud attempts
All without creating operational noise.
The mailbox owner may never notice.
The compromise becomes part of routine business activity.
At that point, the problem is no longer purely technical.
It becomes an operational continuity issue.
Behavioral Visibility Matters
One of the recurring lessons from recent threat intelligence reporting is that visibility cannot depend exclusively on security teams.
Workforce resilience requires distributed awareness.
Employees do not need to become cybersecurity specialists.
But they do need enough operational discipline to recognize unusual conditions inside systems they use every day.
Mailbox rules are a perfect example.
Most users rarely review them.
Many do not even know they exist.
Yet they directly influence how information flows inside and outside the organization.
This creates a behavioral blind spot that attackers actively exploit.
What You Can Do on Monday Morning
The good news is that reviewing mailbox forwarding rules takes only a few minutes.
In Outlook or Outlook Web Access (OWA):
• Open Settings
• Navigate to Mail → Rules
• Review Mail → Forwarding
• Look for rules you do not recognize
• Pay particular attention to automatic forwarding or redirection to external addresses
If something appears unusual, do not immediately delete it.
Contact your IT or Security team first.
That rule may provide valuable evidence of an ongoing compromise.
Organizations should encourage employees to review mailbox rules periodically as part of normal cyber hygiene.
A simple monthly review can significantly reduce the duration of undetected compromise.
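The OWA steps above cover one mailbox at a time. The following PowerShell script is an added example, not part of the original article and not an official tool of the author or of Microsoft; it runs the same review centrally for every user mailbox in an Exchange Online tenant so that IT or Security can spot forwarding to external domains and pull the audit trail of who created each rule. It assumes the ExchangeOnlineManagement module is installed, that the operator has at least view-only recipient and audit-log rights, and that the output path forwarding-review.csv is acceptable; those are assumptions, and the script changes nothing in the tenant.

```powershell
# Added example (not from the original article): central review of mailbox
# forwarding in Exchange Online. Read-only: it reports, it does not delete,
# so a suspicious rule stays intact as evidence for the incident responders.
# Assumes the ExchangeOnlineManagement module and view-only recipient rights.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; any other destination is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName.ToLower()

function Test-ExternalAddress {
    param([string]$Address)
    # Values arrive in several shapes: "smtp:user@example.com",
    # '"Name" [SMTP:user@example.com]', or "Name <user@example.com>".
    # Pull out the first address-looking token and compare its domain.
    $m = [regex]::Match($Address, '[^\s"<>\[\]:]+@[^\s"<>\[\]]+')
    if (-not $m.Success) { return $false }
    $domain = ($m.Value -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$findings = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # 1) Mailbox-level forwarding (Set-Mailbox / admin center). This is the
    #    setting OWA shows under Mail -> Forwarding.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'Mailbox property'
            RuleName = '(n/a)'
            Enabled  = $true
            Action   = if ($mbx.DeliverToMailboxAndForward) { 'Forward (copy kept)' } else { 'Forward (no local copy)' }
            Target   = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            External = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
        })
    }

    # 2) Inbox rules, i.e. what OWA shows under Mail -> Rules. An attacker
    #    with the user's session creates these, and a password reset leaves them.
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        foreach ($action in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($t in @($rule.$action)) {
                if (-not $t) { continue }
                $findings.Add([pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Source   = 'Inbox rule'
                    RuleName = $rule.Name
                    Enabled  = $rule.Enabled
                    Action   = $action          # RedirectTo removes the message from the inbox
                    Target   = "$t"
                    External = Test-ExternalAddress "$t"
                })
            }
        }
    }
}

# External destinations first: those are the rules the review is looking for.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-review.csv -NoTypeInformation

# 3) Who created or changed forwarding in the last 30 days, and from which IP.
#    Unified audit log records carry the cmdlet parameters as Name/Value pairs.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000
foreach ($e in $events) {
    $d   = $e.AuditData | ConvertFrom-Json
    $fwd = $d.Parameters | Where-Object { $_.Name -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|ForwardingAddress' }
    if ($fwd) {
        [pscustomobject]@{
            When     = $d.CreationTime
            Who      = $d.UserId
            Op       = $d.Operation
            ClientIP = $d.ClientIP
            Target   = (@($fwd.Value) -join '; ')
        }
    }
}
```

Rows flagged External with Action set to RedirectTo deserve the first look: redirection leaves no copy in the user's inbox, which is exactly the "no visible disruption" condition described above. The audit-log section pairs each rule with the account, time and client IP that created it, which is the evidence to hand to the incident responders before anyone deletes anything.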
Why This Is a Workforce Resilience Issue
Within the Cyber Resilience Lifecycle Ecosystem, this challenge belongs directly to Layer II — Workforce Behavioral Resilience.
The problem is not a lack of technology.
Most organizations already deploy:
• email security controls
• identity protection
• MFA
• monitoring platforms
• threat intelligence
• detection technologies
The challenge lies in maintaining visibility into everyday operational behavior.
Modern attackers increasingly seek persistence that blends into routine activity.
Forwarding rules represent exactly that type of exposure.
The workforce layer becomes critical because employees interact with these systems every day.
And resilience improves when routine verification becomes part of normal workflow.
The Operational Lesson
Modern attacks do not always announce themselves.
Many of the most damaging compromises operate quietly.
They depend on remaining invisible.
Mailbox forwarding rules are a reminder that operational resilience is not only about detecting dramatic events.
It is also about identifying subtle changes that should not be there.
A compromised inbox rarely creates immediate disruption.
But over time, it can expose negotiations, payments, contracts, customer information, and strategic decisions.
That is why resilience depends not only on security controls.
It depends on disciplined verification.
Because the most dangerous compromises are often the ones that continue working exactly as expected.
Until someone takes the time to look.
Daniel Porta
CISO | Cyber Resilience Architect | Enterprise & Workforce Resilience
Founder – Cyber Resilience Initiatives
