After I finished the recent PowerShell script to check for Exchange style mailbox forwards I received some motivate from Robert Pearman to develop a script to also go and check what the Outlook rules are doing for Office 365 mailboxes.
Taking what Robert provided I decided to extend my initial script to report on what I consider suspect Outlook mail rules. Here’s my thinking:
- Firstly there are going to potentially be lots and lots of Outlook rules when you look across all mailboxes in Office 365, so I decided to focus on actions that one could deem to more suspicious than others. I settled on the following rule actions as ones to check: forward to, redirect to, copy to folder, delete message, forward as attachment to and send text message notification to.
- Turns out you can create an Outlook rule that forwards, redirects and fowards as an attachment messages to alternate email addresses. A bad party could set this up to send themselves emails from a compromised mailbox.
- If a rule copies rather than moves a message then that to me is also suspicious. Why would you want two copies of the same email message in different locations in your inbox unless you aren’t in full full control of the inbox and someone is squirrelling away messages to a location the owner never created?
- If a rule deletes a message then there is a chance that a bad actor is trying to prevent the mailbox owner from seeing something.
- If a rule notifies someone via SMS that may be the fingerprint of a bad actor trying to keep tabs on a mailbox.
I will also admit, that there are plenty of situations where the above situations are the results of legitimately configured inbox rules. However, for the reasons I have indicated, I believe the actions to warrant the most inspection.
As you can see from the above image, the script will do what it did before and check the mailbox rules to see if there are any forwardings as before but now the script will also dig through each mailbox and throw up warnings when a suspect rule is enabled or disabled for a user.
Once you have located any suspect rules, you can then start digging further to see whether there is a business justification for such. If not, then you may have a compromised mailbox on your hands.
You’ll find the updated script at:
and remember to keep coming back as I’ll continue to update and extend it over time. if you have any feedback on this script of suggestion for things you’d like to see please let me know so I can look at developing them. Thanks again to Robert Pearman for this input on this.