Seth Keddy
Your Company Has Already Been Breached—You Just Don’t Know It Yet

There was a time I walked into a small law office—not much more than twenty users, all Outlook and Word and anxiety—and within 45 minutes of poking around, I found a "lurker."

Not a virus. Not ransomware. Not a screaming, blinking alert.

No. A real, persistent, quiet threat actor sitting in one paralegal’s inbox.

Just reading. Just watching.

And they had been there for four months.


This Is More Common Than You Think

We like to think of cybersecurity breaches as explosions. Something loud, noisy, fast.

But that’s not how it works most of the time.

Most real-world breaches are quiet. Patient. And they rely on one key thing: you won’t notice.

  • They’ll sit in your systems. In your logs. In your inboxes. In your shared drives. Sometimes even your backups.
  • They’re not trying to break things.
  • They’re trying to own you.

When I Started Hunting

Back when I worked MSP gigs across Northwest Arkansas, I started noticing a pattern. Small professional service firms—law offices, dental practices, CPAs—they had no SIEM, no EDR, no threat models.

Their security posture was a Windows Defender tray icon and a hope.

And what I started finding? Static-looking Outlook inboxes with weird rules set up. Exfil rules. Forwarding rules. Some disguised as spam filters. Some that only triggered on certain keywords.

No AV caught it. No firewall tripped. But the patterns were there—like ghost fingerprints.

In one case, a cybercriminal had quietly siphoned every court-related email for months. They weren’t trying to steal money. They were building a map of court calendars, client info, internal staff schedules, and legal strategy.

And the company had no clue.

# Requires: a Microsoft Graph access token (via MSAL or Azure CLI) for an identity that
# holds MailboxSettings.Read (MailboxSettings.ReadWrite if you also want to disable rules)
# Detects inbox rules with forward/redirect actions, a common exfiltration pattern

$token = (az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv)

$headers = @{
  Authorization  = "Bearer $token"
  "Content-Type" = "application/json"
}

# Set to $true to disable every matching rule; leave $false to report only
$disableRules = $false

# Target high-risk users first (e.g., paralegals, HR, finance)
$userList = @("user1@domain.com", "user2@domain.com")

foreach ($user in $userList) {
    $rulesUrl = "https://graph.microsoft.com/v1.0/users/$user/mailFolders/inbox/messageRules"
    $rules = Invoke-RestMethod -Uri $rulesUrl -Headers $headers -Method Get

    foreach ($rule in $rules.value) {
        # forwardTo and redirectTo are arrays of recipient objects; collect their addresses
        $targets = @($rule.actions.forwardTo) + @($rule.actions.redirectTo) |
            Where-Object { $_ } | ForEach-Object { $_.emailAddress.address }

        if ($targets) {
            Write-Host "Suspicious rule found in $user"
            Write-Host "Rule Name: $($rule.displayName) (enabled: $($rule.isEnabled))"
            Write-Host "Forwarding/Redirecting To: $($targets -join ', ')"

            # Optional: disable the rule in place
            if ($disableRules) {
                $disableUrl = "$rulesUrl/$($rule.id)"
                $body = @{ isEnabled = $false } | ConvertTo-Json
                Invoke-RestMethod -Uri $disableUrl -Headers $headers -Method Patch -Body $body
                Write-Host "Disabled rule: $($rule.displayName)"
            }
        }
    }
}

  • What This Snippet Does:
    Connects to the Microsoft Graph API to enumerate Inbox rules.
    Identifies rules with forwardTo or redirectTo actions (often used for exfiltration).
    Logs suspicious rules and can optionally disable them automatically.
  • Why This Matters: These rules are silent, persistent, and often ignored by AV/EDR.

In many of the attacks I’ve investigated, this was the only foothold the attacker needed to maintain access for months.
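The snippet above flags only forwardTo/redirectTo. As an added example (not the author's code), here is a Python triage pass over the same Graph messageRules JSON that also scores the other patterns described in this post: keyword-triggered rules, "spam filter" rules that mark mail read and then delete or move it, and forward-as-attachment. The sample response, the example-law.com domain and the scoring weights are constructed assumptions.

```python
import json

# Constructed sample in the shape of a Microsoft Graph messageRules response
# (field names follow the documented messageRule resource; values are invented).
SAMPLE_RULES = json.loads("""{"value": [
 {"id": "r1", "displayName": "Spam filter", "isEnabled": true,
  "conditions": {"bodyOrSubjectContains": ["court", "hearing", "invoice"]},
  "actions": {"forwardTo": [{"emailAddress": {"address": "backup.archive@gmail.com"}}],
              "markAsRead": true, "delete": true, "stopProcessingRules": true}},
 {"id": "r2", "displayName": "Newsletters", "isEnabled": true,
  "conditions": {"senderContains": ["noreply"]},
  "actions": {"moveToFolder": "constructed-folder-id", "markAsRead": false}},
 {"id": "r3", "displayName": "Quiet archive", "isEnabled": true,
  "conditions": {"subjectContains": ["password", "MFA", "verification"]},
  "actions": {"markAsRead": true, "moveToFolder": "constructed-archive-id"}}
]}""")

INTERNAL_DOMAINS = {"example-law.com"}  # assumption: the firm's own mail domains
SENSITIVE_WORDS = {"court", "invoice", "password", "mfa", "wire", "verification"}
KEYWORD_CONDITIONS = ("bodyOrSubjectContains", "subjectContains", "bodyContains")

def recipients(action):
    """Flatten a forwardTo/redirectTo/forwardAsAttachmentTo list to addresses."""
    return [r["emailAddress"]["address"].lower() for r in (action or [])]

def score_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return (score, reasons) for one inbox rule; higher means more suspicious."""
    a, c = rule.get("actions", {}), rule.get("conditions", {})
    score, reasons = 0, []
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for addr in recipients(a.get(key)):
            if addr.rsplit("@", 1)[-1] not in internal_domains:
                score += 5; reasons.append(f"{key} external {addr}")
    words = {w.lower() for k in KEYWORD_CONDITIONS for w in c.get(k, [])}
    if words & SENSITIVE_WORDS:   # keyword-triggered rule, as in the paralegal case
        score += 2; reasons.append(f"keyword trigger {sorted(words & SENSITIVE_WORDS)}")
    if a.get("markAsRead") and (a.get("delete") or a.get("moveToFolder")):
        score += 3; reasons.append("hides mail (marked read, then deleted/moved)")
    if a.get("stopProcessingRules"):
        score += 1; reasons.append("stops later rules from running")
    return score, reasons

def triage(payload, threshold=3):
    """Return enabled rules scoring at/above threshold, most suspicious first."""
    hits = []
    for rule in payload["value"]:
        score, why = score_rule(rule)
        if rule.get("isEnabled", True) and score >= threshold:
            hits.append((score, rule["id"], rule["displayName"], why))
    return sorted(hits, reverse=True)
```

Feed it the `$rules` JSON from the snippet above and the "Newsletters" rule drops out while the keyword-driven "Spam filter" and "Quiet archive" rules surface, the former highest because it both forwards externally and hides the evidence.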

Why You Probably Already Have Someone Inside Your Network

Let me spell it out: If you don’t have continuous monitoring and threat hunting in place, you are probably compromised.

Here’s why:

  • Dwell time (the time between breach and detection) in mid-sized companies often exceeds 200 days.
  • Attackers don’t need admin creds. They need persistence. A user mailbox. A shared folder. An unused VPN.
  • Unless you're actively hunting for them, they’ll remain invisible.

They'll wait until tax season. Or court filing day. Or invoice runs.

Then they strike.

What Threats Look Like in the Real World

They don’t come with red skulls and alert banners. They look like:

  • An inbox rule that silently forwards emails to a Gmail account in Taiwan.
  • An Azure app registration used to create an OAuth token that never expires.
  • A suspicious powershell.exe running as SYSTEM on a backup appliance—at 2am on a Sunday.
  • A service account that hasn’t had a password rotation since 2019.

These are the real-world TTPs (tactics, techniques, and procedures). And they’re effective precisely because they’re mundane.

You Need Eyes—Real Ones

SIEMs like Splunk or Microsoft Sentinel are game changers. But not for the reasons you think.

They don’t stop breaches. They let you see.

With the right tuning, you start noticing:

  • Why is this user logging in from New Jersey and Arkansas in the same hour?
  • Why is svchost.exe calling out to a known malicious IP in Russia?
  • Why are Office365 mail items being moved to archive without being read?
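The "New Jersey and Arkansas in the same hour" question is a classic impossible-travel check. As an added example, not from the original post, here is the computation such a SIEM rule performs, run over constructed sign-in records; the users, coordinates and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sign-in records (not real logs): user, UTC timestamp, city, lat, lon.
# Assumption: the SIEM has already resolved each source IP to a location.
SIGN_INS = [
    ("paralegal@example-law.com", "2024-03-04T13:05:00Z", "Fayetteville, AR", 36.0626, -94.1574),
    ("paralegal@example-law.com", "2024-03-04T13:52:00Z", "Newark, NJ", 40.7357, -74.1724),
    ("partner@example-law.com", "2024-03-04T08:00:00Z", "Fayetteville, AR", 36.0626, -94.1574),
    ("partner@example-law.com", "2024-03-04T17:30:00Z", "Newark, NJ", 40.7357, -74.1724),
]

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins of one user that would need faster-than-airliner travel.

    Returns (user, from_city, to_city, km, hours, kmh) per alert. max_kmh is a tuning
    knob: commercial flights cruise near 900 km/h, so anything above is not a person.
    """
    by_user = {}
    for user, ts, city, lat, lon in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user.setdefault(user, []).append((t, city, lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()   # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours == 0:   # same-second sign-ins: only a location change is impossible
                kmh = float("inf") if km > 1 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, c1, c2, round(km), round(hours, 2), round(kmh)))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print("impossible travel:", alert)
```

The partner's two sign-ins nine and a half hours apart are a plausible flight and stay quiet; the paralegal's 47-minute hop across roughly 1,800 km is what the rule fires on.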

More importantly: they give you history. The past. The dwell time.

You get to build a timeline. A map. A root cause analysis.

Because cleaning up a breach is like cleaning up after a raccoon: you don’t just want to fix the broken door—you want to know how long it's been in your attic and what it touched.

Detection Is Not Enough

Even when you find the threat, getting rid of it is harder than it looks.

I’ve had attackers reinstall themselves after I kicked them out. I’ve had OAuth tokens persist after user accounts were deleted. I’ve had mailboxes reinfected by sync settings from mobile clients no one thought to check.

EDR tools (CrowdStrike, SentinelOne, Defender ATP) help, but only if you pair them with a trained eye and proactive hunting.

Set traps. Build honey tokens. Rotate logs. Inspect your own blind spots.

And know this: attackers don’t need a new CVE. They’ll use what’s already available—like a 6-month-old Outlook rule in a paralegal’s mailbox.

My Takeaway After a Decade of Doing This

  • You don’t secure a business by installing antivirus.
  • You secure it by doubting your assumptions.
  • You secure it by looking at every alert and asking: “What am I missing?”
  • You secure it by assuming someone’s already in—and building systems that can prove you wrong.

Because if you’re not actively threat hunting, you’re not just vulnerable.

You’re compromised. You just don’t know it yet.
