When Emails Disappear It’s Not Accidental
Recently, we assisted a client who believed important emails were missing. They searched their Inbox, Deleted Items, and even Recoverable Items, but nothing appeared unusual. After deeper review, we discovered the emails were not deleted at all. They were being automatically moved to the Archive folder through a hidden mailbox rule the user did not create.
In this week’s Tech Tip Tuesday, we’re explaining how hidden email rules are used in account compromise, why attackers use this tactic, what warning signs to look for, and how businesses can protect themselves before financial or data damage occurs.
How This Tactic Works
When attackers gain access to an email account, they rarely make obvious changes. Locking someone out would immediately raise suspicion.
Instead, they quietly create inbox rules that automatically move or hide certain messages. Emails related to invoices, payroll, wire transfers, or security alerts may be redirected to Archive, Deleted Items, or forwarded to an external address.
The user continues working as normal, unaware that specific conversations are being concealed. Meanwhile, the attacker monitors communications or attempts to manipulate financial instructions.
This tactic is commonly used in Business Email Compromise schemes involving vendor fraud, payroll diversion, and invoice manipulation. In many cases, the hidden rule is the only early indicator of unauthorized access.
Why This Is So Concerning
Email is often the operational center of a business. It contains contracts, client records, payment instructions, and password reset links for other systems. If someone gains silent access to email and can also hide messages, they can significantly reduce the chance of being detected. By the time missing emails are noticed, damage may already have occurred. The absence of messages is often mistaken for a technical issue rather than a security issue.
What We Did to Secure the Account
Once the hidden rule was identified, we removed it and began a full review of the mailbox. We examined all visible and hidden rules, checked for unauthorized forwarding addresses, reviewed recent login activity, and confirmed no unfamiliar devices were connected. The account password was reset, and Multi-Factor Authentication was enforced. When this type of activity is discovered, it is critical to treat it as a potential compromise and investigate thoroughly.
How Businesses Can Reduce This Risk
The most effective protection is proactive visibility.
Mailbox rules should be reviewed on a routine basis, not only after a problem appears. Using Outlook Web or the Exchange Admin Center allows administrators to inspect rules more thoroughly than desktop applications alone.
Multi-Factor Authentication should be required for all accounts. Even if a password is exposed, MFA can prevent attackers from gaining access.
Legacy authentication methods such as POP, IMAP, and Basic Authentication should be disabled if not required, as they are frequent entry points for attackers.
Mailbox auditing should also be enabled to track rule creation, forwarding changes, and large deletion events. Alerts for suspicious logins, such as impossible travel activity, can provide early warning before financial loss occurs.
Finally, automatic forwarding to external email addresses should be tightly controlled and regularly reviewed.
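The routine rule review and external-forwarding check described above can be scripted. The following is an added example, not part of the original article: it triages inbox rules that have already been exported as dictionaries keyed by Get-InboxRule property names (an assumption about the export shape), with `example.com` as a placeholder internal domain and constructed sample rules.

```python
import re

# Assumption: rules are dicts keyed by Get-InboxRule property names, e.g. from
# an export of that cmdlet's output. INTERNAL_DOMAINS is a placeholder value.
INTERNAL_DOMAINS = {"example.com"}
HIDING_FOLDERS = {"archive", "deleted items"}  # folders named in the article
SENSITIVE_WORDS = ("invoice", "payroll", "wire", "security alert")
WORD_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def as_list(value):  # multi-valued fields may export as null, a string, or a list
    return [] if not value else [value] if isinstance(value, str) else list(value)

def external_recipients(rule):
    """Addresses in forward/redirect actions whose domain is not internal."""
    found = set()
    for key in FORWARD_KEYS:
        for entry in as_list(rule.get(key)):
            for m in ADDR_RE.finditer(entry):
                if m.group(1).lower() not in INTERNAL_DOMAINS:
                    found.add(m.group(0).lower())
    return sorted(found)

def triage_rule(rule):
    """Return the reasons a rule needs manual review (empty list = not flagged)."""
    reasons = []
    folder = (rule.get("MoveToFolder") or "").strip()
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {folder}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    external = external_recipients(rule)
    if external:
        reasons.append("forwards externally: " + ", ".join(external))
    words = [w.lower() for k in WORD_KEYS for w in as_list(rule.get(k))]
    hits = [s for s in SENSITIVE_WORDS if any(s in w for w in words)]
    if reasons and hits:  # keyword filters only matter when mail is hidden or sent out
        reasons.append("targets: " + ", ".join(hits))
    return reasons

def review(rules):
    return {r.get("Name", "<unnamed>"): why for r in rules if (why := triage_rule(r))}

SAMPLE_RULES = [  # constructed sample data, not from a real mailbox
    {"Name": "sync", "MoveToFolder": "Archive", "SubjectOrBodyContainsWords": ["Invoice", "wire transfer"]},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading"},
    {"Name": "copy", "Enabled": True, "ForwardTo": ['"ap" [SMTP:ap@example.net]']},
]
print(review(SAMPLE_RULES))
```

A flagged rule is a prompt for manual review, not proof of compromise; users do create legitimate archive and forwarding rules.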
The Bottom Line
If emails appear to be missing, it may not be a glitch. Hidden mailbox rules are a common tactic used to conceal fraud and maintain unauthorized access. Email security is not just about filtering spam. It requires visibility, layered protections, and periodic review.
If you would like a proactive review of your Microsoft 365 or email environment, we are here to help ensure your systems are configured correctly and protected before an incident occurs. Please feel free to contact us at 818-501-2281 for more information.






