Email Forwarding Rules in Microsoft 365: How Attackers Quietly Drain Your Finances for Months

Malicious email forwarding rules in Microsoft 365 are one of the most financially destructive attacks most business owners have never heard of. There are no locked screens, no ransom notes, no alarms. A single inbox rule silently copies every financial email – invoices, wire requests, vendor confirmations – to an address the attacker controls, sometimes for months before anyone notices the money is gone. Knowing how this works, why it survives a password reset, and which configuration changes actually close the door is now a baseline requirement for any organization running Microsoft 365.

  1. The Threat Landscape: Why Inbox Rules Are a Prime Attack Vector
  2. How Email Forwarding Rules Are Weaponized Step by Step
  3. Why Malicious Email Forwarding Rules Survive Password Resets
  4. Who This Affects and Real-World Examples
  5. Forensic Indicators: What to Look For
  6. Defense Posture: Configuration Changes That Close the Door
  7. What to Ask Your IT Firm Right Now

The Threat Landscape: Why Inbox Rules Are a Prime Attack Vector

Business email compromise has been the FBI’s most financially costly cybercrime category for six consecutive years. The FBI’s 2023 Internet Crime Report logged over $2.9 billion in adjusted losses attributed to business email compromise alone – a figure that almost certainly undercounts reality, because most victims never report to law enforcement. The tactics driving those losses have changed. Early attacks were loud: spoofed domains, obvious phishing emails, easy-to-spot grammar mistakes. Modern attacks are quiet. Attackers now prefer techniques that blend into normal user behavior, and malicious email forwarding rules are at the top of that list.

The CISA advisory AA23-193A, released jointly with the NSA and FBI, specifically calls out email forwarding rule abuse as a primary persistence mechanism in Microsoft 365 and Google Workspace environments. The advisory notes that attackers who establish this kind of persistence are extraordinarily difficult to detect because their activity mimics a feature millions of legitimate users configure themselves every day.

That is the core problem. Inbox rules are not a vulnerability in the traditional sense – they are a designed feature. The attacker is not exploiting a software flaw. They are exploiting trust in legitimate functionality, which is exactly what makes detection so hard.

How Email Forwarding Rules Are Weaponized Step by Step

The attack almost always starts with credential theft, not a technical exploit. Phishing, credential stuffing against a tenant with no multi-factor authentication, or purchased credentials from an initial access broker are the three most common entry points. Once the attacker has valid credentials, the intrusion looks, from Microsoft’s perspective, like a normal login.

After gaining access, the attacker moves fast – typically within minutes of the initial login, based on forensic timelines documented in breach disclosures. Here is the sequence:

  • The attacker logs into the compromised mailbox, often via Outlook on the Web or directly through Microsoft Graph API calls that require no interactive browser session.
  • A new inbox rule is created. Common configurations include: forward all incoming mail matching keywords like “invoice,” “payment,” “wire,” “ACH,” or “remittance” to an external address; mark those emails as read immediately so they never appear as unread in the victim’s inbox; and in some variants, delete the email from the inbox entirely after forwarding.
  • The attacker may also create a second rule that automatically moves replies from the victim’s sent folder into a subfolder the victim never checks, hiding the full conversation thread.
  • The attacker logs out. The session ends. The email forwarding rules stay.

From this point, the attacker needs no active presence in the mailbox. The rule does the work. Every qualifying email is silently copied or redirected. The attacker reads those emails at their leisure, identifies the right moment to inject a fraudulent invoice or payment instruction, and sends it from a lookalike domain – or, in more sophisticated campaigns, directly from a compromised vendor account also under their control.

The victim sees nothing unusual. Their email works normally. The only sign anything is wrong is the financial loss that surfaces weeks later.

Why Malicious Email Forwarding Rules Survive Password Resets

This is the detail that catches most business owners and IT teams off guard. When an organization discovers a compromised account and resets the password, the assumption is that the attacker is locked out and the damage is contained. That assumption is wrong.

Email forwarding rules in Microsoft 365 are stored as properties of the mailbox object itself – not as properties of the authenticated session. Resetting a password terminates active sessions and invalidates existing tokens, but it does not touch the mailbox configuration. The forwarding rule the attacker created keeps executing on every incoming message, silently, indefinitely, until someone explicitly finds it and removes it.

The same is true of other persistence artifacts frequently created alongside malicious inbox rules:

  • Mailbox-level forwarding addresses set via the ForwardingSmtpAddress attribute, which operates independently of inbox rules and is invisible in most standard inbox views.
  • Third-party application permissions granted during the attacker’s session, which can persist and allow continued access to email data even after the password is reset and all user sessions are revoked.
  • Delegate access grants that give the attacker read or send-on-behalf permissions on the mailbox.
  • Transport rules created at the tenant level – as opposed to the mailbox level – which require administrative access to create but are completely invisible to the individual mailbox owner.

A thorough incident response for any suspected Microsoft 365 compromise must check all four of these artifact types – not just the obvious inbox rules visible in Outlook settings. Stopping at the password reset is one of the most common and costly mistakes organizations make during these incidents.

Who This Affects and Real-World Examples

Any organization using Microsoft 365 for financial communications is a potential target. Attackers do not exclusively pursue large enterprises. The FBI’s data consistently shows that small and mid-sized businesses absorb a disproportionate share of business email compromise losses precisely because they lack the monitoring infrastructure to catch these attacks early.

Professional services firms – accounting, legal, financial advisory – are particularly attractive targets because their email traffic is dense with payment instructions, escrow transfers, and wire confirmations. Healthcare organizations face the same exposure wherever billing and accounts payable activity flows through Microsoft 365 mailboxes.

Several public incidents illustrate the technique at scale:

  • In the NOBELIUM campaign documented by Microsoft’s Threat Intelligence team, the threat group used inbox rules and mailbox delegation to maintain persistent access to high-value targets across multiple organizations for extended periods – collecting intelligence and timing financial fraud with precision.
  • The Scattered Spider group, responsible for several high-profile intrusions in 2023 and 2024, was documented using Microsoft 365 inbox rule manipulation as part of broader persistence strategies following initial access via social engineering.
  • A 2022 CISA advisory on Iranian government-sponsored actors specifically described inbox rule creation as a standard post-compromise action used to maintain visibility into target organizations’ communications without requiring repeated credential use.

What unites these examples is dwell time. The median time between initial compromise and detection in business email compromise cases involving email forwarding rules runs to weeks, not days. Some forensic investigations have uncovered rules that had been quietly forwarding financial email for four to six months before the victim discovered the fraud.

Forensic Indicators: What to Look For

If you suspect a compromise – or are conducting a proactive audit of your Microsoft 365 environment – the following indicators are the most reliable signals that inbox rule abuse has occurred or is ongoing.

Audit log entries to search for:

  • New-InboxRule and Set-InboxRule operations – look for rules created outside business hours, from unfamiliar IP addresses, or by service accounts that have no business creating inbox rules.
  • Set-Mailbox operations that modify the ForwardingSmtpAddress or DeliverToMailboxAndForward attributes – these are the silent forwarders that do not appear as user-visible inbox rules.
  • Third-party application consent grants, which appear in the audit log as application consent and role assignment events rather than as mailbox operations.
  • Mailbox login events from IP addresses in unexpected geographic locations or from anonymizing infrastructure (hosting providers, Tor exit nodes, or VPN services with known abuse histories).
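The audit-log search described above, as an added example that is not part of the original post: it pulls the rule- and forwarding-related operations from the unified audit log and flags events that forward outside the tenant, hide mail, fire outside business hours, or come from an unrecognised client IP. It assumes an existing Connect-ExchangeOnline session; $InternalDomains and $KnownIPs are placeholders to replace with your own accepted domains and known egress addresses.

```powershell
# Added example, not the post's own code. Assumes Connect-ExchangeOnline has been run.
$InternalDomains = @('example.com')     # placeholder: the tenant's accepted domains
$KnownIPs        = @('203.0.113.10')    # placeholder: office/VPN egress addresses (TEST-NET-3)
$ops = 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox'

# Last 30 days of rule/forwarding operations; AuditData is one JSON document per event.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
            -Operations $ops -ResultSize 5000

foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = [string]$p.Value }

    # Set-Mailbox is noisy; keep only calls that touch the silent forwarding attributes.
    if ($d.Operation -eq 'Set-Mailbox' -and -not ($params.ContainsKey('ForwardingSmtpAddress') -or
        $params.ContainsKey('ForwardingAddress') -or $params.ContainsKey('DeliverToMailboxAndForward'))) { continue }

    $reasons = @()
    foreach ($k in 'ForwardTo','ForwardAsAttachmentTo','RedirectTo','ForwardingSmtpAddress','ForwardingAddress') {
        if ($params[$k] -match '@([A-Za-z0-9.-]+)' -and $InternalDomains -notcontains $Matches[1].ToLower()) {
            $reasons += "external $k=$($params[$k])"
        }
    }
    if ($params['DeleteMessage'] -eq 'True' -or $params['MarkAsRead'] -eq 'True') { $reasons += 'hides mail' }

    # CreationTime is UTC; convert before applying a local business-hours window (07:00-19:00, Mon-Fri).
    $t = [datetime]::SpecifyKind([datetime]$d.CreationTime, 'Utc').ToLocalTime()
    if ($t.Hour -lt 7 -or $t.Hour -ge 19 -or $t.DayOfWeek.ToString() -in 'Saturday','Sunday') {
        $reasons += 'outside business hours'
    }

    # ClientIP may carry a port ("1.2.3.4:443") or IPv6 brackets ("[2001:db8::1]:443").
    $ip = $d.ClientIP -replace '\]:\d+$', ']' -replace '^(\d+\.\d+\.\d+\.\d+):\d+$', '$1' -replace '^\[|\]$', ''
    if ($ip -and $KnownIPs -notcontains $ip) { $reasons += "unknown IP $ip" }

    if ($reasons) {
        [pscustomobject]@{
            Time = $t; User = $d.UserId; Operation = $d.Operation
            Target = $params['Identity']; Why = ($reasons -join '; ')
        }
    }
}
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a busy tenant, narrow the date window or page with -SessionCommand ReturnLargeSet.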

Configuration anomalies to check directly:

  • Run Get-InboxRule via Exchange Online PowerShell for every mailbox in scope – do not rely on Outlook’s built-in rule viewer, which can miss server-side rules in some configurations.
  • Check Get-Mailbox -ResultSize Unlimited | Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward across the tenant for any unexpected external forwarding addresses (without -ResultSize Unlimited, Get-Mailbox stops at 1,000 mailboxes).
  • Review the list of consented third-party applications in the Azure Active Directory portal, looking for applications granted Mail.Read or Mail.ReadWrite permissions.
  • Audit mailbox delegates via Get-MailboxPermission and Get-RecipientPermission for any Full Access or SendAs grants to external or unfamiliar accounts.
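One sweep that covers the four persistence artifacts listed in the password-reset section and the configuration checks just above, as an added example that is not part of the original post. It assumes an existing Connect-ExchangeOnline session; $InternalDomains is a placeholder for the tenant's accepted domains. OAuth application grants live in Entra ID and need the Graph module, so they are not covered here.

```powershell
# Added example, not the post's own code. Assumes Connect-ExchangeOnline has been run.
$InternalDomains = @('example.com')     # placeholder: the tenant's accepted domains

function Test-External {
    # Rule recipients look like "Name" [SMTP:user@domain]; mailbox attributes like smtp:user@domain.
    param([string]$Address)
    if ($Address -match '@([A-Za-z0-9.-]+)') { return ($InternalDomains -notcontains $Matches[1].ToLower()) }
    return $false
}

$findings = @(foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName

    # 1. Inbox rules that send mail out, or that hide it (mark read / delete / move).
    foreach ($r in Get-InboxRule -Mailbox $upn) {
        $out = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) |
               Where-Object { $_ -and (Test-External ([string]$_)) }
        if ($out -or $r.DeleteMessage -or $r.MarkAsRead -or $r.MoveToFolder) {
            [pscustomobject]@{ Mailbox=$upn; Artifact='InboxRule'; Enabled=$r.Enabled
                Detail="$($r.Name): to=$($out -join ',') delete=$($r.DeleteMessage) read=$($r.MarkAsRead) move=$($r.MoveToFolder)" }
        }
    }
    # 2. Mailbox-level forwarding, which no inbox rule view will ever show.
    if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox=$upn; Artifact='ForwardingSmtpAddress'; Enabled=$true
            Detail="$($mbx.ForwardingSmtpAddress) keepCopy=$($mbx.DeliverToMailboxAndForward)" }
    }
    if ($mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox=$upn; Artifact='ForwardingAddress'; Enabled=$true; Detail=[string]$mbx.ForwardingAddress }
    }
    # 3. Delegates: explicit FullAccess and SendAs grants (inherited and system entries skipped).
    Get-MailboxPermission -Identity $upn |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Mailbox=$upn; Artifact='FullAccess'; Enabled=$true; Detail=[string]$_.User } }
    Get-RecipientPermission -Identity $upn |
        Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Mailbox=$upn; Artifact='SendAs'; Enabled=$true; Detail=[string]$_.Trustee } }
})

# 4. Tenant-level transport rules that redirect or copy mail; invisible to the mailbox owner.
$findings += Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
    ForEach-Object { [pscustomobject]@{ Mailbox='(tenant)'; Artifact='TransportRule'; Enabled=($_.State -eq 'Enabled')
        Detail="$($_.Name): redirect=$($_.RedirectMessageTo -join ',') bcc=$($_.BlindCopyTo -join ',') cc=$($_.CopyTo -join ',')" } }

$findings | Sort-Object Mailbox, Artifact | Format-Table -AutoSize -Wrap
```

A rule that moves mail to a folder or marks it read is not malicious by itself; the output is a triage list, and each hit should be confirmed with the mailbox owner before removal.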

Microsoft’s official guidance on responding to a compromised email account provides a useful remediation checklist, though it should be treated as a starting point rather than a complete forensic protocol.

Figure: How a malicious email forwarding rule redirects financial communications without the victim’s knowledge.

Defense Posture: Configuration Changes That Close the Door

Detection matters, but prevention is the higher priority. The configuration changes below, applied at the tenant level, significantly reduce the attack surface for email forwarding rule abuse. These are not theoretical hardening recommendations – they are the specific controls that incident responders find missing in the overwhelming majority of business email compromise cases involving Microsoft 365.

Disable automatic external forwarding at the tenant level:

  • Microsoft 365 allows administrators to set outbound spam filter policies that block automatic forwarding to external domains. This is a default-off setting in many tenants. Enable it explicitly using the AutoForwardingMode parameter set to Off in the hosted outbound spam filter policy. This blocks both inbox rule forwarding and mailbox-level forwarding to external addresses.
  • Create an exception list for users with a legitimate business need to forward externally, and review that list quarterly.

Enforce multi-factor authentication without exception:

  • The vast majority of Microsoft 365 business email compromise cases begin with a compromised password. Multi-factor authentication stops credential-only attacks cold. Conditional access policies should require it for all users, with no permanent exclusions for executives or service accounts.
  • Disable legacy authentication protocols (basic authentication for IMAP, POP3, and SMTP) that cannot be protected by multi-factor authentication. Microsoft completed its forced deprecation of basic authentication in October 2022, but some tenants have re-enabled it for legacy application compatibility – check this explicitly.

Enable and actively review the audit log:

  • The audit log must be enabled – it is not always on by default for older tenants – and its data must actually be reviewed. Passive logging that nobody looks at is not a control. It is an artifact.
  • Configure alerts for high-risk events including email forwarding rule creation, external forwarding changes, and third-party application consent grants. Microsoft Defender for Office 365 includes built-in alert policies for some of these events; verify they are enabled and routing to a monitored inbox or alert platform.

Restrict third-party application consent:

  • By default, users in many Microsoft 365 tenants can grant third-party applications broad permissions – including the ability to read all mail. Restrict user consent to administrator-approved applications only, using the admin consent workflow in Azure Active Directory. This prevents attacker-deployed applications from maintaining email access after a password reset.
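The Exchange Online portion of the hardening above, as an added example that is not part of the original post: it applies the external-forwarding block, the basic-authentication block and the audit settings, then reads each one back so the change is verified rather than assumed. It assumes an existing Connect-ExchangeOnline session with an admin account; multi-factor authentication, conditional access and the user-consent setting are Entra ID controls and are not covered here.

```powershell
# Added example, not the post's own code. Assumes Connect-ExchangeOnline has been run as an admin.

# 1. Block automatic external forwarding (inbox rules and mailbox-level forwarding alike)
#    in the default outbound spam policy. Users with a documented exception get their own
#    policy created with New-HostedOutboundSpamFilterPolicy and AutoForwardingMode 'On'.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Disable basic authentication for every protocol. A new authentication policy has
#    every AllowBasicAuth* switch off by default; making it the org default applies it
#    to all mailboxes that have no explicit policy.
$policyName = 'Block Basic Auth'   # assumed name; any name works
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 3. Make sure mailbox auditing and unified audit log ingestion are both on.
Set-OrganizationConfig -AuditDisabled $false
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# --- Verification: each check returns $true only when the control is actually in place ---
function Test-ForwardingBlocked {
    (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode -eq 'Off'
}
function Test-BasicAuthBlocked {
    $p = Get-AuthenticationPolicy -Identity (Get-OrganizationConfig).DefaultAuthenticationPolicy -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }   # no default policy means basic auth is not governed
    $allowed = $p.PSObject.Properties | Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true }
    return (-not $allowed)
}
function Test-AuditEnabled {
    (-not (Get-OrganizationConfig).AuditDisabled) -and
    [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

[pscustomobject]@{
    ExternalForwardingBlocked = Test-ForwardingBlocked
    BasicAuthBlocked          = Test-BasicAuthBlocked
    AuditLogEnabled           = Test-AuditEnabled
}
```

Run the verification block again after any tenant change; a policy that was switched back on for a legacy application will show up as a $false here long before it shows up in an incident.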

Organizations that work with a dedicated cybersecurity team to implement and continuously monitor these controls are substantially less exposed than those relying on default Microsoft configurations. Default is not secure – it is a starting point. You can also learn more about how proactive monitoring fits into a broader managed IT services strategy for your organization.

What to Ask Your IT Firm Right Now

If you rely on an IT firm or internal IT staff to keep your Microsoft 365 environment secure, the following questions will tell you quickly whether the right controls are in place. These are not technical traps – they are the minimum-bar checks for any tenant running financial communications through Microsoft 365.

  • Are automatic email forwarding rules to external addresses disabled at the tenant level, with a documented exception process for legitimate use cases?
  • Is multi-factor authentication enforced via conditional access policies for every user account, including executives and shared mailboxes?
  • Are legacy authentication protocols disabled across the tenant?
  • Is the audit log enabled, with alert policies configured to notify someone when email forwarding rules or external forwarding settings are modified?
  • Has anyone run a full audit of consented third-party application permissions and mailbox delegate access in the past 90 days?
  • If a mailbox were compromised today, what is the documented incident response process – and does it include checking for forwarding rules, forwarder attributes, application grants, and delegates, not just resetting the password?

If the answers to any of these questions are uncertain or negative, the gap is not theoretical. Attackers are walking through exactly these open doors in organizations of every size and industry right now. Email forwarding rule persistence is not a nation-state technique reserved for high-profile targets. It is a standard step in campaigns run by financially motivated criminal groups targeting small and mid-sized businesses. Professional services, legal, and healthcare sectors see the highest concentration of victims – but no industry is exempt.

The organizations that come through these incidents without significant financial loss are not the ones that got lucky. They are the ones that had the right controls configured before the attacker arrived, and the right monitoring in place to catch the cases where an attacker still managed to get in. Quiet environments do not happen by accident. They are built deliberately, audited regularly, and maintained by people who understand what the threat actually looks like.

If you want to know where your Microsoft 365 environment stands today, Book a Free Cybersecurity Strategy Call. It’s a 20-minute conversation – no sales pressure, no obligation.

Copyright © 2026. Website Design by Xact IT Solutions