How to stop malicious email forwarding in Outlook

Microsoft Office 365 administrators can use these settings to find and delete hidden rules attackers use to intercept Outlook email messages.

For years pundits have been saying that email is dying and won’t be used in business much longer. Yet email is still a key business tool, and it is also a key method for attackers to take over systems and credentials. Phishing, for example, is a huge problem and isn’t getting better.

One of the email-enabled attacks that Microsoft Office 365 administrators can defend against uses hidden Outlook rules to forward emails that would otherwise tip you off that your account has been taken over. This method is often used when the attacker wants to move funds out of a bank account: the verification emails one normally gets from the bank are forwarded to the attacker by an Outlook rule and then deleted.

Attackers have also used Outlook rules whose action launches a malicious application on the system when a triggering message arrives. Microsoft’s Securing Office 365 blog has an excellent discussion of what attackers can do (and, in fact, do) through forwarding rules.

Steps to find and delete hidden Outlook forwarding rules

The first step is to check whether any forwarding rules you are not aware of have been set up. View the transport rules in Office 365 through the admin portal, or use a PowerShell script to review which rules are set up. (GitHub is a great place to find Office 365 scripts like this one for easily checking rules.) Review any rule you didn’t create to determine its impact on your organization and whether a breach has already occurred.
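The review described above, as an added example that is not from the article or from Microsoft: it walks every user mailbox, lists inbox rules that forward, redirect or silently delete mail (including rules hidden from the Outlook UI), and also reports mailbox-level forwarding set outside of rules. It assumes the ExchangeOnlineManagement module and an account with Exchange recipient-read rights; the domain list and output path are placeholders.

```powershell
# Added example (not the article's script). Assumes ExchangeOnlineManagement is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = @('example.com')   # placeholder: your organization's accepted domains
$report = @()

function Test-External([string[]]$recipients) {
    # Rule recipients render as '"Name" [SMTP:user@domain]'; flag any domain not ours
    foreach ($r in $recipients) {
        if ($r -match 'SMTP:[^@\]]+@([^\]]+)' -and
            $internalDomains -notcontains $Matches[1].ToLower()) { return $true }
    }
    return $false
}

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    # Forwarding configured on the mailbox itself never shows up as an Outlook rule
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $report += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Rule = '<mailbox forwarding>'
            Finding = "To=$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        }
    }
    # -IncludeHidden also returns rules created outside the Outlook UI (e.g. via MAPI tools)
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $flags = @()
        if ($targets -and (Test-External $targets)) { $flags += 'forwards externally' }
        if ($rule.DeleteMessage) { $flags += 'deletes message' }
        if ($rule.MoveToFolder -match 'RSS|Deleted|Archive|Junk') { $flags += "moves to $($rule.MoveToFolder)" }
        if ([string]::IsNullOrWhiteSpace($rule.Name)) { $flags += 'blank rule name' }
        if ($flags.Count -gt 0) {
            $report += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name
                Finding = ($flags -join '; ') + ' | ' + $rule.Description
            }
        }
    }
}

$report | Sort-Object Mailbox | Format-Table -AutoSize -Wrap
$report | Export-Csv -NoTypeInformation -Path .\suspicious-inbox-rules.csv   # placeholder path
```

Once a rule is confirmed malicious, `Remove-InboxRule -Mailbox <upn> -Identity <rule name>` deletes it; record the rule's Description first, since it is evidence of what the attacker was intercepting.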
