A recent espionage campaign targeting North American research institutions demonstrated a technique that sits uneasily between endpoint compromise and network exfiltration: the abuse of email platform rules to copy messages to attacker-controlled accounts. The method is neither novel nor particularly sophisticated, yet it exposed a meaningful gap in how many organisations monitor their email infrastructure once an initial breach has occurred.

The Attack Chain: Credential Theft to Rules Abuse

The campaign began conventionally enough. Attackers compromised REDCap research servers—a widely used platform for managing clinical data—and extracted credentials from those systems. REDCap instances often sit in trusted network zones and connect to institutional email directories, making them an effective pivot point into higher-value targets.

Once inside a victim's Google Workspace environment, the threat actors took an approach that required minimal sophistication: they created email forwarding rules at the organisational level. Rather than downloading archives or exfiltrating via VPNs, they simply configured Gmail to automatically copy inbound and outbound messages to external email addresses under attacker control. The rules were set to run silently, leaving no obvious trace in a user's inbox.

This persistence mechanism worked because it operated at the API level, using credentials the attackers had already obtained. Detection required looking not at traffic patterns or firewall logs, but at the email platform's own administrative audit trails—a resource that many organisations audit inconsistently.

Why Rules-Based Exfiltration Succeeds

Email forwarding and filtering rules exist for legitimate purposes: auto-sorting, delegation, compliance workflows. When used by authorised users, they are invisible to network monitoring. They bypass data loss prevention (DLP) systems that inspect email traffic, because the email platform itself performs the forwarding server-side—no external transfer occurs from the organisation's perspective.

The attackers maintained access for over a year without triggering alarms. During that time, they collected research data, defence communications, and institutional correspondence. The dwell time suggests that even after initial compromise, the organisation's incident response procedures did not include comprehensive review of email rule configurations across all accounts.

From an infrastructure perspective, this reveals a troubling assumption: that email security is primarily about perimeter defence—filtering, authentication, encryption in transit. It underestimates the risk posed by post-compromise persistence at the application layer.

Detection and Mitigation Gaps

Most email platforms log rule creation and modification, but these logs are often not integrated into centralised security information and event management (SIEM) systems. Even organisations with strong access controls may not query email platform audit logs as part of routine threat hunting. Google Workspace, Microsoft 365, and similar platforms generate vast amounts of administrative activity data, yet many operators treat this as a compliance record rather than a security signal.

To detect rules-based exfiltration, organisations need to:

The incident also underscores a broader lesson: once an attacker has valid credentials, they can operate almost invisibly if they use the organisation's own tools. Email rules, scheduled tasks, PowerShell commands, and API calls all leave logs, but those logs are often siloed in application-specific systems rather than aggregated for security analysis.

Implications for Infrastructure and Hosting Operators

For organisations managing their own email infrastructure or relying on hosted email services, the takeaway is clear: assume compromise will eventually occur, and design detective controls around application-layer persistence, not just network perimeter security.

If your infrastructure includes email systems—whether hosted or on-premises—consolidate audit logs from those systems into a centralised monitoring platform. Treat email rule configuration changes with the same scrutiny you would apply to firewall rules or access control lists. Define baseline rules for each user or organisational unit, and alert on any deviations.
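The detection logic the preceding sections call for, as an added example that is not part of the original article: it runs a baseline-deviation rule over a consolidated audit export and flags forwarding paths that leave the organisation's domains. The event shape, the domains and the sample log lines are constructed for illustration and are not Google Workspace's or Microsoft 365's real schema.

```python
import json
# Constructed assumptions (not a real platform schema): owned domains, per-user
# approved destinations (the article's baseline) and forwarding-creating actions.
INTERNAL_DOMAINS = {"research.example", "mail.research.example"}
BASELINE = {"pi@research.example": {"assistant@research.example"}}
FORWARDING_ACTIONS = {"forwarding_enabled", "filter_created"}

# Constructed sample audit export, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:01:00Z", "actor": "pi@research.example", "action": "forwarding_enabled", "destination": "assistant@research.example", "scope": "user"}
{"ts": "2024-05-01T08:02:00Z", "actor": "pi@research.example", "action": "filter_created", "destination": "collect@mailbox-example.net", "scope": "user"}
{"ts": "2024-05-01T08:03:00Z", "actor": "admin@research.example", "action": "forwarding_enabled", "destination": "Archive@Mailbox-Example.NET", "scope": "org"}
{"ts": "2024-05-01T08:04:00Z", "actor": "lab@research.example", "action": "password_changed"}
not json at all
"""

def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def classify(event: dict):
    """Finding dict for a forwarding change that deviates from the baseline;
    None for non-forwarding events and for approved destinations."""
    if event.get("action") not in FORWARDING_ACTIONS or not event.get("destination"):
        return None
    actor, dest = event.get("actor", ""), event["destination"].lower()
    if dest in BASELINE.get(actor, set()):
        return None                       # approved delegation, no alert
    external = domain_of(dest) not in INTERNAL_DOMAINS
    if external and event.get("scope") == "org":
        severity, reason = "critical", "org-wide forwarding to external domain"
    elif external:
        severity, reason = "high", "mailbox forwarding to external domain"
    else:
        severity, reason = "medium", "internal destination not in baseline"
    return {"ts": event.get("ts"), "actor": actor, "destination": dest,
            "severity": severity, "reason": reason}

def hunt(log_text: str) -> list:
    """Run classify() over a JSON-lines export, skipping blank/malformed lines."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            continue                      # log noise must not stop the hunt
        finding = classify(event) if isinstance(event, dict) else None
        if finding:
            findings.append(finding)
    return findings
```

Feeding `hunt(SAMPLE_LOG)` the constructed export yields two findings: the user-level filter to an outside mailbox and the org-wide forward, while the approved delegation and the non-forwarding event stay silent.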

The threat is not new, but it remains effective precisely because it is simple and because many organisations have not yet integrated email platform monitoring into their standard security operations. Addressing that gap requires neither expensive tools nor architectural changes—only the operational discipline to monitor what is already being logged.