Transport rules in Exchange Online — also called mail flow rules — are server-side rules that apply to all email passing through your organisation's mail infrastructure. They operate before email reaches user inboxes, can silently copy, redirect, modify, or delete messages, and apply organisation-wide rather than per-user. This makes them a powerful administrative tool and, in the wrong hands, a powerful exfiltration mechanism.
Unlike inbox rules, which are set per-user and visible in the user's Outlook, transport rules are invisible to end users and require Exchange admin access to create or modify. A change to a transport rule — especially one that wasn't planned or approved — should always be investigated promptly, because a single well-crafted rule can silently copy all email from an entire domain to an external address.
Transport rule changes are a routine part of Exchange Online administration. Legitimate scenarios include:
Any legitimate transport rule change should have a corresponding ticket, change request, or administrative audit trail linking it to a specific project or policy decision. Unexplained changes, new rules that forward to external addresses, or modifications to existing rules that add external forwarding are the key red flags.
Get-TransportRule), review the current transport rules and identify what was changed, created, or deletedGet-TransportRule | Export-Csv to capture a full snapshot of current transport rules as a baseline for future comparisonOvere Auto-Response: The Transport Rule Changed alert can be configured in Overe to trigger automatic session revocation or account block for the initiating admin when unauthorised mail flow changes are detected. Review your Auto-Response settings under Org Config > Auto-Response.
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
After investigating a transport rule change alert, review these related risk areas: