2026-05-26

Gmail and Outlook Rules After Phishing: Where Attackers Hide Their Access

The sinking feeling that follows a successful phishing attack is a universal one. You realize you have clicked a malicious link, entered your credentials, and given an attacker the keys to your digital life. The immediate, instinctual response is to change your password. While this is a critical first step, it is dangerously incomplete. A password change can lock the front door, but sophisticated attackers are adept at creating hidden backdoors, allowing them to maintain persistent access to your email account long after you believe the threat has been neutralized. They are no longer knocking; they are already inside, silently observing, redirecting, and exploiting your most sensitive communications.

This silent persistence is where the real danger lies. An attacker with ongoing access can monitor your financial transactions, intercept invoices, steal proprietary business information, and use your trusted identity to launch further attacks against your contacts and colleagues. They achieve this not through brute force, but with subtlety, by manipulating the very features designed to make your email experience more convenient: rules, filters, and connected applications. This guide provides a comprehensive, practical checklist for both Gmail and Outlook users to systematically uncover and eliminate these hidden entry points, preserve evidence, and fully reclaim control of your compromised account. Following these steps will transform your response from a simple password reset into a thorough security overhaul.

Table of contents:

  1. Initial Containment and Evidence Preservation
  2. A Deep Dive into Your Gmail Account Settings
  3. A Deep Dive into Your Outlook Account Settings
  4. Final Security Steps and Proactive Measures


Initial Containment and Evidence Preservation

Before you begin deleting suspicious rules or revoking access, it is crucial to take a moment to preserve evidence and secure the immediate environment. Acting too quickly can alert the attacker and erase valuable information that could be used for a forensic investigation or to recover stolen assets. The goal of this initial phase is to stop the bleeding without destroying the crime scene.

Step 1: Preserve the Suspicious Message

The original phishing email is your primary piece of evidence. Do not delete it immediately. Instead, you need to isolate it safely. The methods vary slightly between platforms, but the principle is the same: save the message and its headers without interacting with its content.

  • For Gmail Users: Select the phishing email without opening it. Click the three vertical dots (More menu) and select “Show original”. This will open a new tab with the full, raw source of the email, including the headers. You can copy this text into a plain text file or use the “Download original” option to save it as a .eml file. This file is safe to store and can be provided to security professionals.
  • For Outlook Users: Open the phishing email in a new window by double-clicking it. Go to File > Properties. In the “Internet headers” section at the bottom of the dialog box, you will find the full message source. Copy all of the text from this box and paste it into a plain text file for safekeeping. Alternatively, you can save the email as a .msg file (File > Save As).

Once saved, you can move the email to your Spam or Junk folder to help the provider improve its filtering, but do not permanently delete it until your investigation is complete.

Step 2: Check Active Sessions and Force a Global Logout

Your next priority is to forcibly disconnect the attacker from all active sessions. Changing your password does not always terminate existing sessions, especially on mobile apps or with saved application tokens.

  • In Gmail: Scroll to the bottom of your inbox page. In the bottom-right corner, you will see “Last account activity” with a “Details” link. Click on “Details”. A new window will appear showing all recent sessions, including their IP address, location, and access type (browser, mobile, etc.). Critically, at the top of this window, there is a button that says “Sign out all other web sessions”. Click it immediately.
  • In Outlook/Microsoft Account: Navigate to your Microsoft Account security page (account.microsoft.com/security). Go to “Advanced security options”. Here you will find a section to “Sign me out”. This feature forces a sign-out on all devices, browsers, and apps within 24 hours.

This action ensures that even if the attacker has an active, authenticated session, it will be terminated, forcing them to re-authenticate with the new password you have set.

A Deep Dive into Your Gmail Account Settings

With immediate containment handled, it is time to perform a meticulous audit of your Gmail settings. Attackers exploit these features because they are powerful, often set up once and then forgotten, and can operate silently in the background. This is a common tactic that requires a deep understanding of modern cybersecurity threats to counteract effectively.

Checking Forwarding and POP/IMAP Settings

This is one of the most common and damaging backdoors. An attacker can set up a forwarding rule to send a copy of every single email you receive to an account they control. This gives them a real-time feed of your entire digital correspondence.

  1. Navigate to Gmail Settings by clicking the gear icon in the top right and selecting “See all settings”.
  2. Go to the “Forwarding and POP/IMAP” tab.
  3. Look closely at the “Forwarding” section. It should be set to “Disable forwarding”. If it is enabled and pointing to an email address you do not recognize, you have found a backdoor. Select “Disable forwarding” and save your changes immediately. Be sure to take a screenshot of the unauthorized forwarding address before you remove it.
  4. While here, also review the “POP Download” and “IMAP Access” sections. Unless you knowingly use a desktop email client like Thunderbird or Apple Mail, both of these should ideally be disabled. Attackers can enable them to download your entire mailbox history.

Auditing Filters and Blocked Addresses

Filters are more insidious than forwarding. An attacker can create highly specific rules to hide their tracks or target valuable information. For example, they can create a filter that automatically deletes security alerts from Google or moves any email containing the word “invoice” or “bank statement” to the trash, where you are unlikely to see it before it is exfiltrated.

  1. In Gmail Settings, go to the “Filters and Blocked Addresses” tab.
  2. Carefully review every single filter listed. Look for anything you do not remember creating.
  3. Pay special attention to filters that perform actions like “Delete it”, “Mark as read”, “Skip the Inbox (Archive it)”, or “Forward to: [unrecognized email]”.
  4. Attackers often use vague search criteria or target keywords like “security”, “alert”, “password”, “compromise”, “invoice”, “payment”, or “wire transfer”.
  5. Delete any and all suspicious filters. Select the checkbox next to the filter and click the “Delete” button.

After a compromise, it is not enough to simply block the attacker; you must actively dismantle the infrastructure they have built within your own account. Every rule and filter is a potential tool for further exploitation.

Reviewing Third-Party App Access

Malicious third-party applications granted access via OAuth can retain access to your account even after a password change. These often disguise themselves as legitimate productivity tools, document scanners, or email organizers.

  1. Go to your Google Account security settings (myaccount.google.com/security).
  2. Scroll down to the “Your connections to third-party apps & services” panel.
  3. Click to view all connections. You will see a list of every application and service that has some level of access to your Google account data.
  4. Scrutinize this list carefully. If you see any app that you do not recognize, do not remember authorizing, or no longer use, click on it and select “Remove access”.
  5. Pay close attention to apps that have a high level of permission, such as “Has full access to your Google Account” or “Read, compose, send, and permanently delete all your email from Gmail”.

Regularly auditing connected apps is a crucial part of digital hygiene and a core component of a robust personal security posture.

A Deep Dive into Your Outlook Account Settings

The principles for securing an Outlook.com, Hotmail, or Microsoft 365 account are similar to Gmail, but the settings are located in different places. Attackers are equally adept at manipulating the powerful rule-based automation within the Microsoft ecosystem.

Investigating Email Forwarding Rules

Just like in Gmail, unauthorized forwarding is a primary goal for an attacker looking to exfiltrate data from an Outlook account.

  1. Log in to Outlook on the web. Click the gear icon (Settings) in the top-right corner.
  2. Select “View all Outlook settings” at the bottom of the pane.
  3. Go to Mail > Forwarding.
  4. The “Enable forwarding” box should be unchecked. If it is checked and an unfamiliar email address is listed, your email is being forwarded to the attacker. Take a screenshot, uncheck the box, and click “Save”.
  5. Some attackers also enable the “Keep a copy of forwarded messages” option to reduce suspicion, so seeing your emails in your inbox does not guarantee that copies are not also being sent elsewhere.

Scrutinizing Inbox and Sweep Rules

Outlook’s “Rules” are the equivalent of Gmail’s “Filters”. They are extremely powerful and a favorite hiding spot for malicious actors. They can be used to move emails from specific senders (like your bank) to obscure folders, mark them as read, and then delete them after a few days.

  1. In the “View all Outlook settings” menu, navigate to Mail > Rules.
  2. Examine every rule with extreme prejudice. Attackers often give rules innocuous names like “Cleanup” or “Organization” to avoid detection.
  3. Look for any rule that moves messages to folders you did not create (check your folder list for strange new additions), forwards messages as attachments, or immediately deletes them.
  4. Pay close attention to the conditions of the rule. Does it trigger on keywords like “password reset” or “security notification”? Does it apply to messages from your IT department or financial institutions?
  5. Delete any suspicious rule by clicking the trash can icon next to it.
  6. Also, check the “Sweep” tab next to “Rules”. Sweep rules are designed for bulk actions and can also be abused to silently remove important emails. Review and delete any you did not set up.
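Both the Gmail filter audit earlier in this guide and the Outlook rule audit above can be scripted against the JSON the providers' APIs return. The following is an added example, not code from this article: it normalises Gmail API filter resources (users.settings.filters) and Microsoft Graph messageRule resources (mailFolders/inbox/messageRules) into one record and flags the behaviours the checklist warns about: forwarding or redirecting to an address you did not set up, and deleting, hiding or marking as read messages whose conditions mention the keywords attackers favour. The keyword list, the `known_forwards` allow-list and the sample rules are constructed assumptions, so it runs offline without credentials.

```python
# Terms the checklist names as favourite rule conditions; assumed starting list, extend for your mailbox.
SUSPECT_TERMS = ("security", "alert", "password", "compromise", "invoice",
                 "payment", "wire transfer", "reset", "bank")
def rule_from_gmail(f):
    """Normalise a Gmail API filter resource (users.settings.filters) into a common record."""
    a = f.get("action", {})
    added, removed = set(a.get("addLabelIds", [])), set(a.get("removeLabelIds", []))
    actions = {name for name, hit in (("delete", "TRASH" in added),        # "Delete it"
               ("hide", "INBOX" in removed), ("mark_read", "UNREAD" in removed)) if hit}
    return {"id": f.get("id", "?"), "name": "", "conditions": f.get("criteria", {}),
            "actions": actions, "forward": [a["forward"]] if a.get("forward") else []}

def rule_from_graph(r):
    """Normalise a Microsoft Graph messageRule (mailFolders/inbox/messageRules) the same way."""
    a = r.get("actions", {})
    actions = {name for name, hit in (("delete", a.get("delete") or a.get("permanentDelete")),
               ("hide", a.get("moveToFolder")), ("mark_read", a.get("markAsRead"))) if hit}
    forward = [rcpt["emailAddress"]["address"]   # all three Outlook forwarding flavours
               for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
               for rcpt in a.get(key, [])]
    return {"id": r.get("id", "?"), "name": r.get("displayName", ""),
            "conditions": r.get("conditions", {}), "actions": actions, "forward": forward}

def triage(rule, known_forwards=()):
    """List the reasons a normalised rule deserves a human look; empty means nothing flagged."""
    reasons = [f"forwards/redirects to unrecognised address {addr}" for addr in rule["forward"]
               if addr.lower() not in {k.lower() for k in known_forwards}]
    cond_text = str(rule["conditions"]).lower()   # flattens strings, lists and recipient dicts
    hits = [t for t in SUSPECT_TERMS if t in cond_text]
    hiding = rule["actions"] & {"delete", "hide", "mark_read"}
    if hiding and hits:   # hides or destroys exactly the mail the owner most needs to see
        reasons.append(f"{'/'.join(sorted(hiding))} on messages matching {hits}")
    return reasons

def audit(gmail_filters=(), graph_rules=(), known_forwards=()):
    """Map rule id -> reasons for every rule, from either platform, that triage flagged."""
    rules = [rule_from_gmail(f) for f in gmail_filters] + [rule_from_graph(r) for r in graph_rules]
    return {r["id"]: why for r in rules if (why := triage(r, known_forwards))}
# Constructed samples mirroring the patterns the checklist describes (not real account data).
SAMPLE_GMAIL = [
    {"id": "g1", "criteria": {"from": "newsletter@example.org"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
    {"id": "g2", "criteria": {"query": 'invoice OR "wire transfer"'},
     "action": {"addLabelIds": ["TRASH"], "forward": "drop@attacker.example"}}]
SAMPLE_GRAPH = [
    {"id": "o1", "displayName": "Cleanup",
     "conditions": {"subjectContains": ["password reset", "security notification"]},
     "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER", "markAsRead": True}}]
if __name__ == "__main__":
    print(audit(SAMPLE_GMAIL, SAMPLE_GRAPH))
```

A rule that only files newsletters (g1) stays quiet, while the trash-and-forward filter (g2) and the innocuously named “Cleanup” rule (o1) are reported with the reason, which is what you screenshot before deleting them.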

The complexity of these rules highlights the need for expert intervention in many cases. Navigating the aftermath of a breach requires specialized knowledge of attacker tactics, which is why professional security services are invaluable.

Managing Connected Apps and Devices

The process for reviewing app permissions in the Microsoft ecosystem is just as critical as it is for Google.

  1. Navigate directly to your Microsoft Account’s consent page: account.live.com/consent/manage.
  2. This page lists all the apps and services you’ve given permissions to.
  3. Review the list for any applications you do not recognize or trust. Click “Edit” for any suspicious app.
  4. On the next screen, you will see exactly what permissions the app has. If it seems excessive or if you do not know what the app is, click “Remove these permissions”.
  5. Additionally, check your trusted devices at account.microsoft.com/devices. If you see any phones, tablets, or computers you do not recognize, remove them from your account immediately.

At Nexus Group, we understand the urgency and complexity of these situations. That is why we provide a guarantee of fund recovery or your money back, giving you peace of mind as we work to restore your digital security.

Final Security Steps and Proactive Measures

After you have meticulously cleaned your account of any unauthorized rules, filters, and applications, the final steps are to harden your account against future attacks.

First and foremost, enable Multi-Factor Authentication (MFA or 2FA). This is the single most effective step you can take to secure your account. It requires a second form of verification (such as a code from an authenticator app on your phone) in addition to your password, making it far more difficult for an attacker to gain access even if they have stolen your password.

Second, perform a full security review of your account. Both Google and Microsoft provide a guided “Security Checkup” tool that walks you through your recovery information (phone number and email), recent activity, and connected devices. Ensure all recovery information is correct and belongs to you.

Finally, stay vigilant. Be suspicious of unsolicited emails, especially those that create a sense of urgency or ask for credentials. Understanding the tactics used by attackers is a key part of any effective cybersecurity strategy. If you have been the victim of a phishing attack that has led to financial loss or a significant data breach, it is often best to seek professional help. Experts can ensure every backdoor is closed, assist in evidence collection, and guide you through the recovery process.

Reclaiming your account after a phishing attack is more than just a password change. It is a methodical process of digital forensics. By following this checklist, you can move beyond a false sense of security and take decisive action to truly evict any intruders and fortify your defenses for the future. If you need assistance or a comprehensive security audit, do not hesitate to reach out to our team of experts.
