The FBI’s 2023 Internet Crime Report logged $2.9 billion in business email compromise losses. That’s the line that gets quoted. What doesn’t get quoted is the mechanism. Almost all of that loss runs through a tiny, boring piece of Microsoft Outlook called an inbox rule.
A rule is a filter your mailbox runs automatically. Most people use them to sort newsletters into a folder, or flag anything from the boss. Attackers use them differently.
Picture a CPA firm in early April. A bookkeeper clicks a real-looking link in an email she thinks is from a client’s portal. She types her password into what looks exactly like the Microsoft login page. A minute later she’s back at work. Nothing seems wrong.
Somewhere in Eastern Europe, a script running in a browser logs into her mailbox. Inside of two minutes it has created three rules.
The first rule forwards every incoming email to an external address. The second rule moves every message containing the word “phishing,” “suspicious,” “fraud,” “scam,” or “compromise” directly to the RSS Feeds folder. Nobody looks in the RSS Feeds folder. The third rule does the same for any message from the firm’s IT provider. If IT sends a warning, she never sees it. If she notices something weird and emails IT, their reply disappears into the same folder.
Now the attacker has a quiet, real-time copy of her inbox and a way to make sure nobody can warn her. They read for three weeks.
What they learn before they do anything
This is the part that surprises people. The attacker isn’t in a rush. They’re reading.
They learn that this bookkeeper handles wire instructions for half the firm’s clients. They learn how she signs her emails. They learn which clients are mid-transaction during tax season. They learn that one particular client has a quarterly estimated tax payment scheduled for next Tuesday, and the client and the firm have already exchanged three emails about the amount. The payment is going to be substantial. Real money, specific date, warm email thread.
This is exactly the pattern Krebs on Security has been documenting for years and what the FBI flags as the most dangerous variant of BEC. The attacker isn’t sending a “CEO wire request” email out of nowhere. They’re inserting themselves into a real conversation about real money at the moment of payment.
On Monday afternoon, a reply arrives in the client’s inbox, from the bookkeeper’s actual email address. The thread history is intact. The subject line is the same. The message says the firm has updated its banking partner and gives new wire instructions. The client wires the money. It’s gone within ten minutes.
The firm finds out on Wednesday when the client calls about something unrelated and mentions that they made the wire. The bookkeeper says “what wire?” That’s the moment everyone realizes what happened.
What would have caught this
MFA on the account would have stopped the initial login. That’s the obvious one, and if you’re still running Microsoft 365 without MFA on every mailbox in 2026, nothing else in this post is going to help you.
But MFA by itself isn’t the whole answer here. Watching the rules is, because even with MFA, attackers still get in sometimes. The question is whether they can stay undetected once they do.
Your IT provider should be alerting on two things, same day, every day. First, any new inbox rule that forwards mail to an external address. Second, any new inbox rule that deletes, archives, or hides messages based on words like “phishing,” “fraud,” or the name of your IT provider. Both kinds of rule creation are recorded by Microsoft 365 as audit events. They just have to be watched.
Some firms go further and block the ability to auto-forward to external domains entirely, which is a setting in Exchange Online. If nobody in your firm has a legitimate reason to auto-forward email outside the organization, turning that off removes the attacker’s favorite tool.
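Here is what those two same-day checks look like as code. This is an added example, not part of the original post or any vendor tooling: it assumes audit records shaped like Microsoft 365 unified audit log entries for inbox rules (an Operation field plus a Parameters list of Name/Value pairs) and runs over constructed sample entries that mirror the three rules from the story plus one harmless newsletter rule.

```python
# Constructed sample records, shaped like Microsoft 365 unified audit log entries
# for inbox rules (Operation plus Parameters as Name/Value pairs). The field
# names follow that export format as assumed here; every value is invented.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "bookkeeper@example-cpa.test",
     "Parameters": [{"Name": "ForwardTo", "Value": "Drop [SMTP:drop@mailbox.test]"}]},
    {"Operation": "New-InboxRule", "UserId": "bookkeeper@example-cpa.test",
     "Parameters": [{"Name": "SubjectOrBodyContainsWords", "Value": "phishing;suspicious;fraud"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "New-InboxRule", "UserId": "bookkeeper@example-cpa.test",
     "Parameters": [{"Name": "From", "Value": "helpdesk@it-provider.test"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "New-InboxRule", "UserId": "partner@example-cpa.test",
     "Parameters": [{"Name": "From", "Value": "news@vendor.test"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
INTERNAL_DOMAINS = {"example-cpa.test"}      # your own tenant domains
IT_PROVIDER_DOMAINS = {"it-provider.test"}   # whoever sends your security warnings
SUSPECT_WORDS = {"phishing", "suspicious", "fraud", "scam", "compromise", "hacked"}
HIDE_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def _domain(addr):
    # Exchange can render a recipient as 'Name [SMTP:user@host]'; keep only host.
    return addr.rsplit("@", 1)[-1].rstrip("]").strip().lower()

def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def classify_rule(record):
    """Reasons a New-/Set-InboxRule audit record deserves same-day review."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    reasons = []
    for key in FORWARD_KEYS:                       # check 1: mail leaving the tenant
        for target in _split(p.get(key, "")):
            if _domain(target) not in INTERNAL_DOMAINS:
                reasons.append(f"external forward: {key}={target}")
    if any(k in p for k in HIDE_ACTIONS):          # check 2: warnings made invisible
        words = {w.lower() for k in ("SubjectContainsWords", "SubjectOrBodyContainsWords")
                 for w in _split(p.get(k, ""))}
        if words & SUSPECT_WORDS:
            reasons.append(f"hides warning keywords: {sorted(words & SUSPECT_WORDS)}")
        senders = [s for s in _split(p.get("From", "")) if _domain(s) in IT_PROVIDER_DOMAINS]
        if senders:
            reasons.append(f"hides mail from IT provider: {senders}")
    return reasons
def triage(records):
    return [(r["UserId"], classify_rule(r)) for r in records if classify_rule(r)]
```

Feed it the day's New-InboxRule and Set-InboxRule records and every non-empty result is a ticket for the same day; the newsletter rule correctly produces nothing.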
And one more thing that isn’t technical. Every wire instruction, changed wire instruction, or new bank account number gets verified by phone. Not by email. Not by reply-email. By calling the known number for the client and asking. Yes, it’s annoying. It’s less annoying than a $200,000 wire going to Latvia.
The Oregon State Bar has written about this exact scenario playing out at a law firm. The scenarios are all the same. The profession changes. The mechanism doesn’t.
A compromised mailbox that nobody’s monitoring is a camera that runs for weeks. The attacker watches, waits for a good moment, and then the money leaves. The only way to shorten that window is to watch for the rules the way the attackers use them.
