A sophisticated espionage operation has highlighted a deceptively simple attack method: rather than fighting their way past email security controls, attackers quietly configured forwarding rules inside their victims' own Google Workspace accounts to copy every message to external addresses. The technique works because it exploits a feature designed for legitimate administrative use, making detection harder than traditional exfiltration attempts.

How the Attack Chain Worked

The operation, attributed to a China-linked group, spent over a year inside North American research networks targeting medical, academic, and defense organisations. Initial access came through a backdoor installed on REDCap servers—a widely used platform for clinical research data management. Once inside, attackers harvested credentials from the compromised research infrastructure and used them to access Google Workspace accounts belonging to researchers and administrative staff.

Rather than risk detection through bulk data downloads or suspicious email forwarding visible in logs, the attackers created or modified email rules within Workspace itself. These rules automatically copied incoming messages (and potentially sent mail) to attacker-controlled accounts. Because the rules existed within the legitimate administrative interface, they blended into normal account activity. From the perspective of routine log monitoring, the accounts appeared to be functioning normally.

The technique is effective precisely because email rules are a standard feature. Security teams expecting to see suspicious network traffic or external data transfers might miss rule-based exfiltration, especially if the rules were created during a window when legitimate administrative changes were occurring.

Why This Matters for Infrastructure Teams

This attack pattern reveals a gap between how organisations typically secure email platforms and how they secure the infrastructure feeding into them. Most security controls focus on external threats—blocking suspicious attachment types, filtering phishing, preventing unauthorised access from unfamiliar locations. The implicit assumption is that anyone holding valid credentials is a legitimate user, so standard email features such as rules and forwarding are trusted without further scrutiny.

That assumption breaks down when attackers have persistent, undetected access to upstream systems like research databases or internal servers. If an attacker can live quietly in your infrastructure for over a year, they have ample opportunity to enumerate user accounts, identify high-value targets, and then quietly pivot into email platforms using stolen credentials. At that point, they don't need malware in the email client or network-level interception—they can use the platform's own administrative features.

Infrastructure operators responsible for research platforms, healthcare systems, or any organisation handling sensitive correspondence need to recognise that email security is downstream security. A compromised server in your research network can become a launchpad for email account compromise.

Detection and Mitigation Layers

Organisations using Workspace (or similar platforms offering rule-based email management) should treat rule creation and modification as security events worthy of monitoring. This includes:

But email platform hardening alone won't stop this attack. The underlying vulnerability is the compromised research server. Infrastructure teams need to treat internal systems—particularly those handling credentials or providing access to sensitive applications—with the same rigour as perimeter security. This means segmentation between research networks and enterprise email infrastructure, regular patching of research platforms, and intrusion detection at the network level sensitive enough to catch long-dwell exfiltration.

The REDCap backdoor that started this chain likely could have been detected or prevented with standard practices: patching, file integrity monitoring, and behavioural analysis of database access patterns. The attack succeeded because the infrastructure stayed compromised long enough for the attackers to map their environment and identify valuable targets.
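As an added example (not from the original article or any vendor tooling), the script below shows the kind of monitoring described above: it scans mail-rule change events, flags any rule that forwards to an address outside the organisation's domains, and raises severity when the change was made outside an assumed administrative window. The log schema, domains, addresses and timestamps are constructed stand-ins and are not Google's real audit-log format.

```python
"""Flag Workspace mail-rule changes that forward mail to external addresses."""
import json
from datetime import datetime, timezone

ORG_DOMAINS = {"research.example"}  # assumed: the organisation's own mail domains

# Constructed sample events (simplified stand-in schema, not real audit-log data).
SAMPLE_LOG = """
{"ts":"2024-03-02T09:12:00Z","actor":"alice@research.example","event":"CREATE_FILTER","params":{"action":"forward","to":"alice-archive@research.example"}}
{"ts":"2024-03-03T02:41:00Z","actor":"bob@research.example","event":"CREATE_FILTER","params":{"action":"forward","to":"backup.mail.7781@gmail.com"}}
{"ts":"2024-03-03T02:43:00Z","actor":"bob@research.example","event":"CHANGE_FORWARDING","params":{"action":"forward","to":"backup.mail.7781@gmail.com"}}
{"ts":"2024-03-04T10:00:00Z","actor":"carol@research.example","event":"CREATE_FILTER","params":{"action":"label","label":"grants"}}
"""


def find_external_forwarding(log_text, org_domains=ORG_DOMAINS):
    """Return (actor, event, destination, timestamp) for each rule change
    whose forwarding destination is outside the organisation's domains."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        params = rec.get("params", {})
        if params.get("action") != "forward":
            continue  # label/archive rules are not exfiltration paths
        dest = params.get("to", "")
        if dest.split("@", 1)[-1].lower() not in org_domains:
            hits.append((rec["actor"], rec["event"], dest, rec["ts"]))
    return hits


def outside_admin_window(ts, start_hour=7, end_hour=19):
    """True when a UTC timestamp falls outside the assumed change window."""
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return not (start_hour <= when.hour < end_hour)


def triage(log_text):
    """External destination plus off-hours change is the highest-severity case."""
    alerts = []
    for actor, event, dest, ts in find_external_forwarding(log_text):
        severity = "high" if outside_admin_window(ts) else "medium"
        alerts.append({"actor": actor, "event": event, "dest": dest,
                       "ts": ts, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Correlating the flagged actor with a credential reset or a recent login from an unusual source turns this from a rule audit into an investigation lead.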

The Broader Pattern

This incident reflects a shift in how sophisticated attackers approach sensitive networks. Rather than racing to exfiltrate data and vanish, they're operating for dwell time measured in months or years, using the victim's own tools and accounts to avoid detection. Research into this operation shows the attackers weren't trying to be stealthy about their presence once inside—they were stealthy about their exfiltration method.

For organisations running research infrastructure, healthcare platforms, or any systems that feed into email and collaboration tools, the lesson is clear: compromise of internal systems is compromise of everything downstream. Infrastructure security, in this context, includes the entire chain from database server to email platform. A gap anywhere in that chain gives attackers a foothold.