How to triage a potentially malicious mail rule

If you're not sure whether a mail rule is legitimate or malicious, work through these steps:

  • Ask the user: The easiest way to find out is to ask. If the user is confident they set up the rule themselves, it is unlikely to be attacker activity; it may be a breach of policy, but it is not an incident. If the user is unsure, or confident they did not set up the rule, assume it is attacker activity and follow these steps for Microsoft 365 or these for Google Workspace. If you are uncomfortable asking the user, or unable to reach them, read on for other things to look for.

  • Inspect the rule conditions: Attackers typically create rules that forward mail matching keywords such as "invoice" or "payment". These attacks are often untargeted, so the keywords will be generic; still, consider the user's role and the kind of information they handle, and whether the conditions would catch it.

  • Inspect the rule actions: Does the rule forward mail to an address that is not clearly linked to the user's mailbox address? For example, a rule on john.smith@ctrlaltsecure.com that forwards certain mail to j.smith73@example.com is more likely to be legitimate than one forwarding to an address that shares nothing with the user's name. A determined attacker can register a mailbox that looks like it should pass this test, so this alone is not a deciding factor, but combined with what you found in the conditions you should be able to judge whether the rule is likely legitimate.

If you are still not sure, assume the rule is malicious and follow these steps for Microsoft 365 or these for Google Workspace until you can prove otherwise.
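As an added example (not part of the original page), the two inspection checks above turned into a small Python triage script. It assumes a generic rule record shape (name, conditions, forward_to) that you would map from an inbox-rule export of Microsoft 365 or Google Workspace; the keywords beyond "invoice" and "payment", the sample rules, and every address except the two quoted above are constructed for illustration.

```python
"""Heuristics for triaging mailbox rules, following the checks in the text:
inspect the conditions for attacker keywords and the forwarding target for
an address not linked to the mailbox owner.

Added example. Rule records are constructed inline in a generic shape
(name, conditions, forward_to); map your Microsoft 365 or Google Workspace
export into that shape before calling triage_rule().
"""
import re

# Keywords the text names ("invoice", "payment") plus a few generic finance
# terms added here; pass role-specific extras via extra_keywords=...
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "password"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _stripped_local(address: str) -> str:
    """Local part with separators and digits removed: j.smith73 -> jsmith."""
    return re.sub(r"[^a-z]", "", address.split("@", 1)[0].lower())


def address_linked(owner: str, target: str) -> bool:
    """True if the forwarding target plausibly belongs to the mailbox owner.

    Any name token of the owner (3+ letters) appearing in the target's local
    part counts as a link, so john.smith matches j.smith73 and jsmith.
    A determined attacker can satisfy this, so it is a signal, not a verdict.
    """
    owner_tokens = [t for t in re.split(r"[._\-+]", owner.split("@", 1)[0].lower()) if len(t) >= 3]
    target_local = _stripped_local(target)
    return any(tok in target_local for tok in owner_tokens)


def keyword_hits(conditions: dict, extra_keywords=frozenset()) -> set:
    """Suspicious keywords found anywhere in the rule's condition values."""
    values = []
    for v in conditions.values():
        values.extend(v if isinstance(v, list) else [v])
    text = " ".join(str(v) for v in values).lower()
    return {kw for kw in SUSPICIOUS_KEYWORDS | set(extra_keywords) if kw in text}


def triage_rule(rule: dict, owner: str, extra_keywords=frozenset()) -> dict:
    """Combine the two checks into a verdict plus the findings behind it."""
    findings = []
    hits = keyword_hits(rule.get("conditions", {}), extra_keywords)
    if hits:
        findings.append(f"conditions match attacker keywords {sorted(hits)}")

    target = rule.get("forward_to")
    linked, external = True, False
    if target:
        external = _domain(target) != _domain(owner)
        linked = address_linked(owner, target)
        if external:
            findings.append(f"forwards outside {_domain(owner)} to {target}")
        if not linked:
            findings.append(f"{target} is not obviously linked to {owner}")

    # Unlinked target combined with keyword conditions or an external domain:
    # treat as attacker activity until the user proves otherwise.
    if target and not linked and (hits or external):
        verdict = "treat as malicious"
    elif hits or (target and not linked):
        verdict = "confirm with user"
    else:
        verdict = "likely legitimate"
    return {"name": rule["name"], "verdict": verdict, "findings": findings}


def triage_all(rules: list, owner: str, extra_keywords=frozenset()) -> list:
    return [triage_rule(r, owner, extra_keywords) for r in rules]


# Constructed sample data for the mailbox john.smith@ctrlaltsecure.com.
OWNER = "john.smith@ctrlaltsecure.com"
SAMPLE_RULES = [
    {"name": "Copy HR mail home",
     "conditions": {"from_contains": ["hr@ctrlaltsecure.com"]},
     "forward_to": "j.smith73@example.com"},
    {"name": "Invoices",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "forward_to": "acctg.payments@randomdomain.net"},
    {"name": "PO approvals to Jane",
     "conditions": {"subject_contains": ["PO approval"]},
     "forward_to": "jane.doe@ctrlaltsecure.com"},
    {"name": "File invoices",
     "conditions": {"subject_contains": ["invoice"]},
     "move_to_folder": "Archive"},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_RULES, OWNER):
        print(f"{result['name']!r}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The verdicts mirror the text: the j.smith73@example.com rule comes out as likely legitimate, the keyword rule forwarding to an unrelated external address as malicious, and an internal forward to a colleague or a keyword rule that only files mail as something to confirm with the user. Treat "likely legitimate" as a prioritisation aid, not proof; the text's closing advice still applies.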