The Inbox Rules Attackers Create to Stay Hidden
After compromising an email account, the first thing most attackers do is not steal data or send phishing emails. They create inbox rules. These rules silently delete, redirect, or suppress the very alerts that would expose them.
At a glance: MITRE ATT&CK technique T1564.008 · #1 first post-compromise action · 89% of BEC cases use rules · under 60 seconds to create a hiding rule
Why inbox rules come first
Imagine you have just broken into someone's house. Before you start taking anything, you disable the alarm system and disconnect the security cameras. That is exactly what malicious inbox rules accomplish. They disable the digital alarm system before the real operation begins.
MITRE ATT&CK tracks this technique as T1564.008 (Hide Artifacts: Email Hiding Rules). It appears in nearly every business email compromise playbook because it solves the attacker's most immediate problem: staying undetected long enough to do damage.
Without hiding rules, the compromised user would receive password reset confirmations, MFA enrollment notifications, login alerts from unusual locations, and security warnings from IT. Any one of those emails could end the operation within minutes. With the right rules in place, those emails vanish before the victim ever sees them. Because Exchange and Gmail evaluate rules on the server as mail arrives, a hiding rule works on every device and client the victim uses, whether or not the attacker's session is still active.
The five most common hiding rule patterns
After analyzing hundreds of compromised accounts, clear patterns emerge. Attackers do not get creative here. They use the same proven templates because they work reliably across email providers.
Pattern 1: Delete emails from IT and security teams. The rule matches sender addresses or display names containing "IT," "security," "helpdesk," "admin," or "support." Any matching email is permanently deleted, bypassing the trash folder entirely. This prevents the user from seeing password reset confirmations, account lockout notices, or security team inquiries about suspicious activity.
Pattern 2: Mark alerts as read and archive. Instead of deleting (which might trigger a missing-email investigation), this subtler approach marks security notifications as read and moves them to the archive. The emails still exist, but the user never sees an unread notification. Most people never check their archive.
Pattern 3: Move to RSS or Junk folders. This is the most common pattern in practice. The rule moves targeted emails to the RSS Subscriptions folder (in Outlook) or, in Gmail, to a rarely checked label. Most users do not even know the RSS folder exists. An attacker can hide months of security alerts in a folder the victim will never open.
Pattern 4: Forward and delete. The rule forwards matching emails to an external address controlled by the attacker, then deletes the original. This serves a dual purpose: the attacker receives copies of security notifications (helping them anticipate the response) while the victim sees nothing.
Pattern 5: Keyword-based suppression. Rather than targeting specific senders, this rule matches keywords in the subject or body. Common trigger words include "suspicious," "unauthorized," "security alert," "unusual sign-in," "verify your identity," and "password changed." This catches alerts the attacker did not anticipate from senders they could not predict.
Why traditional tools miss them
Email security gateways scan inbound messages for malware, phishing links, and spam. They are designed to protect what comes into the inbox, not what happens to the inbox configuration itself. An inbox rule is an account setting, not an email, so it falls outside the scope of a conventional spam filter, antivirus product, or email gateway.
Even security information and event management (SIEM) platforms often miss these changes. Audit logs do record rule creation: Microsoft 365 writes New-InboxRule, Set-InboxRule, and UpdateInboxRules operations to the unified audit log, and Google Workspace logs the equivalent filter changes. But most organizations have no detection rule configured to alert on them. The signal exists in the logs, but nobody is watching for it.
The result is a blind spot that attackers have learned to exploit systematically. The hiding rules go in within the first minute. Everything else (data exfiltration, BEC fraud, lateral movement) happens under their cover.
How to detect malicious inbox rules
Detection requires looking at a layer most security tools ignore: the mailbox configuration itself. Here is what to audit and how to identify rules that do not belong.
Audit all existing rules regularly. Most users have zero to three inbox rules, and they know what those rules do. Any rule the user does not recognize is suspicious. Rules that were created during off-hours, from an unfamiliar IP, or immediately after a sign-in from a new device deserve immediate investigation.
Flag rules that target security-related keywords. Legitimate inbox rules filter newsletters, sort project emails, or organize receipts. They do not target words like "security," "alert," "password," "MFA," or "unauthorized." A rule that suppresses emails containing those terms is almost certainly malicious.
Watch for rules that delete or redirect without user interaction. Rules that permanently delete messages (bypassing trash) or forward to external addresses are high-risk actions. Legitimate users rarely configure these behaviors, and when they do, they typically remember doing so. Where the business allows it, disabling automatic external forwarding at the tenant level (in Exchange Online, the outbound spam policy's automatic forwarding setting) removes the forward-and-delete pattern entirely rather than merely detecting it.
Check the RSS Subscriptions and Junk folder for misplaced emails. If security alerts or IT notifications are appearing in these folders, a hiding rule is likely responsible. This is a quick manual check that can surface a compromise in minutes.
Monitor rule creation timestamps against sign-in logs. A rule created within minutes of a sign-in from a new device or unusual location is a strong indicator of compromise. The correlation between these two events is one of the most reliable detection signals available.
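The five checks above, and the five rule patterns they are meant to catch, fit naturally into one triage script. The following is an added example and is not InboxWatch's code. It scores each exported rule on its trigger (IT/security sender names, security keywords) and its action (permanent delete, move to a rarely checked folder, mark as read, forward or redirect outside the organization), then adds weight when the rule was created shortly after a new-device sign-in. Field names loosely follow Microsoft Graph's messageRule shape; that is an assumption, and a real export returns folder IDs and recipient objects rather than the plain names and addresses used here. The internal domain, the threshold, the sample rules, the sign-in log and the audit records are all constructed for the example.

```python
# Added example, not InboxWatch code: triage exported inbox rules against the five
# patterns above and correlate rule creation with sign-ins. Field names loosely
# follow Microsoft Graph's messageRule (assumed; folders and recipients are
# flattened to plain names/addresses here). All sample data is constructed.
from datetime import datetime, timedelta, timezone

SECURITY_SENDERS = {"it", "security", "helpdesk", "admin", "support"}
SECURITY_KEYWORDS = ("suspicious", "unauthorized", "security alert", "unusual sign-in",
                     "verify your identity", "password changed", "password", "mfa", "security")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "archive"}
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
FLAG_THRESHOLD = 4               # assumption: a security trigger plus any hiding action

def _lower(values):
    return [v.lower() for v in (values or [])]

def score_rule(rule):
    """Score one rule against patterns 1-5. Returns (score, reasons)."""
    cond, act = rule.get("conditions") or {}, rule.get("actions") or {}
    score, reasons = 0, []
    # Trigger side: pattern 1 keys on IT/security sender names (exact tokens),
    # pattern 5 on security words anywhere in the subject or body.
    if any(t in SECURITY_SENDERS for t in _lower(cond.get("senderContains"))):
        score += 3
        reasons.append("matches IT/security sender names")
    text = _lower(cond.get("subjectContains")) + _lower(cond.get("bodyOrSubjectContains"))
    hits = sorted({t for t in text if any(k in t for k in SECURITY_KEYWORDS)})
    if hits:
        score += 3
        reasons.append("matches security keywords: " + ", ".join(hits))
    # Action side: what happens to the matched mail.
    if act.get("permanentDelete"):      # pattern 1: bypasses Deleted Items
        score += 3
        reasons.append("permanently deletes (bypasses trash)")
    elif act.get("delete"):             # patterns 4/5: ordinary delete
        score += 2
        reasons.append("deletes")
    folder = (act.get("moveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:        # patterns 2/3: rarely checked folder
        score += 2
        reasons.append(f"moves to '{folder}'")
        if act.get("markAsRead"):
            score += 1
            reasons.append("and marks as read")
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):  # pattern 4
        for addr in act.get(key) or []:
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                score += 4
                reasons.append(f"{key} external address {addr}")
    return score, reasons

def preceding_signin(rule_event, signins, window=timedelta(minutes=30)):
    """Latest sign-in within `window` before the rule was created, or None."""
    recent = [s for s in signins if timedelta(0) <= rule_event["time"] - s["time"] <= window]
    return max(recent, key=lambda s: s["time"]) if recent else None

def triage(rules, rule_events, signins):
    """[(name, score, reasons)] for rules scoring >= FLAG_THRESHOLD, highest first.
    Creation shortly after a new-device sign-in adds 3 (the correlation signal)."""
    events = {e["rule"]: e for e in rule_events}
    flagged = []
    for rule in rules:
        score, reasons = score_rule(rule)
        ev = events.get(rule["displayName"])
        si = preceding_signin(ev, signins) if ev else None
        if si and si["new_device"]:
            minutes = int((ev["time"] - si["time"]).total_seconds() // 60)
            score += 3
            reasons.append(f"created {minutes} min after new-device sign-in from {si['ip']}")
        if score >= FLAG_THRESHOLD:
            flagged.append((rule["displayName"], score, reasons))
    return sorted(flagged, key=lambda f: -f[1])

# Constructed sample: one benign rule and three that follow the patterns above.
T0 = datetime(2024, 3, 4, 2, 10, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"displayName": "Newsletters", "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "conditions": {"senderContains": ["helpdesk", "security"]},
     "actions": {"permanentDelete": True}},
    {"displayName": "..", "conditions": {"bodyOrSubjectContains": ["unusual sign-in", "verify your identity"]},
     "actions": {"markAsRead": True, "moveToFolder": "RSS Subscriptions"}},
    {"displayName": "Invoices", "conditions": {"subjectContains": ["invoice"]},
     "actions": {"forwardTo": ["collector@mail.example"], "delete": True}},
]
SAMPLE_SIGNINS = [  # simplified IdP sign-in log, constructed
    {"time": T0 - timedelta(hours=20), "ip": "203.0.113.10", "new_device": False},
    {"time": T0 - timedelta(minutes=4), "ip": "198.51.100.77", "new_device": True},
]
SAMPLE_RULE_EVENTS = [  # simplified rule-creation audit records, constructed
    {"rule": "Newsletters", "time": T0 - timedelta(days=90)},
    {"rule": ".", "time": T0},
    {"rule": "..", "time": T0 + timedelta(minutes=1)},
    {"rule": "Invoices", "time": T0 + timedelta(minutes=2)},
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_RULES, SAMPLE_RULE_EVENTS, SAMPLE_SIGNINS):
        print(f"{score:2d}  {name!r}: " + "; ".join(reasons))
```

Note that the "Invoices" rule scores high with no security keyword at all: forwarding to an external address plus deleting the original is enough on its own, which is why the action side is weighted as heavily as the trigger side. The benign newsletter rule scores zero even though it also moves mail to a folder, because the folder is not one of the rarely checked ones.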
What makes this technique so effective
The power of hiding rules lies in their compounding effect. Every other detection mechanism in your organization becomes weaker when an attacker controls which emails the user sees.
Password reset notifications? Deleted. MFA enrollment alerts? Archived. Login alerts from a new country? Moved to RSS. Security team emails asking "Was this you?" Forwarded to the attacker, then deleted. The compromised user goes about their day with no indication anything is wrong.
This is why inbox rule monitoring is not a nice-to-have. It is the foundation of email account security. If you cannot see the hiding rules, you cannot trust any other signal.
How InboxWatch handles this
InboxWatch scans inbox rules as part of every account check. It flags rules that target security keywords, rules that forward to external addresses, rules that permanently delete messages, and rules that were created from suspicious sign-in contexts. The scan takes about 60 seconds and reads only metadata and configuration settings, never email content.
If you have never audited your inbox rules, now is the time. The hiding rules could already be in place. You would not know until you look.
Check your accounts for free
InboxWatch scans for hidden forwarding rules, unauthorized delegates, rogue OAuth apps, and suspicious sign-in activity. Free. 60 seconds. Metadata only.
15 free scans · No credit card · $0.10/scan after
Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.