The article presumes the reader is familiar with "malicious inbox rules" and doesn't elaborate or link to further info on it. From what I can find online it seems to be a scenario where an email account has already been compromised somehow and the malicious actor sets up inbox rules to e.g. auto-forward emails to another attacker-controlled email. I assume the intent is to effectively gain access to emails like 2FA and password recovery in the event the target changes their email account password.