Suspicious Inbox Rules: Mail Hiding, Deletion & Persistence Risk

Why this risk matters

While forwarding rules exfiltrate mail to external destinations, a separate category of inbox rules is used specifically to conceal an attacker's presence. Rules that hide, delete, mark as read, or move messages to obscure folders are a reliable technique for extending dwell time and preventing a compromised user from noticing that something is wrong.

Overe flags inbox rules that manipulate mail in ways that suggest concealment rather than legitimate organisation — rules that delete incoming emails from security vendors or Microsoft, rules that move messages to the Deleted Items or RSS Feeds folder, rules that mark all incoming mail as read, or rules matching keywords like “password”, “security alert”, “unusual sign-in”, or “MFA”.

These rules are often created alongside forwarding rules as part of the same attack sequence, but they can also exist independently — created specifically to blind the user to ongoing compromise. Unlike forwarding rules, they do not create visible outbound traffic and are frequently overlooked during incident response.

What happens if this is abused

  • Security alert emails from Microsoft or the organisation's security team deleted or moved before the user sees them
  • Password reset confirmation emails suppressed, allowing the attacker to maintain access even as the user attempts to recover the account
  • MFA prompt or unusual sign-in notification deleted, preventing the user from raising an alert
  • All incoming email marked as read, masking new messages and making it harder for the user to notice the mailbox is being accessed
  • Vendor invoice or payment emails diverted to a folder the user rarely checks, enabling business email compromise
  • Rules survive password resets and MFA changes, continuing to operate silently until explicitly removed
  • Rule targeting all messages from a specific domain or sender — such as a supplier or legal firm — diverts sensitive communications before they reach the mailbox owner
  • Rule recreated immediately after removal, indicating the attacker still has active mailbox access and credential remediation was incomplete

When this is expected or acceptable

Most legitimate inbox rules move messages to named folders, apply categories, or forward to known addresses. Rules that delete mail or move it to system folders like Deleted Items, Junk, or RSS Feeds are unusual in legitimate use.

Some rules that mark messages as read or suppress certain senders may reflect personal preferences, but these should be reviewed in context — especially if they target security-related senders or keywords.

Any rule targeting keywords like “password”, “security”, “alert”, “MFA”, “sign-in”, or “verification” should be treated as high-priority for review regardless of other context.

Checks to perform before taking action

Before modifying suspicious inbox rules:

  • Review the full list of inbox rules for the affected mailbox — not just forwarding rules but all rules
  • Identify rules that delete, move to system folders, mark as read, or target security-related keywords
  • Check when each rule was created and whether the timing correlates with any suspicious sign-in or Overe alert
  • Confirm whether the mailbox owner recognises and intentionally created each rule
  • Review the mailbox for other indicators of compromise — forwarding rules, delegation changes, and OAuth app consents
  • Check the user's recent sign-in history for unfamiliar locations, devices, or unexpected authentication events

Safe remediation steps

  1. Use Overe to review inbox rules across the tenant for patterns consistent with concealment — deletion, suppression, or security keyword targeting
  2. For rules matching these patterns, contact the mailbox owner to confirm whether they are intentional
  3. If compromise is suspected, remove all suspicious rules immediately
  4. Review the mailbox for forwarding rules, delegation changes, and OAuth consents that may have been set at the same time
  5. Enforce MFA and rotate credentials for the affected account where compromise is indicated
  6. After remediation, monitor the mailbox for rule recreation — rule persistence is a sign that access has not been fully revoked
  7. Educate users on what legitimate inbox rules look like and how to identify unexpected changes to their mailbox settings

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Overe Auto-Response: The Email Hiding Rules alert can be configured in Overe to trigger automatic session revocation or account block when mail-hiding or deletion rules are detected. Review your Auto-Response settings under Org Config > Auto-Response to set an appropriate automated response for this BEC indicator.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Disable Direct Send functionality — Disables Direct Send functionality to prevent email spoofing via unauthenticated SMTP.
  • Windows Device Security Audit and Event Logging — Captures detailed Windows security events to support threat detection, investigation, and compliance.

Related risks and follow-on checks

After reviewing suspicious inbox rules, also check these related risk areas:

  • Risky Inbox Forwarding Rules — concealment rules and forwarding rules are typically created together in the same compromise sequence; investigate all rule types on any mailbox where suspicious rules are found
  • External Email Forwarding Rules — SMTP forwarding at mailbox or tenant level is a complementary technique; check both levels of forwarding alongside inbox rule suppression on any affected mailbox
  • Mailbox Delegation Risk — an attacker with FullAccess to a mailbox can create rules without the owner's session; check whether delegation could explain how a rule was created without a visible direct sign-in
  • Open Defender Incidents — suspicious inbox rules are frequently a downstream artifact of a broader compromise; check for Defender alerts on the same user or device before investigating in isolation
  • Users with Risky MFA Settings — the underlying access that enabled rule creation usually began with a credential attack; confirm the account's MFA posture is addressed alongside the rule removal
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.