Detect malicious mail rules

Attackers can use mail rules to covertly forward sensitive information out of your organisation. This initiative will help you see if anyone already has any of these malicious rules and help you manage, reduce, and maybe even completely remove this risk.

The problem

If an attacker has access to your mailbox, a common next step is to add a mail rule that forwards certain sensitive mails back to the attacker. The same rules you use to keep your inbox tidy by automatically moving mails from certain people or containing certain words into folders can also be used to forward mail out of the company.


Attackers like this technique because it sticks around, even after you change your password, and because it’s discreet; the rules are there if you look but people rarely do.


An attacker can add a rule if they get access to your account via a number of all-too-familiar scenarios - credential phishing, reused credentials, or the perhaps less familiar, “consent phishing”.

Typically a rule will match on generic, sensitive keywords like "invoice", "payment" or "bank" - attackers are usually looking for financial details or personal records to sell on. Of course, this technique could be used to great effect if tailored to a specific organisation, but we mostly see it in a non-targeted way today.

Attackers are banking on most people not looking at their rules, however, for added stealth, attackers will also typically name the rule something generic and uninteresting like “Test rule” or “Anti-spam” to encourage your eyes to gloss over them.

So what should you do? 

First, you’ll want to have a look at the mail rules in your estate to see if any are configured to forward mail externally - perhaps you'll find none, and you could consider disallowing external forwarding via rules altogether.

A good place to start is to use the auto-forwarded messages report in the Exchange admin panel - this will show you if any external forwarding rules have been utilised recently. However, looking for if any rules are in place (recently used or not) is harder - you can use the Graph API or possibly run some PowerShell.

If you find any, have a look through the rules to see if they check out - we often see legitimate rules that help users sort through personal stuff that's been sent to their work mail for whatever reason, such as payslips, by auto-forwarding it back to their personal inbox. You might decide that’s not allowed policy-wise but from a security perspective, that’s fine.

Some may be a bit less clear or just outright malicious; in that case you should contact the mailbox owner to check if the rule is there intentionally and remove it if not. Mailboxes with malicious rules should have their passwords changed and you should also review the OAuth applications they have authorised to see if anything looks suspect.

How can we help?

This initiative will inspect all mail rules in use on your estate, highlight any that are forwarding mail externally, and further highlight ones we think look suspicious.

If you make use of our ChatOps integration, we can automate the initial investigation you may have to do by reaching out to users with suspicious mail rules and quickly gaining an understanding of whether they are intentional.

If you want to disable external mail forwarding to completely remove the risk, we can reach out to only those users who currently have external mail forwarding rules and work with them to remove their existing rules, explaining the reasoning and background as we go. Once all the rules are disabled we’ll give you the heads up and you can disable forwarding, safe in the knowledge no one will be disrupted.

Finally, whether you’ve disabled external forwarding or not, you'll be able to configure alerting for if a new suspicious rule is created so you can stay on top of it going forward.

Supported platforms:
Microsoft 365 logo
Microsoft 365
Coming soon