Advanced
Lesson 4 of 35 · ~8 min

Incident type: malicious inbox rule and suspicious forwarding

Attackers create inbox rules within minutes of getting access because rules are durable. Even after the attacker loses access, the rule keeps forwarding mail.

Malicious inbox rules and suspicious forwarding are the most common single-action artefact of an identity compromise. Attackers create them within minutes of getting access because they are durable. Even if the attacker loses access later, the rule keeps forwarding mail. The two failure modes: missing the rule (because the Evidence describes it in mailbox-rule vocabulary you have not seen before) and removing only part of it (because there is a rule and a separate forwarder, and you only spotted one).

Inbox rules are mailbox-level rules the user (or an attacker as the user) creates. They act on incoming mail: forward to an external address, move to a hidden folder, mark as read, delete.

Mailbox forwarders are tenant-level or mailbox-level configurations. M365 has ForwardingSmtpAddress (mailbox-level) and ForwardingAddress (delegated) as the two main mechanisms. Forwarders apply to all incoming mail and do not show up in the user’s normal Outlook rules interface.

The two mechanisms can be set up together. An attacker who creates a forwarding inbox rule and configures ForwardingSmtpAddress has two paths to exfiltrate mail. Removing the rule but not the forwarder leaves the second path intact.

Common malicious patterns

PatternHow it works
Forward and hideRule forwards mail with keywords (invoice, payment, wire) to an external address, then deletes or moves the original to a hidden folder
Suppress security alertsRule moves emails from security@microsoft.com or MFA-notification senders to a hidden folder and marks as read
Fake auto-replyRule sends “I am out of office, please contact…” to specific contacts the attacker wants to social-engineer
Stealth forwarderForwardingSmtpAddress set to external address with DeliverToMailboxAndForward: true so the user still sees their mail and does not notice

Hidden folders attackers use include “RSS Subscriptions,” “Conversation History,” and folders named ”.” (a single dot). These are rarely visited by users, which is the point.

The response discipline

When the Recommendation says “remove malicious inbox rule,” check whether ForwardingSmtpAddress or ForwardingAddress is also set. If they are and were not already in the Recommendation, reply to the SOC: “Mailbox-level forwarder also configured to the same external address. Should this be removed as part of the response?” The additional finding goes back to the layer that decides, not into unilateral action.

The compromise playbook (lesson 11 in this course) handles both inbox-rule removal and forwarder removal together.

A worked scenario

High-severity ITDR on accounts.payable@example.com. Evidence describes a rule named “AP Filter” that forwards *invoice* mail to accounts-payable-backup@example.net (note the lookalike domain) and moves originals to RSS Subscriptions. Recommendation: revoke sessions, reset password and MFA, remove the malicious inbox rule.

Inbox rule removed. Is the playbook complete?
The Recommendation named the inbox rule. You removed it. Before declaring done, check whether a second mechanism is present.
You check the mailbox. ForwardingSmtpAddress is also set to the same external address with DeliverToMailboxAndForward: true. The Recommendation did not mention it.
User-created does not mean legitimate

If the user’s account was compromised at the time, the user is the one who created the rule in the audit log. The Timeline view (lesson 2) tells you whether the rule creation correlates with a suspicious sign-in. Do not dismiss a rule as user-created without checking the Timeline.

Loading quiz…
Next lesson