Why Mailbox Rules Are an Attacker's Favorite Hiding Place
Inbox rules are a legitimate, everyday feature of Microsoft 365 — users create them to organize mail, forward messages to assistants, or file newsletters. That ubiquity is exactly what makes them so dangerous in the hands of an attacker. A single rule, created in seconds, can quietly defeat your detection capability and outlive a password reset. Inbox rules persist at the mailbox level, so they keep running even after the compromised credentials are rotated.
In a typical business email compromise (BEC) attack, the malicious rule is the persistence mechanism that turns a one-time credential theft into an ongoing intrusion. These are the four rule-abuse patterns your team will encounter most often:
External Forwarding / Exfiltration
A rule that forwards or redirects all incoming mail — or only mail matching keywords like "invoice" or "wire" — to an external attacker-controlled address. The data keeps leaking even after the account password is reset.
Alert Suppression / Auto-Delete
A rule that permanently deletes or marks-as-read messages containing terms like "security alert", "sign-in", or "password", so the real user never sees Microsoft's warnings that their account is compromised.
Move-to-Obscure-Folder
A rule that moves replies and notifications into rarely-checked folders like RSS Feeds, Conversation History, or Archive. The conversation continues without the legitimate user ever noticing.
Conversation Hijack Filtering
A rule targeting a specific vendor or finance contact, redirecting their replies to the attacker so they can insert themselves into an active payment thread and reroute a wire transfer — all while the victim sees a seemingly normal inbox.
The Cost of Missing a Malicious Rule
70% of BEC attacks involve a malicious inbox rule for persistence
9 sec: time it takes an attacker to create a forwarding rule after login
30+ days: median time a hidden exfiltration rule runs before discovery
A password reset alone does not stop a malicious inbox rule. Unless the rule is found and removed, the attacker keeps a window into the mailbox. This is why mailbox rule review must be a mandatory, automated step in every account takeover and BEC response.
Detection Signals That Should Trigger Automated Review
Effective detection combines Microsoft's native alerts with audit-log telemetry and rule content analysis. These are the highest-signal indicators that should feed your response playbook:
Defender Alert: Suspicious Inbox Forwarding / Manipulation Rule
Microsoft Defender for Office 365 and Defender XDR raise "Suspicious inbox forwarding" and "Suspicious inbox manipulation rule" alerts when ML detects risky rule creation. These should be a primary automated trigger.
New-InboxRule / Set-InboxRule in the Unified Audit Log
Every rule creation and modification is logged as a New-InboxRule or Set-InboxRule operation in the Microsoft 365 Unified Audit Log. Correlate these events with risky sign-in or impossible-travel alerts on the same account to confirm malicious intent.
External Forwarding / Redirect Action
Any rule with a ForwardTo, RedirectTo, or ForwardAsAttachmentTo action pointing to a domain outside your organization is high-risk by default and should be flagged immediately, regardless of who created it.
Suspicious Keywords + Destructive Actions
Rules that filter on security-related keywords (password, security, alert, phishing, helpdesk) combined with a DeleteMessage, MarkAsRead, or MoveToFolder action are almost always malicious — legitimate users rarely auto-delete security mail.
Blank-Named or Single-Character Rules
Attackers frequently name rules ".", "..", or leave them blank to make them harder to spot in Outlook's rule list. A non-descriptive rule name paired with a forwarding or delete action is a reliable indicator of abuse.
The Automated Mailbox Rule Cleanup Playbook
When any of the above signals fire, this playbook should execute automatically. Containment steps run without analyst intervention; permanent deletion is gated behind a forensic snapshot so nothing is lost and every action is reversible.
Mailbox Rule Cleanup Playbook
Trigger and Enumerate
Fully Automated
On alert ingestion, enumerate every inbox rule on the affected mailbox (and optionally tenant-wide if multiple accounts are implicated) via Microsoft Graph or Exchange Online PowerShell:
# Microsoft Graph API - list all rules for a mailbox
GET https://graph.microsoft.com/v1.0/users/{userId}/mailFolders/inbox/messageRules
# Exchange Online PowerShell - enumerate every mailbox
Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.PrimarySmtpAddress |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo,
                      RedirectTo, DeleteMessage, MoveToFolder
}
Score Each Rule for Malicious Intent
Fully Automated
Apply a confidence score to every rule so legitimate business rules are preserved and only high-risk rules are actioned. Weight the following signals:
- External forward/redirect destination (highest weight)
- Destructive action (delete / permanent delete / mark-as-read)
- Security-related keyword filters in the rule conditions
- Rule created within the alert window from a risky / unfamiliar IP
- Blank or single-character rule name
Snapshot the Rule for Forensics
Fully Automated
Before any rule is disabled or deleted, capture a complete copy of its definition — name, conditions, actions, destination addresses, and creation timestamp — into the incident record. This preserves evidence and makes every action reversible.
# Export the full rule definition to the incident's forensics folder
Get-InboxRule -Mailbox $mailbox -Identity $ruleId |
    ConvertTo-Json -Depth 5 |
    Out-File "./forensics/$mailbox-$ruleId.json"
Disable or Remove the Malicious Rule
Fully Automated
For high-confidence malicious rules, disable immediately to stop the bleeding, then remove after the snapshot is stored. Disabling is instant and fully reversible:
# Step 1: Disable instantly (reversible)
Disable-InboxRule -Mailbox $mailbox -Identity $ruleId
# Step 2: Remove after forensic snapshot is confirmed stored
Remove-InboxRule -Mailbox $mailbox -Identity $ruleId -Confirm:$false
Check for Tenant-Wide Forwarding Settings
Fully Automated
Attackers also abuse mailbox-level forwarding (ForwardingSmtpAddress), which is separate from inbox rules. Audit and clear any unauthorized mailbox forwarding, and confirm the tenant's outbound anti-spam policy blocks automatic external forwarding:
# Find mailboxes with external forwarding configured
# (ForwardingSmtpAddress is not in Get-EXOMailbox's default property set, so request it explicitly)
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress |
    Where-Object { $null -ne $_.ForwardingSmtpAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress
# Clear unauthorized forwarding
Set-Mailbox -Identity $mailbox -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false
Document, Notify, and Close
Fully Automated
Automatically generate a complete incident record with:
- Full forensic snapshot of every removed rule with conditions, actions, and destinations
- Timeline: rule creation time, detection time, disable time, deletion time
- External forwarding destinations exported as IOCs for SIEM ingestion
- Notification to the affected user and SOC confirming the malicious rule was removed
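The scoring in step 2 of this playbook, and the detection signals listed above, as an added worked example in Python over the JSON shape returned by the Graph messageRules endpoint (this is not BitLyft's or Microsoft's code; ORG_DOMAINS, the weights, the HIGH_RISK threshold and SAMPLE_RULES are assumptions constructed for the demonstration):

```python
"""Confidence scoring for Microsoft Graph messageRule objects (added example,
not BitLyft's or Microsoft's code). Rule shape follows the Graph messageRules
resource; ORG_DOMAINS, WEIGHTS, HIGH_RISK and SAMPLE_RULES are assumptions."""
ORG_DOMAINS = {"contoso.com"}
SECURITY_KEYWORDS = ("password", "security", "alert", "phishing", "helpdesk", "sign-in")
WEIGHTS = {"external_forward": 50, "destructive": 25, "keywords": 15,
           "alert_window": 15, "blank_name": 10, "move_to_folder": 10}
HIGH_RISK = 50  # rules scoring at or above this are actioned

def external_recipients(actions):
    """Addresses in forwardTo/redirectTo/forwardAsAttachmentTo outside ORG_DOMAINS."""
    found = []
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for rcpt in actions.get(key) or []:
            addr = rcpt["emailAddress"]["address"].lower()
            if addr.rsplit("@", 1)[-1] not in ORG_DOMAINS:
                found.append(addr)
    return found

def score_rule(rule, created_in_alert_window=False):
    """Return (score, reasons). The caller sets created_in_alert_window from the
    New-InboxRule audit event correlated with a risky sign-in on the account."""
    actions, conds = rule.get("actions") or {}, rule.get("conditions") or {}
    reasons = []
    if external_recipients(actions):
        reasons.append("external_forward")
    if any(actions.get(k) for k in ("delete", "permanentDelete", "markAsRead")):
        reasons.append("destructive")
    terms = [t.lower() for k in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for t in conds.get(k) or []]
    if any(kw in t for t in terms for kw in SECURITY_KEYWORDS):
        reasons.append("keywords")
        if actions.get("moveToFolder"):  # security mail hidden in an obscure folder
            reasons.append("move_to_folder")
    if created_in_alert_window:
        reasons.append("alert_window")
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 1 or set(name) <= {"."}:  # "", ".", "..": blank or single-char name
        reasons.append("blank_name")
    return sum(WEIGHTS[r] for r in reasons), reasons

def is_high_risk(rule, created_in_alert_window=False):
    return score_rule(rule, created_in_alert_window)[0] >= HIGH_RISK

SAMPLE_RULES = [  # constructed sample rules
    {"id": "r1", "displayName": ".", "conditions": {"subjectContains": ["password", "security alert"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}], "delete": True}},
    {"id": "r2", "displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "AAMk-folder-id", "stopProcessingRules": True}},
]
```

The reasons list doubles as the evidence written into the incident record, so an analyst can see which signals drove the verdict.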
Automated vs. Manual Response Time
Manual (enumerate rules → identify → remove): 2 - 6 hrs
Automated (detection → snapshot → disable + remove): < 60 sec
Hardening Your Posture to Reduce Future Rule Abuse
Automated response handles active abuse. Proactive hardening reduces how often attackers can create a working malicious rule in the first place. Build these into your post-incident hardening playbook:
Block Automatic External Forwarding
Set your Defender for Office 365 outbound spam policy to block automatic external forwarding tenant-wide. This single setting neutralizes the most damaging class of malicious inbox rule — silent data exfiltration — even if a rule is created.
Enforce Phishing-Resistant MFA
Malicious inbox rules are a post-compromise artifact — they require a successful account takeover first. Enforcing phishing-resistant MFA (FIDO2 / passkeys) via Conditional Access cuts off the credential theft that makes rule abuse possible.
Continuous Rule Monitoring
Do not wait for an alert. Continuously enumerate inbox rules across the tenant and diff against a known-good baseline. Any new external-forwarding or destructive rule should generate an immediate detection, independent of Microsoft's native alerting.
Enable Mailbox Auditing
Confirm mailbox auditing is enabled tenant-wide so that New-InboxRule and Set-InboxRule operations are reliably captured in the Unified Audit Log. Without auditing, you lose the primary telemetry for detecting and investigating rule abuse.
How BitLyft AIR® Automates Mailbox Rule Cleanup
BitLyft AIR® continuously enumerates inbox rules across your tenant and ingests Defender suspicious-rule alerts, then executes this entire playbook automatically — enumerate, score, snapshot, disable, remove, and clear unauthorized forwarding — in under 60 seconds. Every removed rule is preserved in a forensic record and every action is reversible.
Tenant-Wide Rule Visibility
Continuously enumerates and baselines inbox rules across every mailbox so new malicious rules surface instantly
Snapshot-Then-Remove
Captures a full forensic copy of every rule before disabling and removing it — nothing is lost and every action is reversible
Confidence Scoring
Preserves legitimate business rules and only actions high-confidence malicious rules, avoiding disruptive false positives
Full Audit Trail
Complete incident documentation with rule definitions, timestamps, and SIEM-ready IOC export generated automatically
Frequently Asked Questions
Why do attackers create inbox rules after compromising a Microsoft 365 account?
Attackers create malicious inbox rules to stay hidden and maintain persistence. Rules that auto-delete or move security alerts, password reset notifications, and replies from finance teams let the attacker operate undetected inside a compromised mailbox. Forwarding rules silently exfiltrate sensitive email to an external address even after the password is reset. The inbox rule is often the single most overlooked artifact in a business email compromise investigation.
What are the most common signs of a malicious inbox rule?
The highest-signal indicators are: rules that forward or redirect mail to an external domain, rules that move messages to obscure folders like RSS Feeds or Conversation History, rules that permanently delete messages, rules with suspicious keyword filters (invoice, payment, password, security, phishing), and rules created shortly after a risky sign-in or from an unusual IP. Rules with blank or single-character names are also a strong tell.
Can Microsoft 365 detect malicious inbox rules automatically?
Microsoft Defender for Office 365 and Microsoft Defender XDR generate alerts such as 'Suspicious inbox forwarding' and 'Suspicious inbox manipulation rule' when machine learning flags risky rule activity. However, these alerts only cover a subset of abuse patterns and still require an analyst to investigate and remediate. Full coverage requires combining these alerts with the Unified Audit Log and automated response.
How do I find inbox rules across every mailbox in my tenant?
Use the Exchange Online PowerShell cmdlet Get-InboxRule iterated across every mailbox returned by Get-EXOMailbox, or query the Microsoft Graph API messageRules endpoint per user. Manually this can take hours for a large tenant. Automation platforms run this enumeration continuously and flag new or modified rules in near real time.
Is it safe to automatically delete inbox rules?
Deleting a clearly malicious rule (external forwarding, auto-delete of security mail) is low-risk and reversible if you snapshot the rule first. The safest automation pattern is to disable the rule, capture a full copy of its definition for forensics, then alert an analyst before permanent deletion. Legitimate business rules should be preserved, so automated cleanup must use confidence scoring rather than blanket deletion.