Risky Inbox Forwarding Rules: Data Exfiltration & Post-Compromise Persistence

Why this risk matters

Inbox forwarding rules are one of the most reliable post-compromise persistence techniques used by attackers after gaining access to a mailbox. Once created, these rules silently redirect or copy email to an attacker-controlled address — often without the mailbox owner ever noticing.

Unlike mailbox-level SMTP forwarding, inbox rules are created within the mailbox itself and may not appear in standard admin views. They can be created through Outlook, Outlook on the Web, or via the Graph API, and they continue operating silently until explicitly removed. Even after the initial compromise is resolved — password reset, MFA enforced — the rules continue forwarding mail if they are not found and deleted.

Overe detects inbox forwarding rules that forward to external addresses, rules that redirect mail based on keywords, and rules that delete or suppress incoming messages — a common technique used to hide security notifications from a compromised user.

What happens if this is abused

  • All incoming email for a compromised mailbox forwarded to an attacker-controlled address without the user's awareness
  • Forwarding continues operating after the initial compromise is resolved through password reset or MFA enforcement — the rule outlives the session
  • Business communications, client data, and sensitive attachments exfiltrated without further interactive access required
  • Security notifications, password reset emails, or MFA prompts deleted or redirected before the user sees them, extending attacker dwell time
  • Attacker maintains ongoing intelligence access to the organisation's communications long after the breach is otherwise contained
  • Rule targeting specific keywords — invoice, payment, contract — used in a BEC attack to intercept only high-value communications without forwarding all mail
  • Graph API-created rule persists after the attacker's token is revoked, because the rule is stored in the mailbox rather than tied to an active session
  • Rule deletes or suppresses incoming emails to hide security alerts from the compromised user, preventing them from noticing unusual activity on their account

When this is expected or acceptable

Inbox forwarding rules do have legitimate uses. Personal productivity rules, auto-archiving to external systems, and integration with ticketing or helpdesk platforms are all common examples.

A rule forwarding to a known business system — a ticketing platform, a monitoring tool, or a documented vendor address — is typically legitimate. A rule forwarding to a consumer email domain or an unknown external address, particularly one created recently or at the same time as a suspicious sign-in, should be treated as suspicious until verified.

Rules that suppress or delete incoming email rather than forwarding are a stronger indicator of malicious intent and should always be investigated.

Checks to perform before taking action

Before modifying or removing any inbox forwarding rule:

  • Identify when the rule was created and whether it coincides with any suspicious sign-in activity or Overe alerts for that user
  • Confirm who created the rule — the mailbox owner, a delegate, or an administrator
  • Validate whether the destination address maps to a known business system or vendor
  • Check the mailbox for other suspicious rules including those that delete, move, or mark messages as read
  • Review the mailbox owner's sign-in history for unfamiliar locations or devices around the time the rule was created
  • Cross-reference with any related Defender incidents or Overe risk signals for the account
  • Confirm with the mailbox owner whether they recognise and intentionally created the rule

Safe remediation steps

  1. Use Overe to review all external inbox forwarding rules across the tenant before acting on any individual mailbox
  2. Confirm with the mailbox owner or their manager whether the rule is intentional before removing it
  3. If suspicious, disable or delete the forwarding rule immediately
  4. If compromise is suspected, also search for additional rules that suppress, delete, or redirect messages
  5. Enforce MFA and rotate credentials for the affected account where compromise is indicated
  6. Review the mailbox for other indicators of compromise — unusual sent items, delegation changes, or OAuth consents
  7. Remove the rule once ownership and legitimacy have been confirmed or once remediation is complete

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Overe Auto-Response: The External Email Forwarding Enabled alert can be configured in Overe to trigger automatic session revocation or account block when external forwarding rules are detected on a mailbox. Review your Auto-Response settings under Org Config > Auto-Response to ensure an appropriate automated response is configured for this persistent exfiltration risk.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Disable Direct Send functionality — Disables Direct Send functionality to prevent email spoofing via unauthenticated SMTP.
  • Windows Device Security Audit and Event Logging — Captures detailed Windows security events to support threat detection, investigation, and compliance.

Related risks and follow-on checks

After reviewing inbox forwarding rules, also check these related risk areas:

  • External Email Forwarding Rules — check for tenant-level or mailbox-level SMTP forwarding alongside inbox rules; both techniques are often used in conjunction in more sophisticated attacks
  • Suspicious Inbox Rules — risky forwarding rules frequently coexist with suppression or deletion rules designed to hide activity from the mailbox owner; investigate both rule types on the same mailbox
  • Users with Risky MFA Settings — if a mailbox owner can be phished or their credentials compromised due to weak MFA, forwarding rules are the likely next step; remediate authentication and access together
  • Open Defender Incidents — cross-reference any Defender alerts for the same user or mailbox; a forwarding rule often marks the conclusion of a broader compromise chain rather than a standalone event
  • Dormant Users — dormant accounts may have old forwarding rules still active from a previous compromise; verify no rules are running on accounts with no active owner
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.