Risky Inbox Forwarding Rules: Data Exfiltration & Post-Compromise Persistence

Why this risk matters

Inbox forwarding rules are one of the most reliable post-compromise persistence techniques used by attackers after gaining access to a mailbox. Once created, these rules silently redirect or copy email to an attacker-controlled address — often without the mailbox owner ever noticing.

Unlike mailbox-level SMTP forwarding, inbox rules are created within the mailbox itself and may not appear in standard admin views. They can be created through Outlook, Outlook on the Web, or via the Graph API, and they continue operating silently until explicitly removed. Even after the initial compromise is resolved — password reset, MFA enforced — the rules continue forwarding mail if they are not found and deleted.

Overe detects inbox forwarding rules that forward to external addresses, rules that redirect mail based on keywords, and rules that delete or suppress incoming messages — a common technique used to hide security notifications from a compromised user.

What happens if this is abused

  • All incoming email for a compromised mailbox forwarded to an attacker-controlled address without the user's awareness
  • Forwarding continues operating after the initial compromise is resolved through password reset or MFA enforcement
  • Business communications, client data, and sensitive attachments exfiltrated without further access required
  • Security notifications, password reset emails, or MFA prompts deleted or redirected before the user sees them
  • Attacker maintains ongoing intelligence access to the organisation's communications long after the breach
  • Rules used to suppress security alerts sent to the compromised user, extending the attacker's dwell time

When this is expected or acceptable

Inbox forwarding rules do have legitimate uses. Personal productivity rules, auto-archiving to external systems, and integration with ticketing or helpdesk platforms are all common examples.

A rule forwarding to a known business system — a ticketing platform, a monitoring tool, or a documented vendor address — is typically legitimate. A rule forwarding to a consumer email domain or an unknown external address, particularly one created recently or at the same time as a suspicious sign-in, should be treated as suspicious until verified.

Rules that suppress or delete incoming email, rather than forwarding it, are a stronger indicator of malicious intent and should always be investigated.

Checks to perform before taking action

Before modifying or removing any inbox forwarding rule:

  • Identify when the rule was created and whether it coincides with any suspicious sign-in activity or Overe alerts for that user
  • Confirm who created the rule — the mailbox owner, a delegate, or an administrator
  • Validate whether the destination address maps to a known business system or vendor
  • Check the mailbox for other suspicious rules including those that delete, move, or mark messages as read
  • Review the mailbox owner's sign-in history for unfamiliar locations or devices around the time the rule was created
  • Cross-reference with any related Defender incidents or Overe risk signals for the account
  • Confirm with the mailbox owner whether they recognise and intentionally created the rule
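The following script is an added example, not Overe's own code or detection logic. It shows how the checks above (destination domain, delete/suppress actions, keyword conditions that single out security mail) can be applied to the JSON that Microsoft Graph returns from `GET /users/{id}/mailFolders/inbox/messageRules`. The sample rules, the domain lists (`contoso.example`, `helpdesk-vendor.example`) and the severity thresholds are constructed assumptions; the field names (`forwardTo`, `redirectTo`, `delete`, `markAsRead`, `subjectContains`, and so on) are those of the Graph `messageRule` resource.

```python
"""Triage Microsoft Graph inbox rules (messageRule objects) for the risky patterns
described on this page: forwarding or redirecting to consumer/unknown external
domains, deleting or hiding messages, and conditions aimed at security mail.
Added example; domain lists and sample data below are constructed."""
import json
from dataclasses import dataclass, field

# Hypothetical tenant domains and documented business systems (assumptions).
INTERNAL_DOMAINS = {"contoso.example"}
APPROVED_EXTERNAL_DOMAINS = {"helpdesk-vendor.example"}
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
# Keywords in rule conditions that commonly mark a rule built to hide security mail.
SECURITY_KEYWORDS = ("password", "mfa", "security", "sign-in", "verification", "suspicious")


@dataclass
class Finding:
    rule_id: str
    display_name: str
    severity: str                       # "high" | "medium" | "info"
    reasons: list = field(default_factory=list)


def _addresses(recipients):
    """Pull the SMTP address out of each Graph recipient object."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]


def classify_domain(address):
    """Map a destination address to internal / approved / consumer / unknown_external."""
    domain = address.rsplit("@", 1)[-1]
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in APPROVED_EXTERNAL_DOMAINS:
        return "approved"
    if domain in CONSUMER_DOMAINS:
        return "consumer"
    return "unknown_external"


def triage_rule(rule):
    """Return a Finding for one messageRule; severity stays 'info' if nothing is risky."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    finding = Finding(rule.get("id", "?"), rule.get("displayName", ""), "info")
    if not rule.get("isEnabled", True):
        finding.reasons.append("rule is currently disabled")
    # Forward / redirect destinations: judge every target domain.
    targets = (_addresses(actions.get("forwardTo"))
               + _addresses(actions.get("forwardAsAttachmentTo"))
               + _addresses(actions.get("redirectTo")))
    for addr in targets:
        kind = classify_domain(addr)
        if kind in ("consumer", "unknown_external"):
            finding.severity = "high"
            finding.reasons.append(f"forwards/redirects to {kind} address {addr}")
        elif kind == "approved":
            finding.reasons.append(f"forwards to approved system {addr}")
    # Suppression: delete is high; mark-as-read or move-out-of-Inbox is at least medium.
    if actions.get("delete") or actions.get("permanentDelete"):
        finding.severity = "high"
        finding.reasons.append("deletes incoming messages")
    if actions.get("markAsRead") or actions.get("moveToFolder"):
        if finding.severity != "high":
            finding.severity = "medium"
        finding.reasons.append("hides messages (mark as read / move to folder)")
    # A suppression rule whose conditions target security notifications is the worst case.
    keywords = [k.lower() for k in (conditions.get("subjectContains") or [])
                + (conditions.get("bodyContains") or [])]
    if finding.severity != "info" and any(s in k for k in keywords for s in SECURITY_KEYWORDS):
        finding.severity = "high"
        finding.reasons.append(f"targets security-related mail: {keywords}")
    return finding


def triage(rules):
    """Triage every rule and order findings so the highest severity surfaces first."""
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted((triage_rule(r) for r in rules), key=lambda f: order[f.severity])


# Constructed sample in the shape of GET /users/{id}/mailFolders/inbox/messageRules.
SAMPLE_RULES = json.loads("""{"value": [
 {"id": "r1", "displayName": "Helpdesk", "isEnabled": true,
  "conditions": {"subjectContains": ["ticket"]},
  "actions": {"forwardTo": [{"emailAddress": {"address": "intake@helpdesk-vendor.example"}}]}},
 {"id": "r2", "displayName": ".", "isEnabled": true,
  "conditions": {},
  "actions": {"forwardTo": [{"emailAddress": {"address": "backup.mail.2024@gmail.com"}}],
              "markAsRead": true}},
 {"id": "r3", "displayName": "Cleanup", "isEnabled": true,
  "conditions": {"subjectContains": ["password", "unusual sign-in"]},
  "actions": {"delete": true, "stopProcessingRules": true}}
]}""")

if __name__ == "__main__":
    for f in triage(SAMPLE_RULES["value"]):
        print(f.severity.upper(), f.rule_id, repr(f.display_name), "; ".join(f.reasons))
```

Two practical notes. The `messageRule` object carries no creation timestamp, so the "when was it created and by whom" checks come from the audit log (the `New-InboxRule` and `Set-InboxRule` operations), not from the rule itself. Once a rule is confirmed malicious, the same Graph resource supports `PATCH` with `isEnabled: false` to disable it and `DELETE` to remove it, which maps to steps 3 and 7 of the remediation list.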

Safe remediation steps

  1. Use Overe to review all external inbox forwarding rules across the tenant before acting on any individual mailbox
  2. Confirm with the mailbox owner or their manager whether the rule is intentional before removing it
  3. If suspicious, disable or delete the forwarding rule immediately
  4. If compromise is suspected, also search for additional rules that suppress, delete, or redirect messages
  5. Enforce MFA and rotate credentials for the affected account where compromise is indicated
  6. Review the mailbox for other indicators of compromise — unusual sent items, delegation changes, or OAuth consents
  7. Remove the rule once ownership and legitimacy have been confirmed or once remediation is complete

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Related risks and follow-on checks

  • External email forwarding rules
  • Dormant users
  • Users with risky MFA settings
  • Open Defender incidents