
Inbox Rules: The Email Attack Most SMBs Don’t See Until the Money Is Gone
I work with small and mid-sized businesses every week.
And when email fraud happens, the question I hear most is:
“How did we not see this coming?” (NIST, n.d.)
The honest answer? Because the attacker didn’t break anything.
They hid it.
One of the most common and costly email attacks I see today uses something that is already in every mailbox:
Inbox rules.
Why This Attack Works So Well in SMBs
Inbox rules are normal.
They’re trusted.
They don’t trigger alarms.
That makes them perfect for attackers.
Once someone gets access to a mailbox, even for a short time, they can create rules that:
- Hide security alerts
- Delete invoice emails
- Forward conversations to an external address
- Mark messages as “read” so no one gets suspicious
The inbox looks clean. The business is already compromised.
What This Looks Like in the Real World
Here’s a real pattern we see in SMB environments:
- A user clicks a phishing email or approves an MFA prompt.
- The attacker logs in once.
- Inbox rules are created.
- The attacker disappears.
Days or weeks later:
- A fake invoice is paid
- A vendor’s banking info is changed (Annual Cyber Threat Update 2024, n.d.)
- Payroll details are redirected
By the time IT is called, the damage is already done.
Why Password Resets Don’t Fix This
This is the part that surprises most business owners.
Resetting the password does not remove inbox rules.
I’ve seen:
- Passwords changed
- MFA enabled
- Accounts “secured”
All the while, the attacker’s inbox rules stayed active.
If inbox rules aren’t reviewed, the breach isn’t over.
Why Security Tools Often Miss This
Even companies that have:
- MFA
- Email filtering
- Security awareness training
still get hit.
Why?
Because inbox rules look like normal user behavior.
They’re rarely audited.
And in many environments, no one is watching for them.
Security tools focus on stopping attacks at the door.
Attackers use inbox rules once they are inside.
The Business Impact We Actually See
Inbox rule abuse leads directly to:
- Wire fraud
- Vendor payment scams
- Stolen sensitive emails
- Long-term financial exposure
- Loss of trust with customers and partners
This is not just a theoretical risk.
This is real money being stolen from real businesses. (ZipDo Education, 2025)
What We Recommend as MSPs
If you want to reduce real-world email fraud risk, these are non-negotiable:
1. Inbox Rule Reviews
Review inbox rules regularly, especially for:
- Executives
- Finance teams
- Shared mailboxes
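What a scheduled inbox rule review looks like in practice, as an added example (this is not the author's own script). It assumes a Microsoft 365 tenant managed through the ExchangeOnlineManagement module, and it flags exactly the four behaviours listed earlier on this page: forwarding to an external address, deleting messages, marking them as read, and moving them into a folder nobody looks at. The list of "hiding" folders and the unreadable-name heuristic are my own choices, not anything the page prescribes.

```powershell
# Added example: review every inbox rule in the tenant and report the ones an
# attacker would typically create. Assumes Exchange Online PowerShell.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains this tenant owns; anything else counts as external.
$internalDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLowerInvariant() })

# Folders that hidden mail is commonly routed into (assumed list; extend for your tenant).
$hidingFolders = @('Deleted Items', 'Junk Email', 'RSS Feeds', 'Archive', 'Conversation History')

function Get-AddressesFromRule {
    param([object[]]$Targets)
    # ForwardTo / RedirectTo entries look like '"Name" [SMTP:user@example.com]';
    # pull out the bare SMTP addresses.
    $addresses = @()
    foreach ($t in $Targets) {
        if ($null -eq $t) { continue }
        foreach ($m in [regex]::Matches([string]$t, '[^\s\["<>:]+@[^\s\]"<>]+')) {
            $addresses += $m.Value.ToLowerInvariant()
        }
    }
    return $addresses
}

function Test-ExternalAddress {
    param([string]$Address)
    $domain = $Address.Split('@')[-1]
    return -not ($internalDomains -contains $domain)
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $reasons  = @()
        $targets  = Get-AddressesFromRule -Targets (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
        $external = @($targets | Where-Object { Test-ExternalAddress $_ })
        if ($external.Count -gt 0) { $reasons += "forwards to external: $($external -join ', ')" }
        if ($rule.DeleteMessage)   { $reasons += 'deletes messages' }
        if ($rule.MarkAsRead)      { $reasons += 'marks as read' }
        if ($rule.MoveToFolder) {
            # MoveToFolder is stored as 'Mailbox:\Folder'; keep only the folder name.
            $folder = ($rule.MoveToFolder -split '[:\\]')[-1]
            if ($hidingFolders -contains $folder) { $reasons += "moves to '$folder'" }
        }
        # Rule names made only of dots, spaces or punctuation are a classic tell (heuristic).
        if ($rule.Name -notmatch '[\p{L}\d]') { $reasons += 'unreadable rule name' }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path ".\inbox-rule-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from a scheduled task or an RMM script and keep the CSVs: a rule that appears in this week's report but not last week's is the thing to chase. Executive, finance and shared mailboxes should be reviewed first, since those are the ones whose rules turn into wire fraud.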
2. External Forwarding Controls
External email forwarding should be:
- Disabled by default
- Approved when required
- Logged and reviewed regularly
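The three bullets above as one Exchange Online script, added here as an example rather than taken from the page. It assumes Microsoft 365 with the ExchangeOnlineManagement module; the 30-day lookback and the audit-log keyword filter are my own choices.

```powershell
# Added example: external forwarding disabled by default, approved by exception,
# and logged for review. Assumes Exchange Online PowerShell.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLowerInvariant() })

# 1. Disabled by default. Both controls matter: the outbound spam policy governs
#    user-created forwarding (rules and mailbox forwarding), the remote domain
#    setting governs auto-forward to that domain.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Approved when required: list every mailbox that still forwards externally
#    so each one can be signed off or removed.
function Get-ExternalForwardingMailboxes {
    $report    = @()
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
    foreach ($mbx in $mailboxes) {
        $target = $null
        if ($mbx.ForwardingSmtpAddress) {
            # Stored as 'smtp:user@example.com'; strip the prefix.
            $target = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '').ToLowerInvariant()
        } elseif ($mbx.ForwardingAddress) {
            # ForwardingAddress points at a directory object (contact, user, group); resolve it.
            $recipient = Get-Recipient -Identity $mbx.ForwardingAddress -ErrorAction SilentlyContinue
            if ($recipient) { $target = $recipient.PrimarySmtpAddress.ToString().ToLowerInvariant() }
        }
        if ($target -and -not ($internalDomains -contains $target.Split('@')[-1])) {
            $report += [pscustomobject]@{
                Mailbox    = $mbx.PrimarySmtpAddress
                ForwardsTo = $target
                KeepsCopy  = $mbx.DeliverToMailboxAndForward
            }
        }
    }
    return $report
}

$forwarding = Get-ExternalForwardingMailboxes
$forwarding | Format-Table -AutoSize

# 3. Logged and reviewed regularly: pull the last 30 days of forwarding-related
#    changes from the unified audit log so the review has a paper trail.
#    The keyword match on AuditData is a coarse filter (assumption), not an exact one.
$since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations 'Set-Mailbox','New-InboxRule','Set-InboxRule' |
    Where-Object { $_.AuditData -match 'Forward|Redirect' } |
    Select-Object CreationDate, UserIds, Operations |
    Export-Csv -Path ".\forwarding-changes-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

With forwarding off at the policy level, a rule that forwards externally is created but the message is not delivered, and the attempt shows up in the audit log, which is exactly the signal the review is for.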
3. Post-Incident Cleanup Done Properly
When an account is compromised:
- Reset passwords
- Revoke sessions
- Review and remove inbox rules
- Check mailbox-level forwarding settings (these are separate from inbox rules)
Skipping this step leaves the door open.
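The cleanup steps above as one script, added here as an example and not the author's own runbook. It assumes Microsoft 365 with the ExchangeOnlineManagement and Microsoft.Graph modules; `$User` is a placeholder for the compromised account. The password reset (step 1) is done in the Entra admin center or by the helpdesk and is left out; steps 2 to 4 are below, with evidence captured before anything is removed.

```powershell
# Added example: post-incident cleanup for one compromised mailbox.
# Usage: .\Invoke-MailboxCleanup.ps1 -User someone@example.com  (script name is a placeholder)
param([Parameter(Mandatory)][string]$User)

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users.Actions
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.RevokeSessions.All' -NoWelcome

# Evidence folder per incident so nothing is deleted before it is recorded.
$evidence = ".\ir-$($User -replace '[^\w.@-]', '_')-$(Get-Date -Format yyyyMMddHHmm)"
New-Item -ItemType Directory -Path $evidence -Force | Out-Null

# Step 2: revoke sessions so tokens issued before the reset stop working.
Revoke-MgUserSignInSession -UserId $User | Out-Null

# Step 3: record every inbox rule, including ones hidden from Outlook, then remove them.
#         The rule text is evidence of what the attacker was after.
$rules = @(Get-InboxRule -Mailbox $User -IncludeHidden)
$rules | Export-Clixml -Path "$evidence\inbox-rules.xml"
$rules | Format-List Name, Enabled, Priority, Description, ForwardTo, RedirectTo, DeleteMessage, MarkAsRead, MoveToFolder |
    Out-File -FilePath "$evidence\inbox-rules.txt"
$rules | Remove-InboxRule -Confirm:$false -ErrorAction Continue

# Step 4: mailbox-level forwarding is a separate setting; record it, then clear it.
$mbx = Get-Mailbox -Identity $User
[pscustomobject]@{
    ForwardingSmtpAddress      = $mbx.ForwardingSmtpAddress
    ForwardingAddress          = $mbx.ForwardingAddress
    DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
} | Export-Csv -Path "$evidence\mailbox-forwarding.csv" -NoTypeInformation
Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# Pull the audit trail of who created the rules and when, so the initial access
# is traced rather than guessed (90-day window is an assumption).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -UserIds $User `
    -Operations 'New-InboxRule','Set-InboxRule','Set-Mailbox','UserLoggedIn' -ResultSize 5000 |
    Select-Object CreationDate, Operations, AuditData |
    Export-Csv -Path "$evidence\audit-trail.csv" -NoTypeInformation

Write-Host "Cleanup complete for $User. Evidence saved under $evidence"
```

The order matters: export first, remove second. Once the rules are gone, the only record of which invoices were being intercepted is the copy you saved.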
Final Thought from an MSP Owner
Most email attacks don’t succeed because businesses ignore security.
They succeed because attackers use features no one is watching.
Inbox rules don’t look dangerous.
Until they are.
If your security strategy does not include monitoring mailbox rules, you are leaving your finances up to chance.
And luck is not a security control.
Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.
References
NIST. (n.d.). Small Business Cybersecurity Case Study Series. https://www.nist.gov/system/files/documents/2020/09/30/Cybersecurity-Case-5.pdf
Annual Cyber Threat Update 2024. (n.d.). https://csc.gov.im/media/uopmvruo/threat-update-year-2024-final.pdf
ZipDo Education. (2025). Business Email Compromise Statistics: ZipDo Education Reports 2025. https://zipdo.co/business-email-compromise-statistics/