Stop Silent Leaks: Complete Guide to Email Forwarding Rules Security
02 Oct 2025
Email auto-forwarding is a favourite trick in invoice fraud and account takeovers. One sneaky rule can copy quotes, invoices, and client emails to an attacker for weeksβwithout anyone noticing. Good news: a 10-minute check closes most gaps.
Bottom line: Never rely on email alone for money movesβand donβt let forwarding rules run in the dark.
π Understanding Email Forwarding Threats
The Silent Leak Problem
Email forwarding is one of the most dangerous and overlooked security vulnerabilities in small businesses.
How Attackers Use Forwarding:
- Business Email Compromise (BEC): Attackers gain access to email accounts
- Silent monitoring: Forward all emails to attackerβs inbox
- Data exfiltration: Copy sensitive information without detection
- Payment fraud: Monitor financial transactions and redirect communications
- Persistence: Maintain access even after password changes
Why Forwarding Is So Dangerous:
- Invisible to users: Forwarding happens in the background
- No immediate detection: Users donβt know emails are being copied
- Complete access: Attackers see all incoming and outgoing emails
- Persistent threat: Forwarding continues until discovered
- Financial impact: Can lead to significant financial losses
Common Attack Scenarios:
- Invoice fraud: Attackers monitor invoice emails and redirect payments
- Client communication: Intercept and respond to client emails
- Internal communications: Monitor internal discussions and decisions
- Legal documents: Copy confidential legal information
- Strategic planning: Access business strategy and planning documents
π‘οΈ Technical Protection Strategies
Step 1: Block External Auto-Forwarding (Org-Wide)
Google Workspace Configuration:
- Admin console β Apps β Google Workspace β Gmail
- Routing/Forwarding β Disable automatic forwarding to external
- Exceptions only: Allow for documented business needs
- Regular monitoring: Review forwarding settings monthly
Microsoft 365/Exchange Configuration:
- Exchange Admin Center β Mail flow β Remote domains
- Disable automatic forwarding to external domains
- Transport rules: Block external auto-forwarding with allow-list
- Exceptions management: Document and review exceptions quarterly
Implementation Best Practices:
- Document exceptions: Keep a record of approved forwarding rules
- Regular reviews: Monthly review of all forwarding rules
- Change management: Require approval for any forwarding changes
- Audit logging: Enable logging for all forwarding changes
Step 2: Hunt for Suspicious Inbox Rules
Types of Dangerous Rules:
- Forward/redirect to addresses outside your domain
- Delete + forward or mark as read + move (hide the reply trick)
- Auto-categorize rules that hide important emails
- Filter rules that move emails to hidden folders
High-Risk Mailboxes:
- Finance: billing@, accounts@, finance@
- HR: hr@, recruiting@, payroll@
- Leadership: ceo@, owner@, president@
- Shared: info@, support@, admin@
- Legal: legal@, compliance@
Rule Investigation Process:
- List all rules for each high-risk mailbox
- Review rule purpose and destination
- Check creation date and creator
- Verify legitimacy with rule creator
- Document findings and take action
π₯ People and Process Controls
Step 3: Enable Monitoring and Alerts
Google Workspace Monitoring:
- Admin console β Security β Alerting
- Email forwarding enabled alerts
- Rule created/changed alerts
- Suspicious login alerts
- Admin activity monitoring
Microsoft 365 Monitoring:
- Microsoft 365 Defender β Unified Audit Log
- Creation of forwarding/redirect rules alerts
- Mail flow rule changes
- Admin role group changes
- Mailbox access monitoring
Alert Configuration:
- Real-time alerts for suspicious activities
- Daily summary reports for review
- Escalation procedures for critical alerts
- Documentation of all alerts and responses
Step 4: Disable Legacy Access
Legacy Access Risks:
- POP/IMAP: Older email protocols with weaker security
- App passwords: Less secure authentication methods
- Basic authentication: Username/password without MFA
- Legacy applications: Older software with security vulnerabilities
Secure Alternatives:
- Modern authentication: OAuth 2.0, OpenID Connect
- Multi-factor authentication: Required for all access
- API access: Secure API keys and tokens
- Modern applications: Updated, secure software
Implementation Process:
- Inventory all legacy access methods
- Identify business needs for each legacy method
- Migrate to modern alternatives
- Disable legacy access where possible
- Monitor for any legacy access attempts
π Complete Implementation Checklist
Technical Controls
- Block external auto-forwarding organization-wide
- Review all inbox rules for high-risk mailboxes
- Enable monitoring for forwarding and rule changes
- Disable legacy access methods where possible
- Implement MFA for all email accounts
- Configure security alerts for suspicious activities
- Document all exceptions and business justifications
- Regular security reviews of email configurations
Process Controls
- Monthly forwarding rule reviews
- Quarterly exception reviews
- Incident response procedures for forwarding leaks
- Staff training on email security awareness
- Documentation of all email security policies
- Change management procedures for email configurations
- Audit logging for all email security changes
Monitoring and Alerting
- Real-time alerts for suspicious forwarding
- Daily summary reports for email security
- Weekly reviews of security logs
- Monthly comprehensive security assessments
- Quarterly external security audits
- Annual security policy reviews
οΏ½ Incident Response for Forwarding Leaks
Immediate Response (First 5 Minutes)
- Remove suspicious rules immediately
- Screenshot evidence before removal
- Sign out all sessions from compromised accounts
- Reset passwords for affected accounts
- Enable MFA for all account access
Short-Term Response (First 24 Hours)
- Investigate scope of the forwarding leak
- Review sent mail for last 30-60 days
- Audit logs for suspicious activities
- Notify stakeholders of potential data exposure
- Implement additional security measures
Long-Term Response (First Week)
- Comprehensive security assessment
- Update security policies based on incident
- Additional training for staff
- Process improvements to prevent future incidents
- Documentation of lessons learned
π‘ Advanced Protection Strategies
Email Security Gateway
Implement advanced email filtering and protection.
Features:
- Advanced filtering: Block suspicious emails
- URL analysis: Check links for malicious content
- Attachment scanning: Scan for malware
- Sandboxing: Test suspicious emails in isolation
- Machine learning: AI-powered threat detection
Implementation:
- Cloud-based solutions: Microsoft Defender, Mimecast
- On-premises solutions: Barracuda, Proofpoint
- Hybrid solutions: Combination of cloud and on-premises
- Custom rules: Tailored to business requirements
Email Archiving and Compliance
Implement secure email archiving solutions.
Benefits:
- Data retention: Comply with regulatory requirements
- Legal hold: Preserve emails for legal proceedings
- Search capabilities: Advanced email search and discovery
- Compliance reporting: Generate compliance reports
Implementation:
- Cloud archiving: Microsoft 365, Google Vault
- On-premises archiving: Enterprise email archiving solutions
- Hybrid archiving: Combination of cloud and on-premises
- Legal hold procedures for litigation
π― Key Takeaways
Remember These Rules
- Email forwarding is a major security vulnerability
- Silent leaks can go undetected for weeks or months
- Regular monitoring is essential for detection
- Technical controls must be combined with process controls
- Staff awareness is critical for prevention
Your Action Plan
Our cybersecurity compliance kits include email security policies, inbox audit checklists, and staff training to help you lock down forwarding rules across your team.
- Block external auto-forwarding organization-wide
- Review all inbox rules for high-risk mailboxes
- Enable monitoring and alerting for suspicious activities
- Disable legacy access methods where possible
- Implement MFA for all email accounts
- Regular security reviews and assessments
- Train staff on email security awareness
Success Metrics
- Zero unauthorized forwarding rules
- All high-risk mailboxes reviewed monthly
- Real-time alerts for suspicious activities
- Staff awareness of email security threats
- Compliance with email security regulations
- Zero successful forwarding-based attacks
π Compliance and Legal Considerations
GDPR Article 32(4)
- Security of processing: Implement appropriate technical measures
- Data protection by design: Use strong authentication methods
- Access control: Limit access to authorized personnel
ISO27001 Clause 7.2.2
- Information security awareness: Train staff on security procedures
- Incident response: Document and test response procedures
- Business continuity: Ensure operations during security incidents
Industry Regulations
- HIPAA: Email security for healthcare data
- PCI DSS: Email security for payment data
- SOX: Internal controls for financial reporting
- NYDFS: Cybersecurity requirements for financial services
π Download Your Free Cyber Security Training Kit
Need ready-to-use checklists and short staff training slides?
π Download the Free Cyber Security Training Kit
π Related Resources
Internal Links:
- How to Spot Social Engineering in Messages and Meetings
- Stop Payment Fraud: A Simple Callback Playbook for Invoice & Bank-Detail Changes
- What Happens After a Phishing Click?
External Resources:
- Microsoft: Email security best practices
- Google Workspace: Email security documentation
- National Cyber Security Centre: Email security guidance
- CISA: Email security recommendations
π Estimated Reading Time: 18 minutes
π Aligned With: GDPR Article 32(4), ISO27001 Clause 7.2.2
π Target Audience: Small business owners, IT administrators, security managers
π― Learning Objectives: Understand forwarding threats, implement email security controls, prevent silent email leaks
π£ Complete Phishing Protection Kit
Get our phishing awareness training slides, staff quizzes, and prevention checklists. Everything you need to protect your team from email attacks.