Incident type: malicious inbox rule and suspicious forwarding
Attackers create inbox rules within minutes of getting access because rules are durable. Even after the attacker loses access, the rule keeps forwarding mail.
Malicious inbox rules and suspicious forwarding are the most common single-action artefact of an identity compromise. Attackers create them within minutes of getting access because they are durable. Even if the attacker loses access later, the rule keeps forwarding mail. The two failure modes: missing the rule (because the Evidence describes it in mailbox-rule vocabulary you have not seen before) and removing only part of it (because there is a rule and a separate forwarder, and you only spotted one).
Two related mechanisms
Inbox rules are mailbox-level rules the user (or an attacker as the user) creates. They act on incoming mail: forward to an external address, move to a hidden folder, mark as read, delete.
Mailbox forwarders are tenant-level or mailbox-level configurations. M365 has ForwardingSmtpAddress (mailbox-level) and ForwardingAddress (delegated) as the two main mechanisms. Forwarders apply to all incoming mail and do not show up in the user’s normal Outlook rules interface.
The two mechanisms can be set up together. An attacker who creates a forwarding inbox rule and configures ForwardingSmtpAddress has two paths to exfiltrate mail. Removing the rule but not the forwarder leaves the second path intact.
Common malicious patterns
| Pattern | How it works |
|---|---|
| Forward and hide | Rule forwards mail with keywords (invoice, payment, wire) to an external address, then deletes or moves the original to a hidden folder |
| Suppress security alerts | Rule moves emails from security@microsoft.com or MFA-notification senders to a hidden folder and marks as read |
| Fake auto-reply | Rule sends “I am out of office, please contact…” to specific contacts the attacker wants to social-engineer |
| Stealth forwarder | ForwardingSmtpAddress set to external address with DeliverToMailboxAndForward: true so the user still sees their mail and does not notice |
Hidden folders attackers use include “RSS Subscriptions,” “Conversation History,” and folders named ”.” (a single dot). These are rarely visited by users, which is the point.
The response discipline
When the Recommendation says “remove malicious inbox rule,” check whether ForwardingSmtpAddress or ForwardingAddress is also set. If they are and were not already in the Recommendation, reply to the SOC: “Mailbox-level forwarder also configured to the same external address. Should this be removed as part of the response?” The additional finding goes back to the layer that decides, not into unilateral action.
The compromise playbook (lesson 11 in this course) handles both inbox-rule removal and forwarder removal together.
A worked scenario
High-severity ITDR on accounts.payable@example.com. Evidence describes a rule named “AP Filter” that forwards *invoice* mail to accounts-payable-backup@example.net (note the lookalike domain) and moves originals to RSS Subscriptions. Recommendation: revoke sessions, reset password and MFA, remove the malicious inbox rule.