If your email account ever shows a suspicious login, an unexpected password reset, or messages being marked as read when you did not open them, there is one quiet setting worth checking straight away: forwarding rules.
Attackers do not always want to make noise. Sometimes they create a rule that silently forwards copies of selected emails to another mailbox. That can include invoices, password reset messages, replies from clients, or internal approvals. Microsoft documents suspicious inbox forwarding rules as a real sign of mailbox abuse, and CISA's email security guidance is a good reminder that email remains one of the easiest ways for attackers to gain business visibility.
What forwarding rules do
Rules can be useful. They can move messages into folders, flag important senders, or send mail to another approved address. The problem is that the same feature can be abused if someone gets into your account.
A bad rule may forward all incoming mail, or only the messages a criminal cares about. That makes it hard to spot, especially in a busy office.
A five-minute check for staff
- Open your mailbox settings and review any forwarding addresses or inbox rules.
- Remove anything you do not recognise, especially rules that forward, redirect, delete, or hide messages.
- Change your password immediately if anything looks wrong.
- Make sure multi-factor authentication is turned on and that the registered phone or app still belongs to you.
- Tell your IT provider or internal IT contact so they can review recent sign-ins and related security activity.
What managers should ask for
If your business uses Microsoft 365 or another hosted email platform, ask for a quick check on three things after any suspicious email event:
- unexpected forwarding rules or mailbox delegates
- recent sign-ins from unusual locations, devices, or times
- whether any sensitive messages may already have been forwarded out
This is not about panic. It is about closing one of the quieter gaps attackers use to stay informed after a mailbox is compromised.
For small and medium-sized businesses in Trinidad and Tobago, this matters because email is where payments, approvals, customer communication, and password resets all meet. A quick rule check can stop a compromise from becoming a much bigger business problem.