Before You Start: Get the Order Right
Malicious inbox rules are the most common persistence mechanism in business email compromise. For a deeper breakdown of why attackers use them and the abuse patterns to watch for, see our companion guide on Microsoft 365 mailbox rule abuse. This article is the hands-on runbook: the precise sequence of actions to take once you suspect a rule is malicious.
The One Mistake That Ruins the Investigation
Do not delete the rule first. The single most common error responders make is spotting a forwarding rule and immediately removing it. That destroys the rule definition — the exact keywords, external address, and actions — which is the evidence you need to understand what was exfiltrated, notify affected parties, and satisfy cyber-insurance and legal requirements. Snapshot first, then remove.
The workflow below assumes you are connected to Exchange Online PowerShell (Connect-ExchangeOnline) with an account that holds the appropriate eDiscovery or security-admin role, or that you are calling the Microsoft Graph API with MailboxSettings.ReadWrite permission.
Step 1
Confirm the Trigger and Scope the Mailbox
Every investigation starts with a trigger — a Defender Suspicious inbox forwarding alert, a New-InboxRule event in the Unified Audit Log, or a user report. Before touching rules, confirm the mailbox is actually compromised by correlating the rule activity with sign-in telemetry.
# Microsoft Graph PowerShell
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@domain.com'" |
    Select-Object CreatedDateTime, IpAddress, `
        @{n='Risk';e={$_.RiskLevelDuringSignIn}}, `
        @{n='City';e={$_.Location.City}} |
    Sort-Object CreatedDateTime -Descending | Select-Object -First 20

Note the timestamp of the suspicious sign-in. Any inbox rule created or modified shortly after a risky or impossible-travel login is your prime suspect. Record the affected UPN, the attacker IP, and the rule creation time — you will need these for the audit trail in Step 7.
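The correlation described above can be scripted rather than eyeballed. The function below is an added example, not code from the original article: it pulls New-InboxRule, Set-InboxRule and Enable-InboxRule events for one user from the Unified Audit Log, pairs each with the nearest preceding risky sign-in from Entra ID, and reports whether the two came from the same source IP. It assumes an open Connect-ExchangeOnline session and a Connect-MgGraph session with AuditLog.Read.All; the parameter names, the six-hour window and the seven-day lookback are illustrative choices.

```powershell
# Added example, not code from the original article. Correlates inbox-rule audit
# events for one mailbox with that user's risky sign-ins. Assumes an existing
# Connect-ExchangeOnline session and Connect-MgGraph with AuditLog.Read.All;
# $Upn, $WindowHours and $LookbackDays are illustrative parameters.
function Get-RuleEventsNearRiskySignIn {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [int]$WindowHours  = 6,   # how long after a risky sign-in a rule change counts as related
        [int]$LookbackDays = 7
    )
    $since    = (Get-Date).AddDays(-$LookbackDays)
    $sinceUtc = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

    # Sign-ins that Entra ID Protection rated medium or high risk (the Step 1 query, narrowed)
    $riskySignIns = Get-MgAuditLogSignIn -All `
        -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $sinceUtc" |
        Where-Object { $_.RiskLevelDuringSignIn -in @('medium', 'high') }

    # Rule creation/modification events for the same user from the Unified Audit Log
    $ruleEvents = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $Upn `
        -Operations 'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule' -ResultSize 5000

    foreach ($ev in $ruleEvents) {
        $data     = $ev.AuditData | ConvertFrom-Json          # per-event JSON payload
        $ruleName = ($data.Parameters | Where-Object Name -eq 'Name').Value
        $fwd      = ($data.Parameters |
            Where-Object { $_.Name -in @('ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') }).Value -join ';'
        # CreationTime in the audit record is UTC; compare everything in UTC
        $created  = [datetime]::SpecifyKind([datetime]$data.CreationTime, 'Utc')
        $ruleIp   = $data.ClientIP -replace ':\d+$', ''        # audit records append the source port

        # Nearest risky sign-in that precedes the rule change inside the window
        $match = $riskySignIns |
            Where-Object {
                $t = $_.CreatedDateTime.ToUniversalTime()
                $t -le $created -and $t -ge $created.AddHours(-$WindowHours)
            } |
            Sort-Object CreatedDateTime -Descending | Select-Object -First 1

        [pscustomobject]@{
            RuleName     = $ruleName
            Operation    = $data.Operation
            RuleChanged  = $created
            RuleClientIP = $ruleIp
            Forwarding   = $fwd
            RiskySignIn  = $match.CreatedDateTime   # $null when nothing matched
            SignInIP     = $match.IpAddress
            SameSourceIP = ($null -ne $match) -and ($match.IpAddress -eq $ruleIp)
            Suspect      = $null -ne $match
        }
    }
}

Get-RuleEventsNearRiskySignIn -Upn 'user@domain.com' | Format-Table -AutoSize
```

Rows with Suspect set to true, and especially SameSourceIP, are the rule changes to carry into Step 2; the RuleChanged timestamp and RuleClientIP columns are the values the Step 7 record needs. Search-UnifiedAuditLog returns at most 5000 records per call, so widen the lookback in smaller slices if a mailbox is noisier than that.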
Step 2
Preserve Evidence and Snapshot Every Rule
Capture a full copy of every inbox rule on the mailbox before making any changes. Export the complete definition so the forwarding address, keyword filters, and actions are preserved for forensics.
# Exchange Online PowerShell
$mbx = "user@domain.com"
# ./evidence must already exist; Export-Clixml does not create directories
Get-InboxRule -Mailbox $mbx |
    Select-Object Name, Enabled, Priority, From, SubjectContainsWords,
        BodyContainsWords, ForwardTo, RedirectTo, ForwardAsAttachmentTo,
        MoveToFolder, DeleteMessage, MarkAsRead, StopProcessingRules |
    Export-Clixml "./evidence/$($mbx)_inboxrules_$(Get-Date -Format yyyyMMdd_HHmm).xml"

Use Export-Clixml (not CSV) so nested action objects are preserved exactly. Store the file in a controlled evidence location. This snapshot is what makes every subsequent action reversible — if you remove a legitimate rule by mistake, you can recreate it precisely from this export.
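The reversibility the snapshot buys you is only real if you can rebuild a rule from it. The function below is an added example, not code from the original article: it reads the Export-Clixml file produced above, finds one rule by name, and recreates it with New-InboxRule, carrying over only the fields that were populated. Assumptions: the snapshot path and rule name are placeholders; recipient fields in the export have the form '"Display Name" [SMTP:user@example.com]' and are reduced to the bare address; the MoveToFolder value is passed through unchanged on the assumption that it still resolves in the mailbox.

```powershell
# Added example, not code from the original article. Recreates one rule from the
# Step 2 Export-Clixml snapshot with New-InboxRule, for the case where a legitimate
# rule was removed by mistake. Assumptions: the snapshot path and rule name below are
# placeholders; recipient fields in the export look like '"Name" [SMTP:addr]' and are
# reduced to the bare address; MoveToFolder is passed through unchanged.
function Restore-InboxRuleFromSnapshot {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$SnapshotPath,
        [Parameter(Mandatory)][string]$RuleName,
        [switch]$Preview            # return the rebuilt parameter set instead of creating the rule
    )
    $saved = Import-Clixml $SnapshotPath | Where-Object Name -eq $RuleName
    if (-not $saved) { throw "Rule '$RuleName' not found in $SnapshotPath" }

    # Reduce '"Display Name" [SMTP:user@example.com]' to user@example.com; keep plain values as-is
    $toSmtp = {
        param($list)
        foreach ($r in @($list)) {
            if ($r -match 'SMTP:([^\]\s]+)') { $Matches[1] } elseif ($r) { "$r" }
        }
    }

    # Build the New-InboxRule parameter set, carrying over only populated fields
    $params = @{ Mailbox = $Mailbox; Name = $saved.Name }
    foreach ($p in 'SubjectContainsWords', 'BodyContainsWords') {
        if ($saved.$p) { $params[$p] = @($saved.$p | ForEach-Object { "$_" }) }   # deserialized lists -> string[]
    }
    if ($saved.MoveToFolder) { $params['MoveToFolder'] = "$($saved.MoveToFolder)" }
    if ($saved.Priority)     { $params['Priority']     = [int]$saved.Priority }
    foreach ($p in 'From', 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') {
        $addrs = @(& $toSmtp $saved.$p)
        if ($addrs) { $params[$p] = $addrs }
    }
    foreach ($p in 'DeleteMessage', 'MarkAsRead', 'StopProcessingRules') {
        if ($saved.$p) { $params[$p] = $true }
    }

    if ($Preview) { return $params }
    $rule = New-InboxRule @params
    # New-InboxRule creates the rule enabled; honour the state recorded in the snapshot
    if (-not $saved.Enabled) { Disable-InboxRule -Mailbox $Mailbox -Identity $rule.Identity -Confirm:$false }
    $rule
}

Restore-InboxRuleFromSnapshot -Mailbox 'user@domain.com' `
    -SnapshotPath './evidence/user@domain.com_inboxrules_20240101_0900.xml' `
    -RuleName 'Newsletters' -Preview
```

Run it with -Preview first and compare the returned hashtable against the snapshot entry before creating anything; the restored rule gets a new identity, so the original rule's Identity value in the snapshot remains the forensic reference, not the recreated one.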
Step 3
Analyze Each Rule Against Malicious Indicators
With the snapshot safe, inspect each rule. Score it against the high-confidence indicators below — the more that match, the more certain the rule is malicious.
External forward/redirect: any ForwardTo, RedirectTo, or ForwardAsAttachmentTo pointing to a domain outside your tenant.
Destructive action + security keywords: DeleteMessage or MarkAsRead combined with filters on password, security, sign-in, phishing.
Move-to-obscure-folder: MoveToFolder targeting RSS Feeds, Conversation History, or Archive to hide replies.
Blank or junk name: rules named ".", ",", or a single character, created around the suspicious sign-in time.
Preserve legitimate rules. A user forwarding newsletters to a personal folder is not an incident. The goal is to action high-confidence malicious rules while leaving normal business rules intact — blanket deletion causes its own outage.
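The indicator list above is easy to turn into a repeatable score so that two responders reach the same verdict. The function below is an added example, not code from the original article: it takes Get-InboxRule objects (or the deserialized Step 2 snapshot), tests each of the four indicators, and returns a score with the reasons that fired. It assumes the tenant's internal domains come from Get-AcceptedDomain, that recipient fields carry the '"Name" [SMTP:addr]' form shown by Get-InboxRule, and that MoveToFolder is a string containing the folder path. The two sample rules at the end are constructed so the block runs offline; the creation-time part of indicator 4 is not scored here because Get-InboxRule does not expose it (it comes from the audit log in Step 1).

```powershell
# Added example, not code from the original article. Scores inbox rules against the
# four indicators from Step 3. Internal domains are assumed to come from
# Get-AcceptedDomain; the sample rules at the bottom are constructed for illustration.
function Get-SmtpAddresses {
    # Get-InboxRule renders recipients as '"Display Name" [SMTP:user@example.com]';
    # return the bare addresses, skipping empty entries, keeping plain strings as-is
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ([string]::IsNullOrWhiteSpace($r)) { continue }
        if ($r -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { $r }
    }
}

function Get-InboxRuleScore {
    param(
        [Parameter(Mandatory)]$Rule,
        [Parameter(Mandatory)][string[]]$InternalDomains
    )
    $reasons        = [System.Collections.Generic.List[string]]::new()
    $keywordPattern = 'password|security|sign-?in|phish'
    $obscureFolders = 'RSS Feeds|Conversation History|Archive'

    # 1. External forward/redirect: any recipient outside the tenant's accepted domains
    $recipients = @($Rule.ForwardTo, $Rule.RedirectTo, $Rule.ForwardAsAttachmentTo) |
        ForEach-Object { $_ } | Where-Object { $_ }          # flatten and drop nulls
    $external = Get-SmtpAddresses $recipients |
        Where-Object { ($_ -split '@')[-1] -notin $InternalDomains }
    if ($external) { $reasons.Add("External forward to: $($external -join ', ')") }

    # 2. Destructive action combined with security-themed keyword filters
    $keywords = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) | Where-Object { $_ }
    if (($Rule.DeleteMessage -or $Rule.MarkAsRead) -and ($keywords -match $keywordPattern)) {
        $reasons.Add("Delete/MarkAsRead on security keywords: $($keywords -join ', ')")
    }

    # 3. Moves replies into a folder users rarely open
    if ($Rule.MoveToFolder -and ("$($Rule.MoveToFolder)" -match $obscureFolders)) {
        $reasons.Add("Moves mail to obscure folder: $($Rule.MoveToFolder)")
    }

    # 4. Blank, punctuation-only or single-character name
    if ([string]::IsNullOrWhiteSpace($Rule.Name) -or $Rule.Name.Trim().Length -le 1) {
        $reasons.Add("Junk rule name: '$($Rule.Name)'")
    }

    $verdict = if ($reasons.Count -ge 2) { 'malicious' } elseif ($reasons.Count -eq 1) { 'review' } else { 'benign' }
    [pscustomobject]@{
        Name    = $Rule.Name
        Enabled = $Rule.Enabled
        Score   = $reasons.Count
        Verdict = $verdict
        Reasons = $reasons -join ' | '
    }
}

# Live use: score every rule on the mailbox
# $internal = (Get-AcceptedDomain).DomainName
# Get-InboxRule -Mailbox 'user@domain.com' | ForEach-Object { Get-InboxRuleScore -Rule $_ -InternalDomains $internal }

# Offline use against constructed sample rules (not real data)
$sampleInternal = @('domain.com')
$sampleRules = @(
    [pscustomobject]@{ Name = '.'; Enabled = $true
        ForwardTo = @('"attacker" [SMTP:drop@evil.example]'); RedirectTo = $null; ForwardAsAttachmentTo = $null
        SubjectContainsWords = @('password', 'invoice'); BodyContainsWords = $null
        MoveToFolder = 'user@domain.com:\RSS Feeds'; DeleteMessage = $true; MarkAsRead = $false },
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true
        ForwardTo = $null; RedirectTo = $null; ForwardAsAttachmentTo = $null
        SubjectContainsWords = @('newsletter'); BodyContainsWords = $null
        MoveToFolder = 'user@domain.com:\Reading'; DeleteMessage = $false; MarkAsRead = $true }
)
$sampleRules | ForEach-Object { Get-InboxRuleScore -Rule $_ -InternalDomains $sampleInternal } | Format-Table -AutoSize
```

Against the constructed samples the junk-named forwarding rule trips all four indicators and the newsletter rule none, which is the distinction the paragraph above is after: a rule scoring 2 or more is actioned in Step 4, a rule scoring 1 goes to a human, and a 0 is left alone. Tune the keyword and folder patterns to your own language and folder names before relying on the score.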
Step 4
Disable the Malicious Rule Immediately
Disabling stops the rule from running instantly while keeping it intact for any final review. Do this the moment you confirm intent — every minute a forwarding rule stays active is more data leaving your tenant.
# Exchange Online PowerShell
Disable-InboxRule -Mailbox "user@domain.com" -Identity "RuleName"
# Confirm it is now disabled
Get-InboxRule -Mailbox "user@domain.com" -Identity "RuleName" |
    Select-Object Name, Enabled

In parallel, contain the account itself — revoke sessions and reset credentials — so the attacker cannot simply recreate the rule. See our Entra ID account takeover playbook for the full containment sequence.
Step 5
Remove the Rule and Clear Unauthorized Forwarding
Once contained and captured, remove the rule. Then check for the forwarding attackers set at the mailbox level, which inbox-rule enumeration alone will miss.
# Remove the malicious inbox rule
Remove-InboxRule -Mailbox "user@domain.com" -Identity "RuleName" -Confirm:$false
# Clear mailbox-level forwarding (a separate attacker technique)
Set-Mailbox -Identity "user@domain.com" `
    -ForwardingSMTPAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false

# Microsoft Graph equivalent for removing the inbox rule
DELETE https://graph.microsoft.com/v1.0/users/{id}/mailFolders/inbox/messageRules/{ruleId}
Authorization: Bearer <token>   # requires MailboxSettings.ReadWrite

Attackers frequently set both an inbox rule and mailbox-level forwarding so that removing one leaves the other running. Always clear both.
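Clearing forwarding on the one mailbox you are working on is the minimum; the same attacker may have set mailbox-level forwarding elsewhere, or a transport rule that copies mail out of the tenant, and neither shows up in Get-InboxRule. The function below is an added example, not code from the original article: it sweeps every mailbox for ForwardingSmtpAddress or ForwardingAddress and every transport rule for redirect, copy or blind-copy actions, and flags targets outside the tenant's accepted domains. It assumes an open Connect-ExchangeOnline session, that Get-EXOMailbox server-side filters are available, and that transport-rule recipient fields render as SMTP addresses.

```powershell
# Added example, not code from the original article. Hunts the tenant for forwarding
# that inbox-rule enumeration misses: mailbox-level forwarding (set via Set-Mailbox)
# and transport rules that redirect, copy or blind-copy mail. Accepted domains are
# assumed to come from Get-AcceptedDomain.
function Find-TenantForwarding {
    $internal = (Get-AcceptedDomain).DomainName

    # 1. Mailbox-level forwarding; the server-side filter keeps this fast on large tenants
    Get-EXOMailbox -ResultSize Unlimited `
        -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward `
        -Filter 'ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null' |
        ForEach-Object {
            $smtp   = "$($_.ForwardingSmtpAddress)" -replace '^smtp:', ''   # stored as smtp:user@example.com
            $target = if ($smtp) { $smtp } else { "$($_.ForwardingAddress)" }
            [pscustomobject]@{
                Source   = 'Mailbox'
                Object   = $_.PrimarySmtpAddress
                Target   = $target
                External = [bool]$smtp -and (($smtp -split '@')[-1] -notin $internal)
                KeepCopy = $_.DeliverToMailboxAndForward
            }
        }

    # 2. Transport (mail flow) rules that redirect, copy or blind-copy messages
    Get-TransportRule -ResultSize Unlimited |
        Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
        ForEach-Object {
            $targets  = @($_.RedirectMessageTo, $_.BlindCopyTo, $_.CopyTo) |
                ForEach-Object { $_ } | Where-Object { $_ } | ForEach-Object { "$_" }
            $external = @($targets | Where-Object { ($_ -split '@')[-1] -notin $internal })
            [pscustomobject]@{
                Source   = 'TransportRule'
                Object   = $_.Name
                Target   = $targets -join ';'
                External = $external.Count -gt 0
                KeepCopy = -not $_.RedirectMessageTo       # redirect replaces delivery; copy/BCC keep it
            }
        }
}

# Show only forwarding that leaves the tenant
Find-TenantForwarding | Where-Object External | Format-Table -AutoSize
```

ForwardingAddress always points at a recipient inside the tenant, so only ForwardingSmtpAddress is tested for an external domain; an internal ForwardingAddress still deserves a look if the target mailbox is one the attacker controls. Anything this returns that nobody can vouch for gets the same Set-Mailbox clearing shown above, or Remove-TransportRule after the rule definition has been captured.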
Step 6
Verify Removal Across the Tenant
Never close the ticket on assumption. Confirm the rule is gone, the removal committed to the audit log, and no forwarding remains anywhere in the tenant.
# 1. Confirm the rule is gone for the mailbox
Get-InboxRule -Mailbox "user@domain.com"
# 2. Confirm the removal committed in the Unified Audit Log
Search-UnifiedAuditLog -Operations "Remove-InboxRule" `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)
# 3. Hunt every mailbox for remaining external forwarding
Get-EXOMailbox -ResultSize Unlimited |
    ForEach-Object {
        Get-InboxRule -Mailbox $_.PrimarySmtpAddress |
            Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
            Select-Object @{n='Mailbox';e={$_.MailboxOwnerId}}, Name, ForwardTo, RedirectTo
    }

The tenant-wide sweep (item 3 in the block above) catches the common case where the same attacker planted rules in multiple mailboxes. If you find others, run this same workflow for each one.
Step 7
Document, Hunt, and Harden
Close the loop with a record and a hardening action so the same rule cannot reappear:
- Document the rule definition, external address, creation time, attacker IP, and every action taken — pulled from your Step 2 snapshot and Step 1 telemetry.
- Notify anyone whose data may have been exfiltrated through the forwarding rule, and flag any in-flight financial threads for verification.
- Harden by blocking automatic external forwarding tenant-wide in the Defender outbound spam policy, enforcing phishing-resistant MFA, and enabling continuous inbox-rule monitoring against a known-good baseline.
For the full set of preventive controls, see our guide on detecting and fixing risky Microsoft 365 settings automatically.
Run This Entire Workflow Automatically with BitLyft AIR®
Every step above — trigger, scope, snapshot, analyze, disable, remove, verify, and document — can be executed by BitLyft AIR® in under a minute. It triggers on Defender suspicious-rule alerts and New-InboxRule audit events, preserves a forensic copy of every rule before acting, removes only high-confidence malicious rules, clears mailbox forwarding, and verifies the tenant is clean — all while leaving legitimate business rules untouched.
Snapshot-Then-Remove
Captures a full forensic copy of every rule before disabling and removing it — every action is reversible
Confidence Scoring
Actions only high-confidence malicious rules and preserves legitimate business rules to avoid disruption
Tenant-Wide Verification
Sweeps every mailbox for remaining forwarding and confirms removal in the Unified Audit Log
Automatic Documentation
Generates complete incident records with rule definitions, timestamps, and SIEM-ready IOC export
Frequently Asked Questions
What is the first step when I suspect a malicious inbox rule?
Before touching the rule, scope the compromise and capture evidence. Identify the affected mailbox, pull its sign-in and audit history, then snapshot every existing inbox rule with Get-InboxRule so you have a forensic copy of the rule definition. Removing a rule before capturing it destroys evidence you will need for the investigation, insurance, or legal review. Only after the snapshot should you disable and remove the malicious rule.
How do I list all inbox rules for a compromised mailbox?
Connect to Exchange Online PowerShell and run Get-InboxRule -Mailbox user@domain.com | Format-List to see every rule and its full definition, including ForwardTo, RedirectTo, DeleteMessage, and MoveToFolder actions. For tenant-wide review, iterate Get-InboxRule across every mailbox returned by Get-EXOMailbox, or query the Microsoft Graph API messageRules endpoint per user.
How do I remove a malicious inbox rule?
Use Remove-InboxRule -Mailbox user@domain.com -Identity 'RuleName' in Exchange Online PowerShell, or DELETE the rule via the Microsoft Graph messageRules endpoint. Always disable the rule first with Disable-InboxRule and capture a full copy of its definition before deleting, so the action is reversible and the evidence is preserved.
How do I verify the rule is actually gone across the tenant?
Re-run Get-InboxRule for the affected mailbox and confirm the rule no longer appears, then check the Unified Audit Log for the Remove-InboxRule operation to confirm it committed. Also verify no tenant-level or transport forwarding remains by checking ForwardingSMTPAddress and ForwardingAddress on the mailbox and reviewing outbound spam and transport rules.
Can this entire workflow be automated?
Yes. A security automation platform can trigger on a Defender suspicious-rule alert or a New-InboxRule audit event, automatically enumerate and score the rule, snapshot it for forensics, disable and remove high-confidence malicious rules, clear unauthorized forwarding, and verify removal—completing the entire runbook in under a minute while preserving a full audit trail and leaving legitimate business rules untouched.