PRACTITIONER GUIDE | EMAIL SECURITY
Practitioner GuideUpdated 11 min read

Microsoft 365 Email Forwarding Rules Audit: How to Find Hidden Auto-Forward Rules Set by Compromised Accounts or Insider Threats

$2.9B
in BEC losses reported to the FBI IC3 in 2023
62%
of BEC attacks establish an inbox forwarding rule as a persistence mechanism within the first hour of account access
14 days
median dwell time before a forwarding rule is detected in M365 environments without automated monitoring
3
separate rule storage locations in M365 that must all be checked: inbox rules, OWA rules, and transport rules

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Business email compromise attackers do not need to stay logged in. They log in once, set a forwarding rule, and walk away. Every email the victim sends or receives from that point forward goes to the attacker's external inbox. The victim sees nothing unusual. The attacker waits for a payment instruction, a wire transfer request, or credentials for a downstream system. Microsoft 365 stores forwarding rules in three separate locations, and checking only one gives you a false sense of coverage. This guide covers all three, with the exact commands to run.

Understanding the Three Rule Storage Locations

Microsoft 365 stores email forwarding configurations in three distinct locations, each requiring different tools to enumerate:

1. Inbox Rules (Exchange Online): Stored per-mailbox, managed via Get-InboxRule. These are the rules a user creates in Outlook or OWA under Settings > Rules. They can forward, redirect, or delete messages matching specific criteria.

2. OWA / Outlook on the Web Rules: Also stored per-mailbox, but created specifically through the OWA interface. In older Exchange environments, these were stored separately from MAPI inbox rules and could not be seen via Get-InboxRule in certain configurations. In modern Exchange Online, they share the same store, but the forwarding address configuration differs.

3. Exchange Transport Rules (Mail Flow Rules): Tenant-wide or scoped rules configured by admins at the organization level. Attackers who compromise a Global Admin or Exchange Admin account may create transport rules to silently BCC or redirect matching emails. These are more dangerous because they survive mailbox-level remediation and apply to multiple recipients.

A complete audit must check all three. Start with the Exchange Online PowerShell module.

Enumerating Inbox Rules Across All Mailboxes

Connect to Exchange Online PowerShell:

Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

Get all inbox rules for all mailboxes and filter for forwarding actions:

$allMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'}

$forwardingRules = foreach ($mailbox in $allMailboxes) {
    Get-InboxRule -Mailbox $mailbox.Identity | Where-Object {
        $_.ForwardTo -ne $null -or
        $_.ForwardAsAttachmentTo -ne $null -or
        $_.RedirectTo -ne $null
    } | Select-Object @{N='Mailbox';E={$mailbox.UserPrincipalName}},
        Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled
}

$forwardingRules | Export-Csv -Path "forwarding_rules_audit.csv" -NoTypeInformation

For large tenants (1000+ mailboxes), throttle the loop to avoid hitting Exchange Online rate limits:

$i = 0
foreach ($mailbox in $allMailboxes) {
    if ($i++ % 50 -eq 0) { Start-Sleep -Seconds 2 }
    Get-InboxRule -Mailbox $mailbox.Identity | Where-Object { $_.ForwardTo -or $_.RedirectTo } |
    Select-Object @{N='Mailbox';E={$mailbox.UserPrincipalName}}, Name, ForwardTo, RedirectTo
}

Review the output for addresses outside your organization's accepted domains. Any forwarding to a Gmail, Yahoo, or unknown domain is an immediate high-priority finding.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Checking the Mailbox-Level ForwardingSmtpAddress Property

Inbox rules are not the only forwarding mechanism. Exchange Online also supports direct mailbox-level forwarding via the ForwardingSmtpAddress and ForwardingAddress properties on the mailbox object. These do not appear in Get-InboxRule output.

Enumerate all mailboxes with external forwarding enabled:

Get-Mailbox -ResultSize Unlimited | Where-Object {
    $_.ForwardingSmtpAddress -ne $null -or
    $_.ForwardingAddress -ne $null
} | Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
Export-Csv -Path "mailbox_forwarding_audit.csv" -NoTypeInformation

The DeliverToMailboxAndForward property is important. If this is $true, the original mailbox receives the email AND a copy goes to the forwarding address. Attackers prefer this setting because the user continues to receive their email normally, reducing the chance of discovery. If it is $false, email is redirected entirely and the user will notice missing emails.

To block forwarding address configuration at the mailbox level as a policy control:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

Run this with caution in environments that use legitimate forwarding for shared mailboxes or CRM integrations. Audit first, then remediate selectively.

Auditing Exchange Transport Rules for Silent BCC

Transport rules operate at the organization level and require Exchange Admin or Global Admin to create. They are more dangerous than inbox rules because they can apply across all mailboxes and survive individual mailbox remediation.

Enumerate all transport rules with copy or redirect actions:

Get-TransportRule | Where-Object {
    $_.BlindCopyTo -ne $null -or
    $_.CopyTo -ne $null -or
    $_.RedirectMessageTo -ne $null -or
    $_.AddToRecipients -ne $null
} | Select-Object Name, BlindCopyTo, CopyTo, RedirectMessageTo, Priority, State |
Format-List

Look for rules that were created recently by accounts other than known admins. Check the creation date against your change management records:

Get-TransportRule | Select-Object Name, WhenChanged, WhenChangedUTC, ModifiedBy |
Sort-Object WhenChangedUTC -Descending | Format-Table -AutoSize

The ModifiedBy field shows which account last modified the rule. If you see a non-admin UPN that recently modified a transport rule, investigate immediately. This is a strong indicator of admin-level account compromise.

To block all auto-forwarding to external recipients at the transport layer (the recommended baseline control):

  1. In the Microsoft 365 Defender portal, go to Email and collaboration > Policies and rules > Threat policies > Anti-spam
  2. Open the default outbound spam policy
  3. Set Automatic forwarding to Off (Forwarding is disabled)

Building Ongoing Monitoring with Microsoft Sentinel or the Audit Log

One-time audits are not sufficient. Forwarding rules are often set within minutes of account compromise, faster than any manual detection cadence.

Enable Unified Audit Logging and alert on rule creation events. The key operation names to monitor in the audit log:

  • New-InboxRule (forwarding rule created)
  • Set-InboxRule (existing rule modified to add forwarding)
  • Set-Mailbox (ForwardingSmtpAddress or ForwardingAddress changed)
  • New-TransportRule (transport rule created)

Query the audit log via PowerShell:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "New-InboxRule","Set-InboxRule" `
    -ResultSize 5000 |
Select-Object UserIds, CreationDate, Operations,
    @{N='RuleDetails';E={$_.AuditData | ConvertFrom-Json | Select-Object -ExpandProperty Parameters}} |
Export-Csv -Path "inbox_rule_events_30days.csv" -NoTypeInformation

In Microsoft Sentinel, use the OfficeActivity table:

OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where UserId !in~ (known_admin_accounts)
| extend RuleName = tostring(parse_json(Parameters)[0].Value)
| extend ForwardTo = tostring(parse_json(Parameters)[?Name == "ForwardTo"].Value)
| where ForwardTo !endswith "@yourdomain.com"
| project TimeGenerated, UserId, RuleName, ForwardTo, ClientIPAddress
| order by TimeGenerated desc

Alert on any rule creation that forwards to an external domain and was created outside business hours or from an IP not in your corporate egress range.

The bottom line

Email forwarding rules are the silent persistence mechanism of BEC attacks. A one-time check is not enough. Block automatic external forwarding at the transport policy level as a baseline control, enumerate all three storage locations during incident investigations, and set up alert rules for inbox rule creation events in your SIEM. Detecting forwarding rule creation within minutes rather than days is the difference between containing a BEC incident and paying a fraudulent wire transfer.

Frequently asked questions

Can users create forwarding rules without IT knowing about it?

Yes, by default. Any user can create inbox rules in Outlook or OWA that forward their email externally, and these rules are not blocked by default in M365. To prevent this, configure the outbound spam policy to disable automatic forwarding. This blocks auto-forwarding but does not affect manual forwarding (user clicking Forward on a specific email). For granular control, use transport rules to block auto-forward from specific groups while allowing it for others.

How do I tell if a forwarding rule was set by the legitimate user or by an attacker?

Check the creation timestamp against the user's sign-in risk history in Entra ID. If the rule was created from an unusual IP address, at an unusual time, or within the same session as a high-risk or unfamiliar sign-in event, treat it as attacker-created. Also check the destination address: legitimate forwarding is usually to a personal account of the same person, a colleague, or a CRM system. Forwarding to generic Gmail addresses, lookalike domains, or address patterns from known BEC infrastructure are red flags.

Does disabling external forwarding break any legitimate use cases?

Yes, in some organizations. Common legitimate forwarding scenarios include: executives who forward work email to personal accounts while traveling, shared mailboxes that forward to an external ticketing system (Zendesk, Freshdesk), and CRM integrations that use BCC or forwarding rules to log emails. Audit all existing forwarding before applying a block policy. Use the output of the mailbox-level forwarding audit to identify every forwarding address, verify each one with the account owner or their manager, and grant explicit exceptions before enforcing the policy.

What should I check first when investigating a suspected BEC compromise?

In order: check the account's sign-in history in Entra ID sign-in logs for unfamiliar IP/location, run Get-InboxRule and check the mailbox-level ForwardingSmtpAddress, check whether any app registrations or OAuth apps were consented to (illicit consent grant attack), check the Unified Audit Log for mail send events from unusual IP addresses, and check whether the account was added to any distribution lists or given Send As permissions on other mailboxes.

How do I create an audit log of all mail forwarding changes in Exchange Online?

Search the Unified Audit Log for Set-Mailbox operations that change ForwardingSmtpAddress or ForwardingAddress, and for New-InboxRule and Set-InboxRule operations that include forwarding-related action keywords. Use the Exchange Admin Center or run Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations 'Set-Mailbox','New-InboxRule','Set-InboxRule'. For continuous monitoring, configure a Microsoft Sentinel analytics rule or a Defender for Office 365 custom detection that alerts any time a forwarding action is set on a mailbox, with the initiating user and IP address included in the alert.

What is the difference between inbox rules and transport rules for email forwarding risk?

Inbox rules are created by end users within their own mailbox (via Outlook or OWA) and forward or redirect messages based on conditions the user defines. They are visible to admins via Get-InboxRule but are configured by users without admin involvement. Transport rules (mail flow rules) are admin-configured Exchange Online rules that apply organization-wide and can redirect or copy messages based on sender, recipient, or content patterns. Both carry exfiltration risk. Attackers who compromise a user account typically create inbox rules for stealthy forwarding. Admins who misconfigure transport rules can cause wholesale message leakage. Audit both independently: Get-InboxRule for per-mailbox rules and Get-TransportRule for organization-level rules.

Sources & references

  1. Microsoft: Block external email forwarding in Microsoft 365
  2. CISA: Business Email Compromise Guide
  3. Microsoft: Get-InboxRule PowerShell reference
  4. Microsoft: Detect and remediate illicit consent grants in Office 365

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.