April 2, 2026 · 5 min read

The Threat Your Antivirus Can't See

Your spam filter catches phishing. Your antivirus catches malware. Nothing checks if someone already has a key to your inbox.

Your email security has a blind spot

Most businesses run antivirus software. Most have spam filters turned on. Many have invested in phishing training. These tools are good at what they do: catching malicious attachments, filtering obvious scams, and blocking known bad senders.

But they all share the same assumption: the threat is coming in.

What happens when the threat is already inside?

The attack that lives in your settings

Business Email Compromise (BEC) cost organizations $2.9 billion in 2023, according to the FBI's Internet Crime Complaint Center. It's the most expensive category of cybercrime, more costly than ransomware.

Here's what makes BEC different from phishing: the attacker doesn't need you to click a link every time. They compromise your account once (through credential stuffing, a phished password, or a stolen session token), then set up persistence mechanisms that let them monitor your email silently for weeks or months.

These persistence mechanisms live in your email settings:

  • Forwarding rules that silently copy every incoming email to an external address
  • Filters that auto-delete security notifications so you never see the alerts
  • Delegates with full read access to your mailbox that you never approved
  • OAuth apps granted during a "quick sign-in" that have permanent mailbox access
  • Inbox rules that redirect emails matching keywords like "invoice," "wire," or "payment"

None of these trigger your antivirus. None of them show up in your spam filter. None of them generate a security alert in Gmail or Outlook. They're configuration changes, not malware.

How the attack plays out

A typical BEC attack using forwarding rules follows this pattern:

  1. The attacker gains access to an employee's email account (often through a credential-stuffing attack using passwords leaked in a previous data breach).
  2. Within minutes, they create a forwarding rule that sends a copy of every incoming email to an address they control. In Gmail, this is a filter. In Microsoft 365, this is an inbox rule.
  3. They also create a second rule: any email from the organization's IT department or from Google/Microsoft security alerts gets automatically deleted or marked as read. This prevents the victim from seeing "new sign-in" notifications.
  4. The attacker then waits. They monitor the forwarded emails for days or weeks, learning the organization's communication patterns, billing cycles, and vendor relationships.
  5. When they spot a financial transaction in progress (a real estate closing, a vendor invoice, a wire transfer request), they strike. They send a spoofed email to the person handling the payment, requesting a change in banking details.
  6. The payment goes to the attacker's account. The forwarding rule is eventually discovered, but the money is gone.

The critical detail: step 2 takes less than 30 seconds. Steps 3 through 6 can take weeks. The forwarding rule is active the entire time, and nothing in the victim's security stack detects it.
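The three rule patterns above (external forwarding, suppression of sign-in notifications, keyword-based redirection) can be recognised directly from the rule objects, which is what an account audit does instead of scanning message content. The script below is an added example, not InboxWatch code. It normalises Gmail filters (in the shape returned by the Gmail API's users.settings.filters resources, with criteria and action) and Microsoft 365 inbox rules (property names modelled on Exchange Online's Get-InboxRule output, which is an assumption here) into one model and triages each one. The organisation domain, keyword list, alert-sender patterns and all sample rules are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed assumptions for this example: the organisation's own domains,
# the keywords an attacker's redirect rule typically targets, and sender
# patterns of the sign-in / security notifications a suppression rule hides.
ORG_DOMAINS = {"example.com"}
FINANCE_WORDS = ("invoice", "wire", "payment", "remittance", "bank")
ALERT_SENDERS = ("accounts.google.com", "microsoft.com", "it@example.com", "security@")


@dataclass
class Rule:
    source: str                                   # "gmail" or "m365"
    name: str
    targets: list = field(default_factory=list)   # forward/redirect recipients
    deletes: bool = False                         # matching mail is trashed/deleted
    hides: bool = False                           # marked read or moved out of the inbox
    criteria: str = ""                            # free-text view of the match conditions


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def from_gmail_filter(f: dict) -> Rule:
    """Normalise a Gmail users.settings.filters resource (criteria + action)."""
    action, crit = f.get("action", {}), f.get("criteria", {})
    added, removed = action.get("addLabelIds", []), action.get("removeLabelIds", [])
    return Rule(
        source="gmail", name=f.get("id", "?"),
        targets=[action["forward"]] if action.get("forward") else [],
        deletes="TRASH" in added,
        hides="INBOX" in removed or "UNREAD" in removed,
        criteria=" ".join(str(v) for v in crit.values()),
    )


def from_m365_rule(r: dict) -> Rule:
    """Normalise an inbox rule; property names follow Exchange Online's
    Get-InboxRule output (ForwardTo, RedirectTo, DeleteMessage, ...), assumed here."""
    targets = r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", [])
    conditions = ("FromAddressContainsWords", "SubjectContainsWords",
                  "BodyContainsWords", "SubjectOrBodyContainsWords")
    return Rule(
        source="m365", name=r.get("Name", "?"), targets=targets,
        deletes=bool(r.get("DeleteMessage")),
        hides=bool(r.get("MarkAsRead")) or bool(r.get("MoveToFolder")),
        criteria=" ".join(" ".join(r.get(k, [])) for k in conditions),
    )


def triage(rule: Rule) -> list:
    """Return (severity, description) findings for the persistence patterns above."""
    findings = []
    crit = rule.criteria.lower()
    for t in rule.targets:                          # silent copy to an outside address
        if is_external(t):
            findings.append(("high", f"forwards/redirects to external address {t}"))
    if (rule.deletes or rule.hides) and any(s in crit for s in ALERT_SENDERS):
        findings.append(("high", "suppresses security/sign-in notifications"))
    hits = [w for w in FINANCE_WORDS if w in crit]
    if hits and rule.targets:                       # keyword redirect of payment threads
        findings.append(("high", f"diverts mail matching financial keywords {hits}"))
    elif hits:
        findings.append(("medium", f"filters on financial keywords {hits}"))
    if rule.deletes and not findings:
        findings.append(("low", "auto-deletes matching mail"))
    return findings


# Constructed sample data: two malicious Gmail filters and one benign one,
# one malicious Microsoft 365 rule and one benign one.
SAMPLE_GMAIL_FILTERS = [
    {"id": "f-1", "criteria": {"to": "alice@example.com"},
     "action": {"forward": "archive@example.net"}},
    {"id": "f-2", "criteria": {"from": "no-reply@accounts.google.com"},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f-3", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
]
SAMPLE_M365_RULES = [
    {"Name": ".", "Enabled": True, "SubjectOrBodyContainsWords": ["invoice", "wire transfer"],
     "RedirectTo": ["ap-review@example.org"], "MarkAsRead": True},
    {"Name": "File alerts", "Enabled": True,
     "FromAddressContainsWords": ["alerts@example.com"], "MoveToFolder": "Alerts"},
]


def audit_samples() -> dict:
    """Triage every sample rule, keyed by source and rule name."""
    rules = [from_gmail_filter(f) for f in SAMPLE_GMAIL_FILTERS]
    rules += [from_m365_rule(r) for r in SAMPLE_M365_RULES]
    return {f"{r.source}:{r.name}": triage(r) for r in rules}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or "clean")
```

The benign filter that only skips the inbox for a newsletter and the rule that files internal alerts into a folder produce no findings; the external-forward filter, the filter that trashes Google sign-in notices, and the "." rule that redirects invoice and wire-transfer mail outside the organisation are each flagged high. Matching on substrings is deliberately coarse so a reviewer sees too much rather than too little.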

Why traditional security tools miss this

The tools most businesses rely on are designed to inspect content: email bodies, attachments, URLs, sender reputation. They're looking at what comes into your inbox.

Forwarding rules, delegates, and OAuth apps are configuration settings. They exist in your account's infrastructure, not in any specific email. They don't contain malicious code. They don't match virus signatures. They're invisible to content-based scanning.

This creates a gap:

Tool                       | What it checks                          | Catches forwarding rules?
Antivirus                  | Files, attachments, executables         | No
Spam filter                | Email content, sender reputation        | No
Phishing protection        | URLs, login pages                       | No
Firewall                   | Network traffic                         | No
SIEM                       | Log aggregation (if configured)         | Sometimes
Email configuration audit  | Settings, rules, delegates, OAuth apps  | Yes

The last row is what InboxWatch does. It's a different category of check, one that examines the plumbing of your email account rather than the water flowing through it.

What you should check right now

If you use Gmail:

  1. Go to Settings > Forwarding and POP/IMAP. Is forwarding enabled? Do you recognize the address?
  2. Go to Settings > Filters and Blocked Addresses. Review each filter. Does any forward to an address you don't recognize? Does any auto-delete emails?
  3. Go to Settings > Accounts > Grant access. Are there delegates you didn't add?

If you use Microsoft 365:

  1. Go to Settings > Mail > Rules. Review each rule. Does any forward or redirect to an external address?
  2. Go to Settings > Mail > Forwarding. Is auto-forwarding enabled?
  3. Check Settings > Mail > Shared mailboxes for unexpected access grants.

If you manage more than a few accounts, doing this manually for each one every week is not realistic. That's the problem InboxWatch solves: it runs 100 security checks across your Gmail and Microsoft 365 accounts automatically, every 30 minutes, and alerts you when something changes.
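The automated version of the manual checklist above is a periodic snapshot of each account's forwarding, filters, delegates and OAuth grants, compared against the previous one so that only changes raise an alert. The script below is an added example, not InboxWatch code; its snapshot layout, the stable item ids, and both sample snapshots (a baseline and one taken a scan interval later) are constructed for the example.

```python
import json

# The settings categories a mailbox snapshot records (assumed layout for this example).
WATCHED = ("forwarding", "filters", "delegates", "oauth_apps")


def fingerprint(item: dict) -> str:
    """Canonical, key-ordered JSON so reordering alone never looks like a change."""
    return json.dumps(item, sort_keys=True, separators=(",", ":"))


def index(items: list) -> dict:
    """Key each item by its id when it has one, otherwise by its fingerprint."""
    return {it.get("id") or fingerprint(it): fingerprint(it) for it in items}


def diff_snapshots(old: dict, new: dict) -> dict:
    """Report added, removed and modified items per category; empty dict = no drift."""
    changes = {}
    for cat in WATCHED:
        a, b = index(old.get(cat, [])), index(new.get(cat, []))
        added = sorted(k for k in b if k not in a)
        removed = sorted(k for k in a if k not in b)
        modified = sorted(k for k in a if k in b and a[k] != b[k])
        if added or removed or modified:
            changes[cat] = {"added": added, "removed": removed, "modified": modified}
    return changes


def alert_lines(changes: dict) -> list:
    """Turn drift into alert text: a new forwarding target, delegate or OAuth grant
    is alert-worthy on its own; filter changes are queued for review."""
    lines = []
    for cat, c in changes.items():
        level = "REVIEW" if cat == "filters" else "ALERT"
        for kind in ("added", "modified", "removed"):
            for key in c[kind]:
                lines.append(f"{level} {cat} {kind}: {key}")
    return lines


# Constructed sample snapshots: a clean baseline, then the same account after
# an external forward, an alert-suppressing filter and a mail-scoped OAuth grant appear.
BASELINE = {
    "forwarding": [],
    "filters": [{"id": "f-1", "criteria": {"from": "newsletter@example.com"},
                 "action": {"removeLabelIds": ["INBOX"]}}],
    "delegates": [{"email": "assistant@example.com"}],
    "oauth_apps": [{"client_id": "calendar-sync", "scopes": ["calendar.readonly"]}],
}
LATER = {
    "forwarding": [{"email": "archive@example.net", "verified": True}],
    "filters": [{"id": "f-1", "criteria": {"from": "newsletter@example.com"},
                 "action": {"removeLabelIds": ["INBOX"], "forward": "archive@example.net"}},
                {"id": "f-2", "criteria": {"from": "no-reply@accounts.google.com"},
                 "action": {"addLabelIds": ["TRASH"]}}],
    "delegates": [{"email": "assistant@example.com"}],
    "oauth_apps": [{"client_id": "calendar-sync", "scopes": ["calendar.readonly"]},
                   {"client_id": "mail-helper", "scopes": ["https://mail.google.com/"]}],
}


def run_sample() -> dict:
    """Diff the two constructed snapshots."""
    return diff_snapshots(BASELINE, LATER)


if __name__ == "__main__":
    for line in alert_lines(run_sample()):
        print(line)
```

The unchanged delegate produces nothing, the existing filter that gained a forward action shows up as modified rather than as a new item, and the forwarding address and the OAuth grant appear as additions. Persisting the canonical fingerprints rather than raw API responses is what keeps a scan every 30 minutes from alerting on cosmetic differences in field order.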

Check your accounts for free

InboxWatch scans for hidden forwarding rules, unauthorized delegates, suspicious OAuth apps, and more. Takes about 60 seconds. We only access metadata, never your email content.


15 free scans · No credit card · $0.10/scan after

Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.