Check Point Email Security | Blog

The Automatic Forwarding Problem

Written by Jeremy Fuchs | December 14, 2022

We talk a lot about the limitations that come with API-based email security solutions. These detect and remediate solutions wait for an email to come into the inbox before determining if it is malicious or not. The time gap between the email entering the inbox and the service remediating it is where the danger lies.

But sometimes, the time gap doesn't even matter. Let's explain.

Many users set up mail flow rules. It can vary depending on the user, but here are some common ones:

  • Every time I get an email with a certain subject, forward it to ServiceNow
  • Every time I get an email from a certain user, forward it to Salesforce

This can be useful for many reasons, for ensuring deals are followed up on and service tickets aren't missed.

But just because an automatic forwarding rule is set up, it doesn't mean that these emails can't be malicious. 

So here's what can happen with an API-based solution. A malicious email comes from a sender whose emails automatically get sent to Salesforce. Even if the service remediates it in a millisecond, it will still get forwarded to Salesforce. So the email can still be interacted with in Salesforce.

We heard this from someone who uses an API-based competitor. They had an email that was remediated within a few minutes. But a case was created in Salesforce, where the malicious email sat, ready to be interacted on. As they mentioned, it effectively bypassed the API-based email security tool.

When you are remediating emails after they have reached the inbox, it doesn't matter if it takes one millisecond or eight hours. If you are not scanning emails before they reach the users, there's no telling what could happen.