When an account is compromised, attackers often create hidden rules to automatically delete, move, or forward incoming email. This can cause messages to disappear from the user’s inbox, even though mail flow is functioning normally. This article explains how to check for and remove suspicious rules and forwarding settings.
1. Why This Matters
Attackers use inbox rules to hide their activity and prevent users from seeing warnings or security notifications.
Forwarding rules may exfiltrate sensitive email to external addresses.
Even after resetting a password, these rules remain in place until they are manually removed.
2. Check Inbox Rules in Outlook on the Web
Sign in to Outlook on the Web.
Click the gear icon (⚙️) in the top-right corner and choose View all Outlook settings.
Go to Mail > Rules.
-
Review the list of rules:
Look for rules that delete, move, or forward messages automatically.
Pay special attention to rules targeting “all messages” or suspicious keywords (e.g., “Bank,” “Password,” “Invoice”).
Delete or disable any rules you do not recognize.
🔎 Example of suspicious rules:
“Delete all messages”
“Move messages from security@domain.com to RSS Feeds”
“Forward all mail to attacker@example.com”
3. Check Forwarding Settings in Outlook
In the same Outlook settings menu, go to Mail > Forwarding.
Verify if forwarding is enabled.
If you see mail being forwarded to an unknown external address, disable it and remove the address.
4. Check Rules in the Exchange Admin Center (Admin Only)
Administrators can confirm suspicious rules at the mailbox level.
Sign in to the Exchange Admin Center.
Navigate to Recipients > Mailboxes and select the affected user.
-
Under Mail settings, review:
Automatic forwarding
Delegate access
Remove any unauthorized or suspicious settings.
5. Use PowerShell to Inspect Rules
For deeper investigation, connect to Exchange Online PowerShell and run:
Get-InboxRule -Mailbox user@example.com | Format-List Name, Description, EnabledCheck for rules that delete, move, or forward messages without the user’s knowledge.
6. Next Steps After Cleanup
Reset the user’s password (if not already done).
Revoke any active sessions via Microsoft 365 Security & Compliance Center.
Run a message trace to confirm mail flow.
Educate the user to report suspicious activity.
Comments
0 comments
Please sign in to leave a comment.