TechRadar
Sead Fadilpašić

'It's more common than you think': Experts reveal how hackers are trying to hijack your inbox with these clever tactics

  • Proofpoint highlights inbox rules as key persistence tactic in email breaches
  • Attackers use rules to hide alerts, forward data, and bypass password changes
  • ~10% of compromised accounts in Q4 2025 had malicious rules created within seconds of access

When taking over a person’s inbox, there is one specific, very popular technique cybercriminals use to maintain persistence, exfiltrate data without being spotted, and impersonate their victims - despite it not being malicious on its own, experts have warned.

Security researchers at Proofpoint published a report highlighting the use of inbox rules in cybercrime - automated instructions that sort, move, delete, or forward incoming messages based on specific conditions that the user sets up.

“While mailbox rules are designed to help users organize email, attackers leverage them to delete, hide, forward, or mark messages as read, silently controlling email flow without alerting the victim,” Proofpoint warned.

How to spot malicious rules

“It's more common than you think,” Proofpoint said in its report. Analyzing email breaches that happened during Q4 2025, the researchers found that roughly 10% of compromised accounts had at least one malicious mailbox rule created shortly after initial access - and usually before any other malicious activity.

In fact, in some cases the rules were created five seconds after the initial breach, showing just how important the technique is.

Besides being able to monitor communications, hide security alert emails, or read 2FA codes, there is another important advantage to email rules - maintaining persistence even after the passwords are changed.

If a victim realizes their account was compromised and simply changes the password without deleting the rules, the attackers will keep their access regardless of the credential change.

Spotting the rules is easy, though. They need to be named, and Proofpoint says going through the names once in a while is the best way to spot email account compromise. The usual names are ‘.’, ‘...’, ‘,’, or similar.
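As an added illustration (not code from Proofpoint's report or from the article), the name review described above can be scripted over an export of a mailbox's rules. The field names, the 60-second window, the sign-in timestamp and the sample records are assumptions constructed for this example.

```python
import string
from datetime import datetime, timedelta

# Actions the report says attackers abuse: delete, hide (move), forward, mark as read.
RISKY_ACTIONS = {"delete", "move", "forward", "mark_read"}
# Assumed threshold; the article cites rules created five seconds after access.
QUICK_WINDOW = timedelta(seconds=60)


def is_placeholder_name(name: str) -> bool:
    """True for names made only of punctuation/whitespace, e.g. '.', '...', ','."""
    stripped = name.strip()
    return stripped == "" or all(ch in string.punctuation for ch in stripped)


def audit_rules(rules, sign_in):
    """Return {rule name: [reasons]} for rules that deserve a manual look."""
    findings = {}
    for rule in rules:
        reasons = []
        if is_placeholder_name(rule["name"]):
            reasons.append("punctuation-only name")
        risky = sorted(RISKY_ACTIONS & set(rule["actions"]))
        if risky:
            reasons.append("actions: " + ", ".join(risky))
        created = datetime.fromisoformat(rule["created"])
        if timedelta(0) <= created - sign_in <= QUICK_WINDOW:
            reasons.append("created right after sign-in")
        # Require a name or timing signal; risky actions alone are common in normal rules.
        if any(not r.startswith("actions") for r in reasons):
            findings[rule["name"]] = reasons
    return findings


# Constructed sample data (hypothetical field names, not a real mail API export).
SIGN_IN = datetime.fromisoformat("2025-11-03T09:14:00")
SAMPLE_RULES = [
    {"name": "Newsletters", "actions": ["move"], "created": "2024-02-10T08:00:00"},
    {"name": "...", "actions": ["forward", "mark_read"], "created": "2025-11-03T09:14:05"},
    {"name": ",", "actions": ["delete"], "created": "2025-11-03T09:20:00"},
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, SIGN_IN).items():
        print(repr(name), "->", "; ".join(reasons))
```

Any rule this flags should be deleted as part of account recovery, since a password change alone leaves it in place.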

The report highlights enterprise users (especially finance, executives, and business-facing roles) as primary targets in business email compromise scenarios, along with university accounts (students, faculty, and dormant accounts).
