Offcanvas Logo

Menu

  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us

Contact us

  • 1 Executive Dr Suite 100 #123 Marlton NJ 08053
  • 856-282-4100
  • info@xitx.com

Menu

  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us

Contact Us

  • 1 Executive Dr Suite 100 #123 Marlton NJ 08053
  • 856-282-4100
  • info@xitx.com

info@xitx.com
856-282-4100
1 Executive Drive Suite 100 Marlton, NJ 08053
+1 856-282-4100
Facebook-f X-twitter Instagram Linkedin-in Youtube
Xact IT Solutions
Let’s Talk
  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us
Xact IT Solutions
  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us
Let’s Talk

Inbox Rule Manipulation: How Attackers Quietly Drain Microsoft 365 Accounts Weeks Before You Know You’ve Been Hit

Inbox Rule Manipulation: How Attackers Quietly Drain Microsoft 365 Accounts Weeks Before You Know You’ve Been Hit

Most small business owners never see this attack coming — and most IT firms aren’t actively watching for it. An attacker gets into a Microsoft 365 account, makes no noise, and creates a few invisible forwarding rules. Those rules start pulling your business intelligence out of your inbox immediately. No alarm fires. No password changes. No files get encrypted. You log in every morning, read your email, and have no idea that every invoice, contract negotiation, and wire transfer confirmation is also landing in an attacker-controlled mailbox somewhere else in the world. By the time the fraud hits or the ransomware deploys, the attacker has already been inside your environment for weeks — sometimes months — running quietly through malicious inbox rules.

How inbox rule manipulation silently exfiltrates email data from Microsoft 365 accounts.
  1. What Is Inbox Rule Manipulation and Why Does It Work So Well
  2. The Reconnaissance Phase: What Attackers Are Actually Harvesting
  3. What 2024 and 2025 Incident Response Data Reveals About Dwell Time
  4. Real-World Incident Patterns at Small Businesses
  5. What CISA and the FBI Have Said About This Technique
  6. Why Standard Defenses Miss It
  7. A Realistic Defense Posture for Small and Mid-Sized Organizations
  8. What to Ask Your IT Firm Right Now

What Is Inbox Rule Manipulation and Why Does It Work So Well

Microsoft 365 gives every user the ability to create inbox rules that automatically sort, forward, delete, or redirect incoming mail. These rules are a legitimate productivity feature. They are also a near-perfect exfiltration tool for any attacker who has obtained valid credentials.

Once an attacker authenticates to an account — through a phishing link, a credential-stuffing attack, or credentials purchased from a dark web marketplace — they can create forwarding rules in under two minutes. The rules require no elevated permissions. They run silently inside the user’s own account. Critically, they survive a password reset if the IT team resets the password without also auditing and removing the rules.

Common configurations attackers use in these campaigns include:

  • Forwarding all mail matching keywords like “invoice,” “wire,” “payment,” or “bank” to an external address
  • Forwarding all mail from specific high-value senders — the CFO, an outside law firm, a major customer — to an attacker-controlled account
  • Automatically deleting security alert emails or IT notifications before the user ever sees them
  • Moving flagged emails to an obscure subfolder the user never monitors, where the attacker reads them via a separate login without disrupting the user’s view

The attacker is not trying to cause an immediate incident. They are learning the business well enough to impersonate it convincingly, time a wire fraud request at exactly the right moment, or identify the right entry point for a broader network compromise.

The Reconnaissance Phase: What Attackers Are Actually Harvesting

inbox rule manipulation — Wide shot of a dimly lit server room or network infrastructure with cables and blinking lights, photographed at an angled perspective to convey hidden backend access and silent data exfiltration occurring out of sight.

The weeks or months of silent access that inbox rule manipulation enables are not idle time. Incident responders who have reconstructed these intrusions consistently find that attackers are building a detailed picture of the target organization before they act.

During the pre-attack phase, attackers are specifically collecting:

  • The names, titles, and email patterns of executives, finance personnel, and legal contacts
  • Existing bank relationships, account numbers visible in statements, and wire transfer approval processes
  • Active contracts, vendor relationships, and pending transactions large enough to justify a fraudulent payment request
  • The writing style and vocabulary of specific individuals — then used to craft convincing impersonation emails
  • Any multi-factor authentication or IT security details discussed over email, which helps attackers plan around your defenses
  • Travel schedules and organizational absences, exploited to time fraud attempts when the usual approver is unavailable

This is not opportunistic smash-and-grab. This is targeted business intelligence collection. The attacker is building a case file on your organization. When they finally act — whether through a fraudulent wire transfer request, a vendor impersonation scheme, or a ransomware deployment — the attack is informed by weeks of real organizational data. That is what makes this email compromise technique so effective and so difficult to detect after the fact.

What 2024 and 2025 Incident Response Data Reveals About Dwell Time

Dwell time is the gap between initial compromise and detection. For cloud email intrusions involving inbox rule manipulation, the numbers from recent incident response data are troubling.

The FBI’s 2023 Internet Crime Report, released in 2024, put Business Email Compromise losses at over $2.9 billion for that year alone — the highest-loss category in their data. The FBI notes that actual losses run significantly higher because many incidents go unreported or are discovered too late to recover funds.

Microsoft’s 2024 Digital Defense Report found that attackers are increasingly dwelling inside compromised cloud identities for extended periods before triggering any visible attack behavior. The report specifically called out inbox rules and delegated mailbox access as the primary persistence mechanisms in email compromise campaigns.

Mandiant’s M-Trends 2025 report, covering incident response data from calendar year 2024, showed a global median dwell time of 11 days across all intrusion types. For cloud identity compromises at small and mid-sized organizations, responders noted substantially longer undetected periods — these organizations typically lack the logging infrastructure to catch low-and-slow reconnaissance activity.

The pattern from 2024 and 2025 incident data is consistent: at small businesses without active cloud identity monitoring, these intrusions routinely go undetected for 30 to 90 days. Some incidents reconstructed by responders showed attacker access persisting for over six months before a downstream fraud event triggered any investigation at all.

Real-World Incident Patterns at Small Businesses

Published incident reports and regulatory filings describe the same email rule exploitation playbook with enough consistency to treat it as a documented pattern, not a series of isolated events.

  • A professional services firm with under 50 employees discovered that a finance department mailbox had been silently forwarding all inbound mail to an external Gmail address for 47 days. The attacker used that access to monitor a pending real estate transaction, then submitted a fraudulent wire change request. The $340,000 wire was not recovered.
  • A healthcare administrative organization found that three separate Microsoft 365 accounts had been compromised through a single phishing campaign. Forwarding rules had been created in all three. The attacker used the collected information to craft a vendor impersonation email that passed internal scrutiny because it referenced real invoice numbers from real vendors.
  • A legal services firm under 30 employees experienced a ransomware deployment that post-incident forensics traced back to an initial credential compromise 68 days earlier. During that window, the attacker had used covert email forwarding rules to read ongoing client matter communications and had silently added a forwarding address to the managing partner’s account. The ransomware was the second-stage event. The exfiltration had already happened.

None of these organizations made obvious security mistakes. They had standard spam filtering. Some had multi-factor authentication deployed on some accounts. What they lacked was active monitoring of inbox rule creation and modification events inside their cloud email environment.

What CISA and the FBI Have Said About Inbox Rule Manipulation

This is not a theoretical or emerging threat. Both CISA and the FBI have published specific guidance documenting inbox rule manipulation as a primary persistence and exfiltration technique in cloud email compromises.

CISA advisory AA23-040A, published in coordination with the FBI and NSA, explicitly identified the creation of mail forwarding rules and inbox rules as a primary technique used by threat actors targeting Microsoft 365 and Google Workspace environments. The advisory specifically warned that these rules are often created shortly after initial access and persist even after a password reset if not directly remediated. You can review that advisory at CISA.gov.

The FBI’s Internet Crime Complaint Center has repeatedly flagged email compromise schemes that begin with a cloud credential compromise followed by a period of silent monitoring enabled by attacker-created forwarding rules. Their published guidance states that any unexplained inbox rule creation should be treated as an incident indicator requiring immediate investigation.

Microsoft itself has documented this attack pattern in its threat intelligence publications and recommends specific audit log events that organizations should monitor. The relevant events in the Microsoft 365 Unified Audit Log include Set-Mailbox with forwarding parameters, New-InboxRule, Set-InboxRule, and UpdateInboxRules, among others. Microsoft’s guidance on securing cloud email is available at Microsoft Security.

Why Standard Defenses Miss Inbox Rule Manipulation

Most small businesses victimized by this technique were not unprotected in any obvious sense. They had anti-spam filtering, antivirus on endpoints, and sometimes multi-factor authentication. The attack succeeds because it exploits the gap between having basic protections and actively monitoring account behavior inside the cloud environment itself.

Here is why each standard defense layer fails to catch it:

  • Anti-spam and email filtering tools analyze inbound message content. They do not monitor configuration changes an authenticated user makes after login. A forwarding rule is not a malicious email — it is a setting change made by what appears to be the legitimate account owner.
  • Endpoint detection tools watch for malicious code executing on devices. This attack happens entirely inside the Microsoft 365 cloud. No malicious code ever touches a laptop or workstation.
  • Multi-factor authentication protects the login event. Once an attacker has authenticated — through a session token theft, a phishing proxy that captures the session after the user completes their login, or a one-time code obtained through social engineering — MFA provides no protection against what happens inside that authenticated session.
  • Microsoft 365 default configurations do not alert administrators when a user creates or modifies inbox rules. Audit logging must be actively enabled, retained long enough to be useful, and monitored against behavioral baselines. Most small business Microsoft 365 tenants are not configured this way.

The gap is not a product gap. The tools exist. The gap is in whether those tools are configured, monitored, and acted upon. That is an operations problem, not a software problem. Learn more about how a proactive cybersecurity program closes these gaps before an attacker finds them, and see how ongoing monitoring works through our managed IT services.

A Realistic Defense Posture for Small and Mid-Sized Organizations

Closing the detection gap around unauthorized email rules does not require enterprise-scale tooling or a large internal IT team. It requires intentional environment configuration and active monitoring of a specific set of behavioral signals.

The foundational controls that directly address this threat are:

  • Enable and retain Microsoft 365 Unified Audit Log data for a minimum of 90 days, with 180 days preferred. Without this log data, reconstructing an intrusion is either incomplete or impossible.
  • Configure alerts for inbox rule creation and modification events — particularly rules that include external forwarding addresses or that auto-delete emails from IT or security senders.
  • Block automatic external email forwarding at the tenant level using Microsoft 365 outbound spam policies. This closes one of the most common exfiltration paths immediately without disrupting internal routing.
  • Deploy phishing-resistant multi-factor authentication where possible. Standard SMS-based MFA reduces risk but does not protect against phishing proxies that capture authenticated sessions — which is the primary credential bypass method in current email compromise campaigns.
  • Conduct periodic reviews of all inbox rules across the tenant, not just accounts flagged in a known incident. Attacker-created rules often survive for months after an initial incident is “resolved” because remediation stopped at the password reset.
  • Define a clear response process for when a suspicious rule is detected. Detection without a defined response plan means delayed action — and that is how 47-day intrusions become 90-day intrusions.

None of these controls require exotic tooling. All of them require someone to own the process, configure it correctly, and monitor it consistently. That operational consistency is exactly where most small business environments break down.

What to Ask Your IT Firm Right Now

If you have an IT provider managing your Microsoft 365 environment, these questions are not hypothetical. They are diagnostic. The answers will tell you quickly whether your environment is being monitored at the level this threat requires.

  • Is our Microsoft 365 Unified Audit Log enabled, and how long are we retaining that data?
  • Do you have alerts configured to notify your team when any user creates or modifies an inbox rule that includes an external forwarding address?
  • Have you reviewed all existing inbox rules across our tenant in the last 90 days?
  • Is automatic external email forwarding blocked at the tenant policy level, or is it controlled only by individual user settings?
  • If a credential compromise happened today and the attacker created forwarding rules this morning, how quickly would your team detect it?
  • When a suspicious rule is discovered, what happens in the first hour — and who owns that response?

If the answers are uncertain, vague, or followed by a promise to look into it, that is the real finding. The threat is documented, the technique is understood, and the detection methods exist. The only remaining question is whether someone has actually implemented them in your environment.

Inbox rule manipulation succeeds not because it is sophisticated but because it is quiet. It does not look like an attack. It looks like a configuration change made by a legitimate user inside a legitimate account. The organizations that catch it early are the ones whose IT partners have defined what normal looks like in their cloud environment and built alerting around anything that deviates from that baseline. That deliberate, ongoing monitoring is the difference between discovering an intrusion before the wire goes out — and discovering it after the funds are gone.

If you want to know whether your Microsoft 365 environment has the right controls in place, Book a Free Cybersecurity Strategy Call. It’s a 20-minute conversation with our team — no pressure, no obligation.

Want a Walkthrough of Your Own Setup?

Twenty minutes on the phone with our team gets you specific recommendations you can use immediately — whether you hire us or not. No pitch, no pressure, just an honest read on where your business stands.

Book a Free Strategy Call

Recent Posts

  • IT Services Subcontractor Clauses: Who Is Actually Inside Your Systems?
  • AI Proposal Writing for Small Business: Build a Send-Ready Client Proposal in Under 30 Minutes
  • IT Escalation Path: How to Tell a Real Process From a Verbal Promise
  • Session Token Theft: How Attackers Are Walking Past MFA in 2025
  • AI Account Summary: Stop Losing Client Context Between Meetings

Categories

  • AI for Business
  • Backup & Recovery
  • Blog
  • Business
  • Buyer Guides
  • CMMC
  • Compliance
  • Cybersecurity
  • Healthcare
  • Managed IT
  • News & Analysis
  • Threat Intelligence

Share

FRUSTRATED WITH YOUR CURRENT IT PROVIDER? LET’S TALK.

Get a Free IT Consultation
Xact IT Solutions
  • info@xitx.com
  • +1 856-282-4100
  • 1 Executive Drive Suite 100 Marlton NJ 08053

Follow Us

Quick Links
  • Home
  • Partner Program
  • Why Choose Xact IT Solutions | Xact IT Solutions
  • Contact
Services
  • IT Support
  • Cybersecurity Services for SMBs | Xact IT Solutions
  • IT Compliance
Recent Blogs
  • Supply-Chain Ransomware Attack Impacts 60 Credit Unions
  • Comcast Xfinity Data Breach Exposes 36 Million Customers’ Data
  • Crown Equipment’s Cyberattack: Recovery and Lessons Learned
Copyright © 2026. Website Design by Xact IT Solutions
  • Privacy Policy and Terms & Conditions
  • Home
  • Partner Program
  • Why Choose Xact IT Solutions | Xact IT Solutions
  • Contact