How can mailbox rules be abused for ransomware persistence?
After compromising an account, attackers create mailbox rules that forward email to attacker-controlled addresses, hide specific messages from the victim's view, or automatically delete security notifications. Such rules provide both persistent access and cover.
Ransomware relevance: rules can intercept recovery communications, hide password reset confirmations, or maintain access even after password changes. Persistence enables longer exploitation before detection.
Remediation: when recovering from compromise, audit and remove all mailbox rules. Check for: forwarding rules to unknown addresses, rules deleting specific messages, and rules moving messages to unexpected folders. Rules often survive password resets.
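As an added example (not part of this answer), the following Python triage applies the three checks above to an exported list of mailbox rules. The rule fields, the trusted domain, the folder list and the keyword list are assumptions, modelled loosely on the properties Exchange Online's Get-InboxRule returns:

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Domains the organisation owns (assumption); any other domain is an unknown address.
TRUSTED_DOMAINS = {"example.com"}
# Folders a victim rarely opens, so moved messages stay out of view (assumed list).
UNEXPECTED_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}
# Subject words whose deletion would suppress security and recovery mail (assumed list).
SENSITIVE_WORDS = {"password", "reset", "security", "alert", "suspicious", "sign-in", "mfa", "backup", "ransom"}

@dataclass  # field names loosely mirror Get-InboxRule properties (assumption)
class InboxRule:
    name: str
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str | None = None
    subject_contains: list[str] = field(default_factory=list)

def _external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS

def triage(rule: InboxRule) -> list[str]:
    """Return findings for one rule using the three checks; an empty list means clean."""
    findings = []
    for addr in rule.forward_to + rule.redirect_to:          # 1. forwarding to unknown addresses
        if _external(addr):
            findings.append(f"forwards to unknown address {addr}")
    hits = {w.lower() for w in rule.subject_contains} & SENSITIVE_WORDS
    if rule.delete_message and hits:                         # 2. deleting specific messages
        findings.append("deletes messages matching " + ", ".join(sorted(hits)))
    if rule.move_to_folder and rule.move_to_folder.lower() in UNEXPECTED_FOLDERS:  # 3. unexpected folder
        findings.append(f"moves messages to {rule.move_to_folder}")
    return findings

def audit(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map each flagged rule name to its findings; clean rules are omitted."""
    return {r.name: f for r in rules if (f := triage(r))}

# Constructed sample export: one benign rule and three matching the checklist.
SAMPLE_RULES = [
    InboxRule("Team newsletter", move_to_folder="Newsletters"),
    InboxRule("Sync", forward_to=["mail-drop@attacker.example"]),
    InboxRule("Cleanup", delete_message=True, subject_contains=["password", "reset"]),
    InboxRule("Archive old", move_to_folder="RSS Feeds", subject_contains=["backup"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(findings)}")
```

Run it against a real export after a compromise and review every flagged rule by hand before deleting it, since legitimate forwarding to a partner domain will also appear until that domain is added to the trusted set.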