- Proofpoint Highlights Inbox Rules as Key Persistence Tactic for Email Breaches
- Attackers use rules to hide alerts, transfer data, and bypass password changes.
- About 10% of compromised accounts in Q4 2025 had malicious rules created within seconds of access.
When taking over a person’s inbox, cybercriminals rely on a technique that is popular for maintaining persistence, exfiltrating data without being detected, and impersonating their victims, even though the feature itself is not malicious, experts have warned.
Security researchers at Proofpoint have released a report highlighting the use of inbox rules in cybercrime: automated instructions that sort, move, delete or forward incoming messages based on conditions set by the user.
“While mailbox rules are designed to help users organize their emails, attackers exploit them to delete, hide, forward, or mark messages as read, thereby silently controlling the email flow without alerting the victim,” Proofpoint warned.
How to Spot Malicious Rules
“It’s more common than you think,” Proofpoint said in its report. Analyzing email breaches that occurred during the fourth quarter of 2025, researchers found that approximately 10% of compromised accounts had at least one malicious mailbox rule created shortly after initial access – and usually before any other malicious activity.
In fact, in some cases the rules were created just five seconds after the initial compromise, showing how important the technique is to attackers.
In addition to being able to monitor communications, hide security alert emails, or read 2FA codes, email rules have another important benefit: maintaining persistence even after passwords are changed.
If a victim realizes their account has been compromised and simply changes their password without removing the rules, attackers will retain their access regardless of the credentials change.
The rules are easy to spot, however. Each rule needs a name, and Proofpoint says that checking rule names from time to time is the best way to detect a compromised email account. The usual names are ‘.’, ‘…’, ‘,’ or similar.
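The traits described above (meaningless punctuation names, actions that delete, hide, mark as read or forward mail, filters aimed at security alerts and one-time codes, and creation seconds after a sign-in) can be turned into a simple triage check. The following is an added example, not code from Proofpoint or from the article; the rule record format, the keyword list and the sample rules are constructed here to mirror what a mailbox rule export might contain, and the org domain and timestamps are assumed. It flags any rule that trips at least two heuristics so that ordinary "move newsletters to a folder" rules are not reported on their own.

```python
"""Triage exported mailbox rules for signs of attacker-created persistence."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import unicodedata

# Subjects an attacker wants kept out of the victim's sight: security alerts,
# password changes, verification codes. Constructed list for this example.
SENSITIVE_KEYWORDS = ("password", "security alert", "verification code",
                      "sign-in", "suspicious", "2fa")


@dataclass
class MailboxRule:
    """Assumed shape of one exported rule (not a real product's schema)."""
    name: str
    conditions: dict   # e.g. {"subject_contains": ["password"]}
    actions: dict      # e.g. {"delete": True, "forward_to": "x@mail.example"}
    created_at: datetime


def name_is_meaningless(name: str) -> bool:
    """True for names such as '.', '…', ',' or blank: only punctuation/space."""
    return all(ch.isspace() or unicodedata.category(ch).startswith("P")
               for ch in name)


def hides_mail(rule: MailboxRule) -> bool:
    """Actions that stop the victim from noticing a message in the inbox."""
    a = rule.actions
    return bool(a.get("delete") or a.get("mark_as_read") or a.get("move_to_folder"))


def forwards_externally(rule: MailboxRule, org_domain: str) -> bool:
    """Forwarding to any address outside the organisation's own domain."""
    target = rule.actions.get("forward_to", "")
    return bool(target) and not target.lower().endswith("@" + org_domain.lower())


def targets_sensitive_mail(rule: MailboxRule) -> bool:
    """Conditions that single out security, password or one-time-code mail."""
    terms = (rule.conditions.get("subject_contains", [])
             + rule.conditions.get("body_contains", []))
    return any(k in t.lower() for t in terms for k in SENSITIVE_KEYWORDS)


def created_right_after_signin(rule: MailboxRule, signins: list,
                               window: timedelta = timedelta(minutes=5)) -> bool:
    """Rule created within `window` after any recorded sign-in time."""
    return any(timedelta(0) <= rule.created_at - t <= window for t in signins)


def assess_rule(rule: MailboxRule, org_domain: str, signins: list) -> list:
    """Return the list of heuristics this rule trips (empty if none)."""
    reasons = []
    if name_is_meaningless(rule.name):
        reasons.append("meaningless name")
    if hides_mail(rule):
        reasons.append("hides mail from inbox")
    if forwards_externally(rule, org_domain):
        reasons.append("forwards outside the organisation")
    if targets_sensitive_mail(rule):
        reasons.append("matches security/password mail")
    if created_right_after_signin(rule, signins):
        reasons.append("created within minutes of a sign-in")
    return reasons


def triage(rules: list, org_domain: str, signins: list) -> list:
    """Return (rule, reasons) for every rule that trips at least two heuristics."""
    flagged = []
    for rule in rules:
        reasons = assess_rule(rule, org_domain, signins)
        if len(reasons) >= 2:
            flagged.append((rule, reasons))
    return flagged


# Constructed sample: one benign rule and two that look attacker-made.
T0 = datetime(2025, 11, 3, 9, 14, 0)          # assumed sign-in time
SAMPLE_SIGNINS = [T0]
SAMPLE_RULES = [
    MailboxRule("Newsletters", {"sender_contains": ["newsletter@"]},
                {"move_to_folder": "Reading"}, T0 - timedelta(days=40)),
    MailboxRule(".", {"subject_contains": ["password", "security alert"]},
                {"delete": True}, T0 + timedelta(seconds=5)),
    MailboxRule("…", {"subject_contains": ["invoice"]},
                {"mark_as_read": True, "forward_to": "collector@mail.example"},
                T0 + timedelta(seconds=41)),
]

if __name__ == "__main__":
    for rule, reasons in triage(SAMPLE_RULES, "corp.example", SAMPLE_SIGNINS):
        print(f"FLAG rule {rule.name!r} created {rule.created_at}: {', '.join(reasons)}")
```

Flagged rules are the ones to remove during remediation; resetting the password alone, as the article notes, leaves them in place.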
The report highlights enterprise users (particularly finance, executives, and business-facing roles) as primary targets in business email compromise scenarios, as well as university accounts (students, faculty, and dormant accounts).