Microsoft 365 Email Forwarding Rules Audit: How to Find Hidden Auto-Forward Rules Set by Compromised Accounts or Insider Threats

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Business email compromise attackers do not need to stay logged in. They log in once, set a forwarding rule, and walk away. Every email the victim sends or receives from that point forward goes to the attacker's external inbox. The victim sees nothing unusual. The attacker waits for a payment instruction, a wire transfer request, or credentials for a downstream system. Microsoft 365 stores forwarding rules in three separate locations, and checking only one gives you a false sense of coverage. This guide covers all three, with the exact commands to run.
Understanding the Three Rule Storage Locations
Microsoft 365 stores email forwarding configurations in three distinct locations, each requiring different tools to enumerate:
1. Inbox Rules (Exchange Online): Stored per-mailbox, managed via Get-InboxRule. These are the rules a user creates in Outlook or OWA under Settings > Rules. They can forward, redirect, or delete messages matching specific criteria.
2. OWA / Outlook on the Web Rules: Also stored per-mailbox, but created specifically through the OWA interface. In older Exchange environments, these were stored separately from MAPI inbox rules and could not be seen via Get-InboxRule in certain configurations. In modern Exchange Online, they share the same store, but the forwarding address configuration differs.
3. Exchange Transport Rules (Mail Flow Rules): Tenant-wide or scoped rules configured by admins at the organization level. Attackers who compromise a Global Admin or Exchange Admin account may create transport rules to silently BCC or redirect matching emails. These are more dangerous because they survive mailbox-level remediation and apply to multiple recipients.
A complete audit must check all three. Start with the Exchange Online PowerShell module.
Enumerating Inbox Rules Across All Mailboxes
Connect to Exchange Online PowerShell:
Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
Get all inbox rules for all mailboxes and filter for forwarding actions:
$allMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'}
$forwardingRules = foreach ($mailbox in $allMailboxes) {
Get-InboxRule -Mailbox $mailbox.Identity | Where-Object {
$_.ForwardTo -ne $null -or
$_.ForwardAsAttachmentTo -ne $null -or
$_.RedirectTo -ne $null
} | Select-Object @{N='Mailbox';E={$mailbox.UserPrincipalName}},
Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled
}
$forwardingRules | Export-Csv -Path "forwarding_rules_audit.csv" -NoTypeInformation
For large tenants (1000+ mailboxes), throttle the loop to avoid hitting Exchange Online rate limits:
$i = 0
foreach ($mailbox in $allMailboxes) {
if ($i++ % 50 -eq 0) { Start-Sleep -Seconds 2 }
Get-InboxRule -Mailbox $mailbox.Identity | Where-Object { $_.ForwardTo -or $_.RedirectTo } |
Select-Object @{N='Mailbox';E={$mailbox.UserPrincipalName}}, Name, ForwardTo, RedirectTo
}
Review the output for addresses outside your organization's accepted domains. Any forwarding to a Gmail, Yahoo, or unknown domain is an immediate high-priority finding.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Checking the Mailbox-Level ForwardingSmtpAddress Property
Inbox rules are not the only forwarding mechanism. Exchange Online also supports direct mailbox-level forwarding via the ForwardingSmtpAddress and ForwardingAddress properties on the mailbox object. These do not appear in Get-InboxRule output.
Enumerate all mailboxes with external forwarding enabled:
Get-Mailbox -ResultSize Unlimited | Where-Object {
$_.ForwardingSmtpAddress -ne $null -or
$_.ForwardingAddress -ne $null
} | Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
Export-Csv -Path "mailbox_forwarding_audit.csv" -NoTypeInformation
The DeliverToMailboxAndForward property is important. If this is $true, the original mailbox receives the email AND a copy goes to the forwarding address. Attackers prefer this setting because the user continues to receive their email normally, reducing the chance of discovery. If it is $false, email is redirected entirely and the user will notice missing emails.
To block forwarding address configuration at the mailbox level as a policy control:
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Run this with caution in environments that use legitimate forwarding for shared mailboxes or CRM integrations. Audit first, then remediate selectively.
Auditing Exchange Transport Rules for Silent BCC
Transport rules operate at the organization level and require Exchange Admin or Global Admin to create. They are more dangerous than inbox rules because they can apply across all mailboxes and survive individual mailbox remediation.
Enumerate all transport rules with copy or redirect actions:
Get-TransportRule | Where-Object {
$_.BlindCopyTo -ne $null -or
$_.CopyTo -ne $null -or
$_.RedirectMessageTo -ne $null -or
$_.AddToRecipients -ne $null
} | Select-Object Name, BlindCopyTo, CopyTo, RedirectMessageTo, Priority, State |
Format-List
Look for rules that were created recently by accounts other than known admins. Check the creation date against your change management records:
Get-TransportRule | Select-Object Name, WhenChanged, WhenChangedUTC, ModifiedBy |
Sort-Object WhenChangedUTC -Descending | Format-Table -AutoSize
The ModifiedBy field shows which account last modified the rule. If you see a non-admin UPN that recently modified a transport rule, investigate immediately. This is a strong indicator of admin-level account compromise.
To block all auto-forwarding to external recipients at the transport layer (the recommended baseline control):
- In the Microsoft 365 Defender portal, go to Email and collaboration > Policies and rules > Threat policies > Anti-spam
- Open the default outbound spam policy
- Set Automatic forwarding to Off (Forwarding is disabled)
Building Ongoing Monitoring with Microsoft Sentinel or the Audit Log
One-time audits are not sufficient. Forwarding rules are often set within minutes of account compromise, faster than any manual detection cadence.
Enable Unified Audit Logging and alert on rule creation events. The key operation names to monitor in the audit log:
New-InboxRule(forwarding rule created)Set-InboxRule(existing rule modified to add forwarding)Set-Mailbox(ForwardingSmtpAddress or ForwardingAddress changed)New-TransportRule(transport rule created)
Query the audit log via PowerShell:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
-Operations "New-InboxRule","Set-InboxRule" `
-ResultSize 5000 |
Select-Object UserIds, CreationDate, Operations,
@{N='RuleDetails';E={$_.AuditData | ConvertFrom-Json | Select-Object -ExpandProperty Parameters}} |
Export-Csv -Path "inbox_rule_events_30days.csv" -NoTypeInformation
In Microsoft Sentinel, use the OfficeActivity table:
OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where UserId !in~ (known_admin_accounts)
| extend RuleName = tostring(parse_json(Parameters)[0].Value)
| extend ForwardTo = tostring(parse_json(Parameters)[?Name == "ForwardTo"].Value)
| where ForwardTo !endswith "@yourdomain.com"
| project TimeGenerated, UserId, RuleName, ForwardTo, ClientIPAddress
| order by TimeGenerated desc
Alert on any rule creation that forwards to an external domain and was created outside business hours or from an IP not in your corporate egress range.
The bottom line
Email forwarding rules are the silent persistence mechanism of BEC attacks. A one-time check is not enough. Block automatic external forwarding at the transport policy level as a baseline control, enumerate all three storage locations during incident investigations, and set up alert rules for inbox rule creation events in your SIEM. Detecting forwarding rule creation within minutes rather than days is the difference between containing a BEC incident and paying a fraudulent wire transfer.
Frequently asked questions
Can users create forwarding rules without IT knowing about it?
Yes, by default. Any user can create inbox rules in Outlook or OWA that forward their email externally, and these rules are not blocked by default in M365. To prevent this, configure the outbound spam policy to disable automatic forwarding. This blocks auto-forwarding but does not affect manual forwarding (user clicking Forward on a specific email). For granular control, use transport rules to block auto-forward from specific groups while allowing it for others.
How do I tell if a forwarding rule was set by the legitimate user or by an attacker?
Check the creation timestamp against the user's sign-in risk history in Entra ID. If the rule was created from an unusual IP address, at an unusual time, or within the same session as a high-risk or unfamiliar sign-in event, treat it as attacker-created. Also check the destination address: legitimate forwarding is usually to a personal account of the same person, a colleague, or a CRM system. Forwarding to generic Gmail addresses, lookalike domains, or address patterns from known BEC infrastructure are red flags.
Does disabling external forwarding break any legitimate use cases?
Yes, in some organizations. Common legitimate forwarding scenarios include: executives who forward work email to personal accounts while traveling, shared mailboxes that forward to an external ticketing system (Zendesk, Freshdesk), and CRM integrations that use BCC or forwarding rules to log emails. Audit all existing forwarding before applying a block policy. Use the output of the mailbox-level forwarding audit to identify every forwarding address, verify each one with the account owner or their manager, and grant explicit exceptions before enforcing the policy.
What should I check first when investigating a suspected BEC compromise?
In order: check the account's sign-in history in Entra ID sign-in logs for unfamiliar IP/location, run Get-InboxRule and check the mailbox-level ForwardingSmtpAddress, check whether any app registrations or OAuth apps were consented to (illicit consent grant attack), check the Unified Audit Log for mail send events from unusual IP addresses, and check whether the account was added to any distribution lists or given Send As permissions on other mailboxes.
How do I create an audit log of all mail forwarding changes in Exchange Online?
Search the Unified Audit Log for Set-Mailbox operations that change ForwardingSmtpAddress or ForwardingAddress, and for New-InboxRule and Set-InboxRule operations that include forwarding-related action keywords. Use the Exchange Admin Center or run Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations 'Set-Mailbox','New-InboxRule','Set-InboxRule'. For continuous monitoring, configure a Microsoft Sentinel analytics rule or a Defender for Office 365 custom detection that alerts any time a forwarding action is set on a mailbox, with the initiating user and IP address included in the alert.
What is the difference between inbox rules and transport rules for email forwarding risk?
Inbox rules are created by end users within their own mailbox (via Outlook or OWA) and forward or redirect messages based on conditions the user defines. They are visible to admins via Get-InboxRule but are configured by users without admin involvement. Transport rules (mail flow rules) are admin-configured Exchange Online rules that apply organization-wide and can redirect or copy messages based on sender, recipient, or content patterns. Both carry exfiltration risk. Attackers who compromise a user account typically create inbox rules for stealthy forwarding. Admins who misconfigure transport rules can cause wholesale message leakage. Audit both independently: Get-InboxRule for per-mailbox rules and Get-TransportRule for organization-level rules.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
