- Proofpoint Highlights Inbox Rules as Key Persistence Tactic in Email Leaks
- Attackers use rules to hide alerts, forward data and prevent password changes
- ~10% of compromised accounts in Q4 2025 had malicious rules created within seconds of access
Once they have taken over a person's inbox, cybercriminals rely on one specific and very popular technique to maintain persistence, exfiltrate data undetected and impersonate their victims, even though the feature itself is not malicious, experts warned.
Security researchers at Proofpoint have published a report highlighting the use of inbox rules in cybercrime: automated instructions that classify, move, delete or forward incoming messages based on conditions set by the user.
“While mailbox rules are designed to help users organize email, attackers leverage them to delete, hide, forward, or mark messages as read, silently controlling email flow without alerting the victim,” Proofpoint warned.
How to detect malicious rules
“It's more common than you think,” Proofpoint said in its report. When analyzing email breaches that occurred during the fourth quarter of 2025, researchers found that approximately 10% of compromised accounts had at least one malicious mailbox rule created shortly after the initial access and usually before any other malicious activity.
In some cases the rules were created within five seconds of the initial intrusion, which shows how central the technique is to attackers' playbooks.
Besides letting attackers monitor communications, hide security alert emails or read 2FA codes, email rules have another important advantage: they maintain persistence even after a password change.
If a victim realizes that their account has been compromised and simply changes the password without removing the rules, attackers will retain their access regardless of the credential change.
Spotting the rules is easy, however: every rule must have a name, and Proofpoint says checking rule names from time to time is the best way to spot compromised email accounts. Attacker-created rules commonly carry names such as '.', '…', ',' or similar.
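The checks described above (punctuation-only rule names, rules that delete, mark as read or forward mail, and conditions that single out security notifications) can be turned into a triage script that an admin runs over an export of users' mailbox rules. The example below is added here and is not Proofpoint's tooling; the record shape is loosely modelled on a Microsoft Graph messageRule export, and the keyword list, the organisation domain and the sample rules are constructed assumptions.

```python
import string

# Heuristics from the report above: attacker-created rules are often named with
# punctuation only ('.', '...', ','), delete/hide/mark-read or forward mail, and
# frequently single out security and 2FA notifications.
SECURITY_KEYWORDS = ("password", "security alert", "verification code", "sign-in", "suspicious")
ORG_DOMAIN = "example.com"  # constructed: the tenant's own mail domain

def is_junk_name(name: str) -> bool:
    """True when the rule name is empty, whitespace or punctuation only."""
    stripped = name.strip()
    return stripped == "" or all(c in string.punctuation or c == "\u2026" for c in stripped)

def external_forwards(actions: dict) -> list:
    """Forward/redirect recipients outside ORG_DOMAIN."""
    targets = (actions.get("forwardTo", []) + actions.get("redirectTo", [])
               + actions.get("forwardAsAttachmentTo", []))
    return [t for t in targets if not t.lower().endswith("@" + ORG_DOMAIN)]

def targets_security_mail(conditions: dict) -> bool:
    """True when a subject/body condition matches a security or 2FA keyword."""
    needles = [s.lower() for key in ("subjectContains", "bodyOrSubjectContains")
               for s in conditions.get(key, [])]
    return any(kw in n for n in needles for kw in SECURITY_KEYWORDS)

def score_rule(rule: dict) -> list:
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    actions, conditions = rule.get("actions", {}), rule.get("conditions", {})
    if is_junk_name(rule.get("displayName", "")):
        findings.append("junk-name")
    if external_forwards(actions):
        findings.append("external-forward")
    if actions.get("delete") or actions.get("permanentDelete") or actions.get("markAsRead"):
        findings.append("deletes-or-marks-read")
    if targets_security_mail(conditions):
        findings.append("targets-security-mail")
    return findings

def triage(rules: list) -> dict:
    """Map rule id -> findings for every rule that raised at least one finding."""
    return {r["id"]: score_rule(r) for r in rules if score_rule(r)}

# Constructed sample export: two attacker-style rules and one benign one.
SAMPLE_RULES = [
    {"id": "r1", "displayName": ".", "conditions": {"bodyOrSubjectContains": ["invoice"]},
     "actions": {"forwardTo": ["drop@attacker.example"], "delete": True}},
    {"id": "r2", "displayName": ",", "conditions": {"subjectContains": ["password", "security alert"]},
     "actions": {"markAsRead": True, "moveToFolder": "rssfeeds"}},
    {"id": "r3", "displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "newsletters"}},
]
```

Running `triage(SAMPLE_RULES)` flags r1 and r2 and leaves the newsletter rule alone; a rule with two or more findings is the kind worth investigating first.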
The report highlights business users (especially finance, executive, and business roles) as primary targets in business email compromise scenarios, along with university accounts (students, faculty, and inactive accounts).