Security · 8 min read

The Hidden Danger of Email Auto-Forwarding: How Hackers Abuse It and How to Check Your Rules

A forwarding rule silently set up by an attacker in your email account will copy every message you receive to an address you do not control — indefinitely, invisibly, and often long after a breach is otherwise resolved. Here is how to find and remove malicious forwarding rules.

By Achyuth Kumar · Founder, TempMailKit

Published · Last reviewed by the TempMailKit editorial team

Of all the ways a compromised email account can be abused, auto-forwarding is one of the most dangerous and least visible. When an attacker gains access to your inbox, one of the first things an experienced attacker does is set up a silent forwarding rule that copies every incoming message to an external address. After that, even if you recover the account, change the password, and believe everything is clean, the attacker is still reading every email you receive in near real time. Password reset codes, bank statements, two-factor authentication backup codes, confidential correspondence: all of it streams to an address the attacker controls, invisibly, until you find and delete the rule.

This guide explains why email forwarding is so powerful as an attack tool, how to find malicious forwarding rules in Gmail, Outlook, and other major clients, what business email compromise looks like, and the habits that prevent an attacker from setting up forwarding in the first place. This is a topic worth understanding even if you have never noticed anything suspicious, because the defining characteristic of a well-set-up forwarding rule is that you will not notice anything at all.

Why Forwarding Rules Are an Attacker's Favourite Persistence Mechanism

Persistence is the term security practitioners use for an attacker's ability to keep access to a system after the initial point of entry is closed. In email attacks, forwarding rules are the ideal persistence mechanism because they survive password changes and session revocation. Changing your password ends the attacker's ability to log in, but a forwarding rule they have already created keeps working whether or not they can authenticate: the rule lives in your account settings, not in their session, so resetting credentials does not remove it. Provider safeguards do not get in the way either. Gmail, for example, asks the new forwarding address to confirm a verification code before forwarding starts, but that code is delivered to the attacker's own mailbox, so it costs them nothing.

Forwarding rules are also invisible to casual inspection. Your inbox looks normal. Messages arrive as usual. Nothing in the experience of using your email tells you that a copy of every message is also going somewhere else. Unless you specifically navigate to your account's filter and forwarding settings and check them, the rule operates silently for as long as it exists. Attackers who know this take advantage of the fact that most users never look at their forwarding settings except when they deliberately set one up.

How Attackers Get Into Your Account to Set the Rule

The initial access that lets an attacker set a forwarding rule comes from several routes, all familiar from broader account security discussions. Credential stuffing, which means trying email and password combinations leaked in data breaches against other services, is one of the most common. If you have reused a password from a breached service on your email account, an attacker with that breach dump has a working combination. Phishing is another route: a convincing fake login page captures your credentials and the attacker uses them to log in, often within minutes of you entering them; the more capable phishing kits proxy the real login page and relay your one-time code as well, so they work against accounts with two-factor authentication switched on. Malware that reads keystrokes, browser-stored passwords, or the session cookies of a browser that is already signed in can also deliver access directly.

Once in, the attacker's goal before doing anything else is to establish persistence. Setting a forwarding rule takes seconds and leaves no visible trace in your inbox. Many attackers also set up filters to automatically hide or delete emails from the mail provider's own security team — notifications about new sign-ins from unusual locations, or alerts about new forwarding rules being configured — so that even the security warnings that should tip you off are silently removed. This is why checking forwarding rules is so important even when you think your account looks normal: the attacker may have already hidden the evidence of their presence. The basics of credential security that prevent initial access are in our guide to strong passwords and two-factor authentication explained.

Business Email Compromise: The Corporate Version

Business email compromise (BEC) is a category of attack where the goal is financial fraud via email, and forwarding rules are central to how it works. In a typical BEC scenario, an attacker gains access to a finance team employee's email account and sets a forwarding rule so they can monitor all incoming mail. They read the correspondence for weeks, understanding the company's payment processes, supplier relationships, invoice formats, and the language the legitimate employee uses. Then they either use the compromised account directly or create a convincing impersonation to contact the accounts payable team or a supplier with fraudulent payment instructions — typically a change to banking details for an upcoming invoice. Because the request looks entirely authentic (it comes from the right domain, uses the right names and language, and references real context from the actual emails), it often succeeds before anyone realises something is wrong.

BEC losses run into billions of dollars annually and the core enabling factor in many cases is an undetected forwarding rule that gave the attacker months of visibility into internal email. Organisations that actively monitor their email environments for new forwarding rules — through security information and event management (SIEM) systems or regular manual audits — catch these attacks far earlier. For individuals, the equivalent is the habit we describe below: periodically checking your own forwarding settings.

How to Find and Remove Malicious Forwarding Rules in Gmail

In Gmail, click the gear icon, then "See all settings", and open the "Forwarding and POP/IMAP" tab. Under "Forwarding", the page shows any forwarding address currently configured and whether forwarding is enabled. If you see an address you did not set up, click "Remove" next to it immediately. While you are on that tab, check that POP and IMAP access have not been enabled without your knowledge, since either lets a mail client elsewhere download your mail. Next, open the "Filters and Blocked Addresses" tab. Filters can forward as well as hide: a filter with a "Forward it to" action copies only the messages that match its criteria, so read the action column of every filter, not just the sender it matches on. Look for any filter you do not recognise, and in particular any that deletes, archives ("Skip the Inbox"), or marks as read messages from no-reply@accounts.google.com or other google.com addresses, because that is how the confirmation Google sends when a new forwarding address is added gets hidden. Finally, on the "Accounts and Import" tab, the "Grant access to your account" section lists delegates who can read your mail without any forwarding rule at all; remove any you do not recognise.

Gmail also shows where the account has been used. At the very bottom of the inbox is a "Last account activity" line with a "Details" link that lists recent sessions by access type, location and IP address, and offers a "Sign out all other web sessions" button. For the fuller picture, open "Manage your Google Account", then "Security", then "Recent security activity", which lists sign-ins from new devices and changes to security settings such as the password, recovery options and 2-Step Verification. Any sign-in you do not recognise is a signal that an attacker accessed the account, and a reason to re-check the forwarding and filter settings above even if they looked clean last time.
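The same checks can be run without clicking through the settings pages, which matters when you look after many accounts in a Google Workspace domain. The script below is an added example, not TempMailKit's code and not a Google tool: it audits the JSON that the Gmail API returns from users.settings.getAutoForwarding, users.settings.forwardingAddresses.list and users.settings.filters.list. The sample settings, the address archive.backup@example.net playing the attacker's mailbox, and the known_good allowlist parameter are all constructed for the example; fetching real settings needs an OAuth client with a Gmail settings scope, which the example leaves out.

```python
"""Audit Gmail forwarding and filter settings for attacker-style rules.

Added example (not TempMailKit's code). Input is the JSON returned by the
Gmail API calls users.settings.getAutoForwarding,
users.settings.forwardingAddresses.list and users.settings.filters.list.
SAMPLE_SETTINGS below is constructed to look like those responses.
"""
from typing import Iterable

# Google's security alerts, including "forwarding address added", come from
# accounts.google.com. A filter that trashes, archives or marks-read mail from
# there is the classic way an attacker hides them. Extend as needed.
ALERT_SENDER_DOMAINS = ("accounts.google.com", "google.com")

# Constructed sample in the shape of the three API responses.
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": True,
                       "emailAddress": "archive.backup@example.net",
                       "disposition": "leaveInInbox"},
    "forwardingAddresses": {"forwardingAddresses": [
        {"forwardingEmail": "archive.backup@example.net",
         "verificationStatus": "accepted"}]},
    "filters": {"filter": [
        # f1: hides Google's own security alerts
        {"id": "f1", "criteria": {"from": "no-reply@accounts.google.com"},
         "action": {"removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
        # f2: forwards only finance mail, so the main Forwarding page could look clean
        {"id": "f2", "criteria": {"query": "subject:(invoice OR payment)"},
         "action": {"forward": "archive.backup@example.net"}},
        # f3: an ordinary user filter that archives a newsletter; must not be flagged
        {"id": "f3", "criteria": {"from": "newsletter@shop.example"},
         "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_5"]}},
    ]},
}


def _matches_alert_sender(criteria: dict) -> bool:
    """True if the filter matches on one of Google's alert senders, whether the
    sender is in the 'from' field or buried in a raw search 'query'."""
    text = " ".join(criteria.get(k, "") for k in ("from", "query")).lower()
    return any(d in text for d in ALERT_SENDER_DOMAINS)


def _hides_mail(action: dict) -> bool:
    """Trashing, archiving (removing INBOX) and marking read (removing UNREAD)
    all stop a message from being noticed."""
    removed = set(action.get("removeLabelIds", []))
    return "TRASH" in action.get("addLabelIds", []) or bool(removed & {"INBOX", "UNREAD"})


def audit_gmail(settings: dict, known_good: Iterable[str] = ()) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs. known_good is an assumed allowlist of
    addresses the owner genuinely forwards to, so a legitimate setup audits clean."""
    ok = {a.lower() for a in known_good}
    findings = []
    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and auto.get("emailAddress", "").lower() not in ok:
        findings.append(("forwarding-enabled", auto.get("emailAddress", "")))
    for entry in settings.get("forwardingAddresses", {}).get("forwardingAddresses", []):
        if entry["forwardingEmail"].lower() not in ok:
            findings.append(("forwarding-address-registered", entry["forwardingEmail"]))
    for flt in settings.get("filters", {}).get("filter", []):
        action, criteria = flt.get("action", {}), flt.get("criteria", {})
        target = action.get("forward", "")
        if target and target.lower() not in ok:
            findings.append(("filter-forwards", f"{flt['id']} -> {target}"))
        if _hides_mail(action) and _matches_alert_sender(criteria):
            findings.append(("filter-hides-security-alerts", flt["id"]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_gmail(SAMPLE_SETTINGS):
        print(f"{kind:32} {detail}")
```

Run against the sample, the audit reports the enabled forwarding, the registered forwarding address, the filter that forwards invoices and the filter that trashes Google's alerts, and stays silent on the newsletter filter. Passing the owner's real forwarding address in known_good leaves only the alert-hiding filter, which is never legitimate.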

How to Check Forwarding in Outlook and Microsoft 365

In Outlook on the web (outlook.com or Microsoft 365 webmail), go to Settings (the gear icon), then "View all Outlook settings", then Mail → Forwarding. This page controls mailbox-level forwarding: it shows whether forwarding is enabled and to what address. If there is an unfamiliar forwarding address, disable forwarding and delete the address. Then check Settings → Mail → Rules, which is a separate mechanism: inbox rules can forward, redirect, move, or delete messages based on conditions, and an attacker will usually use a rule rather than the Forwarding page because it is less obvious. Pay particular attention to rules that forward or redirect to external addresses, that delete or file away messages from Microsoft's account-security senders, or that act on words such as "invoice" or "payment". In a Microsoft 365 organisation, administrators can check every mailbox with Exchange Online PowerShell: Get-InboxRule lists the rules on a mailbox, Get-Mailbox exposes the mailbox-level ForwardingSmtpAddress and ForwardingAddress properties that Get-InboxRule does not cover, and Search-UnifiedAuditLog returns the New-InboxRule, Set-InboxRule and Set-Mailbox events that record when, and from which IP address, a rule or forwarding address was created. The same information is reachable through the Exchange admin center and the Microsoft Defender portal.

Microsoft 365 administrators can also block external forwarding for the whole organisation through the outbound spam filter policy. Its "Automatic forwarding" setting has defaulted to "Automatic - System-controlled", which rejects auto-forwarded mail to external domains, since Microsoft changed the default in 2020, and Microsoft recommends setting it explicitly to Off. Be clear about what the policy does and does not do: an attacker with access to the mailbox can still create the rule, but the forwarded copies are rejected with a non-delivery report instead of leaving the organisation, and those rejections are themselves a useful signal to look for. Individual users of work accounts should check with their IT department whether this policy is in place.
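The SIEM monitoring mentioned in the business email compromise section and the administrator sweep described above both come down to the same triage over audit events. The script below is an added example, not TempMailKit's code and not a Microsoft tool: it reads newline-delimited AuditData JSON records of the kind Search-UnifiedAuditLog returns for the Exchange workload (or that a SIEM ingests from the same source) and flags external forwarding, rules that suppress security notifications, rules that delete matching mail, and the throwaway rule names attackers favour. The five records, the tenant domain contoso.com, the list of security-alert sender domains and the addresses involved are all constructed assumptions to adapt to your own tenant.

```python
"""Triage Microsoft 365 Unified Audit Log records for mailbox forwarding and
for inbox rules that hide mail.

Added example (not TempMailKit's code, not a Microsoft tool). Input is one
AuditData JSON record per line, as returned by Search-UnifiedAuditLog for
the Exchange workload. SAMPLE_LOG and the domain lists are constructed.
"""
import json
import re

# Assumption: the tenant's accepted domains; any other domain is "external".
INTERNAL_DOMAINS = {"contoso.com"}
# Assumption: senders whose mail an attacker typically suppresses (provider
# sign-in and forwarding alerts). Add your own helpdesk and SOC addresses.
SECURITY_SENDER_DOMAINS = ("microsoft.com", "accountprotection.microsoft.com")
# Every parameter through which a rule or mailbox can send mail elsewhere.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample. alice's two rules are the attacker pattern from the
# article (forward finance mail out and delete it, then suppress Microsoft's
# alerts); bob's mailbox-level forwarding was set on the OWA Forwarding page;
# carol's rule is an ordinary user rule and must not be flagged.
SAMPLE_LOG = r"""
{"CreationTime":"2024-05-02T08:14:11","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@contoso.com","ClientIP":"203.0.113.45"}
{"CreationTime":"2024-05-02T08:15:40","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@contoso.com","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardAsAttachmentTo","Value":"Alice [SMTP:alice.mail.backup@gmail.example]"},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire"}]}
{"CreationTime":"2024-05-02T08:16:02","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@contoso.com","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"Security"},{"Name":"From","Value":"no-reply@microsoft.com"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-02T09:00:00","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"bob@contoso.com","ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"bob@contoso.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.finance@outlook.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-05-02T10:30:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"carol@contoso.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"HR mail"},{"Name":"From","Value":"hr@contoso.com"},{"Name":"MoveToFolder","Value":"HR"}]}
"""


def _params(record: dict) -> dict:
    """Flatten the record's Parameters list of {Name, Value} into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external(value: str) -> list[str]:
    """Every address in a parameter value whose domain is not ours. Values
    arrive in several shapes: 'x@y', 'smtp:x@y', 'Display Name [SMTP:x@y]'."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def _is_security_sender(address: str) -> bool:
    domain = address.lower().rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in SECURITY_SENDER_DOMAINS)


def triage_record(record: dict) -> list[dict]:
    """Findings for one audit record; empty for anything not forwarding-related."""
    op = record.get("Operation", "")
    if record.get("Workload") != "Exchange" or op not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        return []
    p = _params(record)
    mailbox = p.get("Identity") or record.get("UserId", "")
    base = {"time": record.get("CreationTime"), "mailbox": mailbox,
            "ip": record.get("ClientIP"), "operation": op}
    found = []
    for name in FORWARD_PARAMS:
        ext = _external(p.get(name, ""))
        if ext:
            kind = "mailbox-forwarding" if op == "Set-Mailbox" else "external-forwarding-rule"
            found.append({**base, "kind": kind, "detail": f"{name} -> {', '.join(ext)}"})
    if op == "Set-Mailbox":
        return found
    deletes = p.get("DeleteMessage", "").lower() == "true"
    hides = deletes or "MoveToFolder" in p
    if hides and _is_security_sender(p.get("From", "")):
        found.append({**base, "kind": "hides-security-notifications", "detail": f"From={p['From']}"})
    elif deletes:
        words = p.get("SubjectOrBodyContainsWords") or p.get("SubjectContainsWords") or "all matching mail"
        found.append({**base, "kind": "deletes-matching-mail", "detail": words})
    # Attackers often name rules ".", "," or similar so they are overlooked in the list.
    name = p.get("Name", "")
    if name and not name.strip(" .,;:-_"):
        found.append({**base, "kind": "throwaway-rule-name", "detail": repr(name)})
    return found


def triage_log(text: str) -> list[dict]:
    """Run triage over newline-delimited AuditData JSON, skipping blank lines."""
    return [f for line in text.splitlines() if line.strip()
            for f in triage_record(json.loads(line))]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['time']}  {f['mailbox']:20} {f['kind']:28} {f['detail']}")
```

On the sample, alice's first rule produces three findings (external forward, delete of matching mail, throwaway name), her second is flagged for suppressing Microsoft's alerts, bob's mailbox-level forwarding is caught even though no inbox rule exists, and carol's internal filing rule produces nothing. The sign-in record is ignored here, but in a SIEM the ClientIP carried on every finding is what lets you join a rule creation to the sign-in that preceded it.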

What to Do If You Find an Unauthorised Forwarding Rule

Delete the rule immediately. Then change your password to a new, strong, unique one, and sign out of every other session so that a browser the attacker is still logged in on loses access (Gmail: the "Sign out all other web sessions" button behind the "Last account activity" link; Microsoft: the "Sign out everywhere" option in your account's security settings). Enable two-factor authentication if it is not already active. Check your account's recent login history for sign-ins you do not recognise, and note the dates, times, and IP addresses or locations of any you did not make. Review your sent folder for messages you did not send. Check whether the attacker changed your recovery email or phone number, or granted a third-party app or a delegate access to your mailbox, and restore or revoke as needed. Finally, consider what sensitive information arrived in your inbox while the forwarding rule was active, treat it as exposed, and act on the accounts or relationships those emails concerned: reset any passwords that were mailed to you, and warn counterparties whose invoices or contracts were in scope.

If you use your email address for work, report the incident to your IT or security team. If you believe fraud was committed using information from the forwarded emails, report it to relevant authorities and to the affected financial institutions. The forwarding rule removal is the beginning of the response, not the end. We cover the broader account recovery process in what to do after a data breach.

Prevention: Making Forwarding Rules Impossible to Set Silently

Two-factor authentication is the most important prevention measure because it blocks the most common forms of initial access: without the ability to log in, there is no ability to configure anything. It is not absolute. Phishing kits that relay your one-time code to the real site while you type it, and theft of a session cookie from a device where you are already signed in, both get past it, which is why the periodic check described below still matters with 2FA on. With 2FA active and a strong, unique password, though, the scenarios in which an attacker reaches your account settings are dramatically narrowed. Keep a strong, unique password on your email account, never one reused from another service, and prioritise 2FA on your email account above all others, since your email is the recovery route for almost everything else you own online.

Make it a habit to review your forwarding and filter settings once every few months, the same way you review connected apps or authorised devices. It takes less than a minute. Providers also notify you of changes to your forwarding configuration: Gmail sends an email to your account when a new forwarding address is added, but that notification is only useful if you actually see it rather than having it filtered away by a rule the attacker also set. Keeping a recovery email address that is separate from the account being monitored, and actually reading it, gives you a copy of the security alert that no filter inside the compromised account can hide.

The Short Version

Email auto-forwarding rules set by an attacker are one of the stealthiest and most effective persistence mechanisms in account compromise: they survive password changes, operate invisibly, and continue copying everything you receive until you specifically find and delete them. Attackers set them within seconds of gaining initial access, often alongside filters that hide the security notification your provider sends. The correct response to a suspected compromise is to immediately check forwarding settings (not just change the password), look for any unrecognised rules and delete them, review recent sign-in history, and enable two-factor authentication if not already active. Preventing initial access through strong unique passwords and 2FA is the most effective long-term measure, supplemented by a periodic habit of reviewing forwarding and filter settings even when you think everything is fine.

Frequently Asked Questions

How do I know if someone has set a forwarding rule on my email?

Navigate directly to your email settings and check the forwarding section: in Gmail, Settings → "Forwarding and POP/IMAP"; in Outlook on the web, Settings → Mail → Forwarding. Any address you did not personally configure is suspicious and should be removed immediately. Also check your inbox rules or filters for any that automatically delete, mark as read, or forward messages you might not otherwise notice; filters and rules can carry a forward action of their own, so read each one's action, not only the sender it matches. Most providers also send a notification email when a new forwarding address is added, so check whether any such notification arrived and was then automatically filtered away.

Does changing my password remove a forwarding rule?

No. Forwarding rules live in your account settings, not in the attacker's session. Changing your password ends the attacker's ability to log in, but does not affect any rules or filters that were already configured during their access. After any account compromise, you must explicitly navigate to the forwarding and rules settings and delete anything you did not set up, in addition to changing the password and enabling two-factor authentication.

Can two-factor authentication prevent this?

Largely, yes, if it is in place before the attack begins. Two-factor authentication stops an attacker who has only your password from logging in, and therefore from reaching the settings page where forwarding is configured. It is the most effective preventive measure. It is not airtight: phishing pages that proxy the real login and relay your one-time code, and theft of a session cookie from a device where you are already signed in, both get past it, which is one more reason to keep checking the forwarding settings. If an attacker accessed your account before you enabled 2FA, enabling it afterwards does not undo any forwarding rules that were already set, but it does block future logins. That is why the response to a discovered compromise must include both enabling 2FA and explicitly checking and cleaning the forwarding settings.

Is email forwarding to external addresses allowed by mail providers?

Gmail, Outlook, and most consumer mail providers let users forward to external addresses; it is a legitimate feature, which is exactly why an attacker's use of it does not look like an error. Many corporate Microsoft 365 deployments block external auto-forwarding through the outbound spam filter policy, and Microsoft's default has done so since 2020. Note what the policy does: it does not stop an attacker who is inside the mailbox from creating the rule, it stops the forwarded copies from leaving, which are rejected with a non-delivery report. The rule should still be found and removed, and the attempt treated as a sign of compromise. If you use a work email account on Microsoft 365, ask your IT team whether this protection is in place.

Achyuth Kumar

Founder & editor, TempMailKit

Achyuth builds privacy tools and writes TempMailKit’s guides on email security, spam, and online privacy. Every article is checked against primary sources and our editorial policy before it is published. Questions or a correction? Get in touch.
