Suspicious Inbox Rules: Mail Hiding, Deletion & Persistence Risk

Why this risk matters

While forwarding rules exfiltrate mail to external destinations, a separate category of inbox rules is used specifically to conceal an attacker's presence. Rules that hide, delete, mark as read, or move messages to obscure folders are a reliable technique for extending dwell time and preventing a compromised user from noticing that something is wrong.

Overe flags inbox rules that manipulate mail in ways that suggest concealment rather than legitimate organisation — rules that delete incoming emails from security vendors or Microsoft, rules that move messages to the Deleted Items or RSS Feeds folder, rules that mark all incoming mail as read, or rules matching keywords like “password”, “security alert”, “unusual sign-in”, or “MFA”.

These rules are often created alongside forwarding rules as part of the same attack sequence, but they can also exist independently — created specifically to blind the user to ongoing compromise. Unlike forwarding rules, they do not create visible outbound traffic and are frequently overlooked during incident response.

What happens if this is abused

  • Security alert emails from Microsoft or the organisation's security team deleted or moved before the user sees them
  • Password reset confirmation emails suppressed, allowing the attacker to maintain access even as the user attempts to recover the account
  • MFA prompt or unusual sign-in notification deleted, preventing the user from raising an alert
  • All incoming email marked as read, masking new messages and making it harder for the user to notice the mailbox is being accessed
  • Vendor invoice or payment emails diverted to a folder the user rarely checks, enabling business email compromise
  • Rules survive password resets and MFA changes, continuing to operate silently until explicitly removed

When this is expected or acceptable

Most legitimate inbox rules move messages to named folders, apply categories, or forward to known addresses. Rules that delete mail or move it to system folders like Deleted Items, Junk, or RSS Feeds are unusual in legitimate use.

Some rules that mark messages as read or suppress certain senders may reflect personal preferences, but these should be reviewed in context — especially if they target security-related senders or keywords.

Any rule targeting keywords like “password”, “security”, “alert”, “MFA”, “sign-in”, or “verification” should be treated as high-priority for review regardless of other context.

Checks to perform before taking action

Before modifying suspicious inbox rules:

  • Review the full list of inbox rules for the affected mailbox — not just forwarding rules but all rules
  • Identify rules that delete, move to system folders, mark as read, or target security-related keywords
  • Check when each rule was created and whether the timing correlates with any suspicious sign-in or Overe alert
  • Confirm whether the mailbox owner recognises and intentionally created each rule
  • Review the mailbox for other indicators of compromise — forwarding rules, delegation changes, and OAuth app consents
  • Check the user's recent sign-in history for unfamiliar locations, devices, or unexpected authentication events
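The checklist above as an added Exchange Online PowerShell example (not Overe's own tooling): it walks every user mailbox, flags rules that delete, move to system folders, mark as read, match the security keywords this page lists, or also forward, then pulls rule creation events from the unified audit log because Get-InboxRule exposes no creation time. It assumes the ExchangeOnlineManagement module is installed, the account can read inbox rules and the audit log, and that the folder and keyword lists (taken from this page) are tuned to your tenant.

```powershell
# Added example, not Overe's code. Assumes ExchangeOnlineManagement is installed and
# the account can read inbox rules (e.g. View-Only Recipients) and the unified audit log.
Connect-ExchangeOnline

# Concealment indicators named on this page: security keywords and system folders.
$keywords      = @('password', 'security', 'alert', 'unusual sign-in', 'mfa', 'sign-in', 'verification')
$systemFolders = @('Deleted Items', 'RSS Feeds', 'Junk Email', 'Conversation History')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        if ($rule.DeleteMessage) { $reasons += 'deletes message' }
        if ($rule.MarkAsRead)    { $reasons += 'marks as read' }

        # MoveToFolder renders as "<mailbox>:\<folder path>"; compare the leaf folder name.
        if ($rule.MoveToFolder) {
            $leaf = ([string]$rule.MoveToFolder -split '\\')[-1]
            if ($systemFolders -contains $leaf) { $reasons += "moves to system folder '$leaf'" }
        }

        # Any subject/body condition word that contains a security-related keyword.
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        $hits  = $words | Where-Object { $w = $_; $keywords | Where-Object { $w -like "*$_*" } }
        if ($hits) { $reasons += "targets keywords: $($hits -join ', ')" }

        # Hiding combined with forwarding in one rule is the strongest signal.
        if ($rule.ForwardTo -or $rule.RedirectTo -or $rule.ForwardAsAttachmentTo) { $reasons += 'also forwards/redirects' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Correlate flagged rules with when, by whom and from which IP they were created or
# changed; the last 30 days is an assumed window, widen it to match your retention.
$since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP | Format-Table -AutoSize
```

Review each finding with the mailbox owner before removing anything; a rule that survives removal or reappears after a password reset points to access that has not been fully revoked.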

Safe remediation steps

  1. Use Overe to review inbox rules across the tenant for patterns consistent with concealment — deletion, suppression, or security keyword targeting
  2. For rules matching these patterns, contact the mailbox owner to confirm whether they are intentional
  3. If compromise is suspected, remove all suspicious rules immediately
  4. Review the mailbox for forwarding rules, delegation changes, and OAuth consents that may have been set at the same time
  5. Enforce MFA and rotate credentials for the affected account where compromise is indicated
  6. After remediation, monitor the mailbox for rule recreation — rule persistence is a sign that access has not been fully revoked
  7. Educate users on what legitimate inbox rules look like and how to identify unexpected changes to their mailbox settings

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Related risks and follow-on checks

  • Risky inbox forwarding rules
  • External email forwarding rules
  • Mailbox delegation risk
  • Open Defender incidents
  • Users with risky MFA settings