Microsoft Office 365 administrators can use these settings to find and delete hidden rules attackers use to intercept Outlook email messages.

For years pundits have been saying that email is dying and won’t be used in business much longer. Yet email is still a key business tool, and it is also a key method for attackers to take over systems and credentials. Phishing, for example, is a huge problem and isn’t getting better.

One thing Microsoft Office 365 administrators can defend against is email-enabled attacks that create hidden rules in Outlook to forward emails that would otherwise tip you off that your account has been taken over. This method is often used when the attacker wants to move funds out of a bank account. Outlook rules are then set up so that the verification emails one normally gets from the bank are emailed to the attacker and then deleted.

Attackers have also used Outlook rules to inject a malicious application on the system when a triggering action occurs. Microsoft’s Securing Office 365 blog has an excellent discussion of what attackers can do (and, in fact, do) through forwarding rules.

Steps to find and delete hidden Outlook forwarding rules

The first step is to check if any malicious forwarding rules are set up that you are not aware of. View the transport rules in Office 365 through the admin portal or use a PowerShell script to review what rules are set up. (GitHub is a great place to find Office 365 scripts like this one for easily checking rules.) Review any rules set that you didn’t make to see what the impact is to your organization and if a breach has already occurred. I recommend that you disable forwarding rules to ensure that attackers can’t make silent rules to move emails without you knowing about it.
This also ensures that information can’t “leak” through email and that sensitive information can’t be emailed outside of the organization automatically.

Use PowerShell to disable email forwarding rules, or use the Office 365 Secure Score website to set more secure settings in Office 365. You need to log into the site with administrator credentials to review what security settings you can make to secure your email. In the example Office 365 subscription below where I have taken no initial actions, I have a very low score of 74 points indicating a very insecure deployment. We are going to disable email forwarding rules as a first security step.

[Figure: Secure Score of Office 365. Credit: Microsoft]

Log into the Office Secure Score website and scroll down. You will find several actions to take. For this first action, I’m choosing “Block Client Forwarding Rules”.

[Figure: Section to disable client-forwarding rules. Credit: Microsoft]

This vector has been used to relay out sensitive information—for example, bank transfer notifications where the attackers don’t want you to know that they have taken over banking credentials and are transferring out funds. Click on “Learn more,” and then “Apply” to set the rule in place.

[Figure: Click “Apply” to set the rule. Credit: Microsoft]

Once the rule is set, you can select “More” (shown above) to see the resulting action in place. The resulting rule will be branded as set by the Secure Score module so you can track what action enabled the rule and when the rule was enabled. When email is rejected, a notice will be sent to the sender so that they know that actions are being taken by the mail system.

[Figure: Resulting rule. Credit: Microsoft]

This rule prevents data leakage and ensures that information and sensitive data will not be abused by attackers.
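
One way to carry out the review and blocking steps above from Exchange Online PowerShell, as an added example rather than the article's or Microsoft's own script. It assumes the ExchangeOnlineManagement module and an already connected administrator session; the function names, CSV path, transport rule name and rejection text are illustrative choices.

```powershell
# Added example. Assumes an admin session opened beforehand, for instance:
#   Connect-ExchangeOnline -UserPrincipalName <admin account>

function Get-SuspiciousInboxRule {
    # Returns inbox rules, hidden ones included, that forward, redirect or delete mail.
    param([string[]]$Mailbox = (Get-Mailbox -ResultSize Unlimited).PrimarySmtpAddress)
    foreach ($mbx in $Mailbox) {
        Get-InboxRule -Mailbox $mbx -IncludeHidden -ErrorAction SilentlyContinue |
            Where-Object {
                $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                $_.RedirectTo -or $_.DeleteMessage
            } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx } }, Name, Enabled, Identity,
                          ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
    }
}

function Get-MailboxLevelForwarding {
    # Forwarding set on the mailbox itself does not show up as an inbox rule.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object PrimarySmtpAddress, ForwardingSmtpAddress,
                      ForwardingAddress, DeliverToMailboxAndForward
}

# 1. Review: list the rules, then save a copy as evidence before changing anything.
$rules = Get-SuspiciousInboxRule
$rules | Format-Table -AutoSize
Get-MailboxLevelForwarding | Format-Table -AutoSize
$rules | Export-Csv -Path .\inbox-rule-audit.csv -NoTypeInformation

# 2. Delete a rule you have confirmed is not legitimate (placeholders left unfilled):
#   Remove-InboxRule -Mailbox <mailbox> -Identity <rule identity>

# 3. Block client auto-forwarding to external recipients with a transport rule of
#    the same kind the Secure Score action applies; the sender receives the
#    rejection text in the notice.
New-TransportRule -Name 'Block external auto-forwarding (example)' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'External auto-forwarding is blocked by policy.'
```

A rule that both forwards and deletes matches the bank-notification pattern described above and is worth reviewing first.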