sbradley
Contributing Writer

How to stop malicious email forwarding in Outlook

How-To
Dec 12, 2018 | 3 mins
Security | Small and Medium Business | Windows

Microsoft Office 365 administrators can use these settings to find and delete hidden rules attackers use to intercept Outlook email messages.


For years pundits have been saying that email is dying and won’t be used in business much longer. Yet email is still a key business tool, and it is also a key method for attackers to take over systems and credentials. Phishing, for example, is a huge problem and isn’t getting better.

One way Microsoft Office 365 administrators can defend against these email-enabled attacks is to look for hidden rules in Outlook that forward the emails that would otherwise tip you off that your account has been taken over. This method is often used when the attacker wants to move funds out of a bank account. The verification emails that one normally gets from the bank are forwarded to the attacker by an Outlook rule and then deleted, so the account owner never sees them.

Attackers have also used Outlook rules to launch a malicious application on the system when a triggering condition is met. Microsoft’s Securing Office 365 blog has an excellent discussion of what attackers can do (and, in fact, do) through forwarding rules.

Steps to find and delete hidden Outlook forwarding rules

The first step is to check whether any malicious forwarding rules that you are not aware of have been set up. View the transport rules in Office 365 through the admin portal, or use a PowerShell script to review what rules are in place. (Github is a great place to find Office 365 scripts like this one for easily checking rules.) Review any rule you didn’t create to determine its impact on your organization and whether a breach has already occurred.

I recommend that you disable forwarding rules to ensure that attackers can’t make silent rules to move emails without you knowing about it. This also ensures that information can’t “leak” through email and sensitive information be emailed outside of the organization automatically.

Use PowerShell to disable email forwarding rules, or use the Office 365 Secure Score website to apply more secure settings to your Office 365 tenant. You need to log into the site with administrator credentials to review which security settings you can change to secure your email.

In the example Office 365 subscription below, where I have taken no initial actions, I have a very low score of 74 points, indicating a very insecure deployment. We are going to disable email forwarding rules as a first security step.

[Figure 1: Secure Score of Office 365. Screenshot: Microsoft]

Log into the Office Secure Score website and scroll down. You will find several actions to take. For this first action, I’m choosing “Block Client Forwarding Rules”.

[Figure 2: Section to disable client-forwarding rules. Screenshot: Microsoft]

This vector has been used to relay out sensitive information—for example, bank transfer notifications where the attackers don’t want you to know that they have taken over banking credentials and are transferring out funds. Click on “Learn more,” and then “Apply” to set the rule in place.

[Figure 3: Click “Apply” to set the rule. Screenshot: Microsoft]

Once the rule is set, you can select “More” (shown above) to see the resulting action in place. The resulting rule will be branded as set by the Secure Score module so you can track what action enabled the rule and when the rule was enabled. When email is rejected, a notice will be sent to the sender so that they know that actions are being taken by the mail system.

[Figure 4: Resulting rule. Screenshot: Microsoft]

This rule prevents data leakage and ensures that information and sensitive data will not be abused by attackers.
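The PowerShell route mentioned above, as an added example that is not part of the original article: it lists inbox rules and mailbox settings that forward mail, then creates a transport rule equivalent to the Secure Score “Block Client Forwarding Rules” action. It assumes the ExchangeOnlineManagement module is installed and you hold Exchange administrator rights; the transport rule name and rejection text are my own choices.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has Exchange admin rights.
Connect-ExchangeOnline   # prompts for administrator credentials

# 1. Inbox rules in every mailbox that forward, forward-as-attachment or redirect.
#    -IncludeHidden also returns rules that do not show in the Outlook client.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join '; '
                Deletes = $_.DeleteMessage   # forward-then-delete is the account-takeover pattern
            }
        }
}
$findings | Format-Table -AutoSize

# 2. Mailbox-level forwarding configured outside of inbox rules.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Reject auto-forwarded mail leaving the organization; the sender receives
#    a rejection notice. Rule name and reason text are assumptions.
New-TransportRule -Name "Block client auto-forwarding to external recipients" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding outside the organization is not permitted."

# 4. Confirm the rule and note when it was created, as with the Secure Score "More" view.
Get-TransportRule | Select-Object Name, State, WhenChanged
```

Review the step 1 and 2 output before applying step 3, because a rule that already forwarded bank notifications to an attacker means a breach has occurred and needs incident handling, not just a block.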


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
