Check Your Email Rules for Maliciousness
by: Roger Grimes | KnowBe4, Inc.

"Email rules have been used maliciously for decades. Learn about email rules and what you need to do to defend your organization against their malicious misuse. Attackers have always been adept at using legitimate automation tools and features against us. The time-worn programmer’s credo, “Why do something manually when you can automate it?” apparently applies to malware writers as well. Automating maliciousness makes it more effective in terms of both success and lower cost, and it makes the attacker far less likely to be caught.


For decades, phishers and other attackers have used email automation functionality, such as rules, scripts, add-ons, templates, and configuration settings, against their victims. Microsoft Outlook, arguably the most popular and feature-rich email client out there, has long been abused, but Gmail, Mozilla Thunderbird, and other email clients have also been targeted by the bad guys, but to a far lesser extent. Most of the popular email clients offer rules. In Outlook and many other email clients, they are called rules. In Gmail, they are known as filters and have less functionality, but Gmail also has templates and add-ons that can be every bit as feature-rich as Outlook rules. Mozilla Thunderbird has add-ons, extensions, and templates. Apple Mail has rules that can be tied to AppleScripts. In general, if there is a popular email client, there is a way to add automated personalized email handling, and there are hackers willing to abuse it.


Depending on the email client and server, these automation features can be enabled locally, follow the email client, or be applied on the server or in the cloud. Where the automation is enabled is important, especially when trying to look for that automation, and when determining which steps users can take to prevent, detect, and eradicate malicious actions. There are even ways to “hide” rules to make it harder for defenders to detect maliciousness. Many email items, like rules, “travel” with the email client, meaning that even if you change your passwords or get a new device, any malicious modifications may still be there. Over the years I’ve often gotten calls from people who know they have been exploited by a hacker who has taken over their email account. And they change their passwords, scan their systems, and even have gotten new devices in order to stop the attacker, but the attacker is still persistently abusing their system and email. They always wonder, how is the hacker doing it? I tell them, check your email rules. Although it can be something else besides rules (i.e., templates, add-ons, etc.).


The problem with the malicious misuse of email automation is that most email users and only a small percentage of email administrators and computer defenders know about the problem, and only a small subset of those individuals actually do something to proactively defend against it. Malicious email automation is almost never detected by anti-malware software and vulnerability scanners. When was the last time your anti-malware program or vulnerability scanner warned you about a potentially malicious email rule, add-in, or template? I think I’m hearing the virtual echoes of silence.

Creating an Email Rule


Of course, all that email automation wasn’t meant to be maliciously misused. It was intended to make everyone’s life easier. It was created so we could better and more easily organize our inboxes, handle particular emails a certain way, and, in general, to make us all more productive. Rules are probably the most common automation feature set used by email users."
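
The advice quoted above to "check your email rules" can be scripted for server-side rules. The following is an added example, not code from the quoted article or from InfoTank: it assumes an Exchange or Exchange Online mailbox whose rules are read with `Get-InboxRule`, and it flags rules that send mail to addresses outside your own domains or that delete matching messages. The function name `Find-SuspiciousInboxRule`, the domain `example.com`, and the sample rules are constructed for illustration.

```powershell
# Added example: triage inbox rules for actions that deserve a manual look.
# Property names match the objects returned by Get-InboxRule.
function Find-SuspiciousInboxRule {
    param(
        [Parameter(ValueFromPipeline)] $Rule,
        [string[]] $InternalDomain   # assumption: the mail domains your organization owns
    )
    process {
        $reasons = @()
        # Assumption: external recipients are rendered as "Name" [SMTP:user@domain];
        # internal ones as [EX:/o=...], which carry no SMTP address and are skipped.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -match 'SMTP:([^\]\s]+)') {
                $addr   = $Matches[1]
                $domain = ($addr -split '@')[-1]
                if ($InternalDomain -notcontains $domain) {
                    $reasons += "sends mail to external address $addr"
                }
            }
        }
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching messages' }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice'; Name = 'Newsletters'; DeleteMessage = $false
        ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null },
    [pscustomobject]@{ MailboxOwnerId = 'bob'; Name = '.'; DeleteMessage = $true
        ForwardTo = @('"collector" [SMTP:collector@mail.example.net]')
        ForwardAsAttachmentTo = $null; RedirectTo = $null }
)
$sample | Find-SuspiciousInboxRule -InternalDomain 'example.com'

# Against a live mailbox (requires an Exchange management session):
# Get-InboxRule -Mailbox <user> -IncludeHidden | Find-SuspiciousInboxRule -InternalDomain <your domains>
```

Only the second sample rule is reported, for both its external forward and its delete action. Client-side rules, templates, and add-ons are not covered by this check and still need to be reviewed in the mail client itself.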


How you create an email rule varies according to the email application you are using. Most people use Microsoft Outlook as their email application client. To learn how to manage Outlook email messages by using rules, you can click the following link to the Microsoft support article and follow the instructions:


If you need further help working with email rules in any email application such as Outlook, Gmail, Apple Mail or Mozilla Thunderbird, feel free to call InfoTank through your normal support channels. If you are in need of a technical support company for your home or business, we would love to speak with you. Give us a call at 770.924.7309 or email us at


We look forward to seeing how we can help you!