How to Audit Mailbox Rules and Delegations

Compromised email accounts often have hidden rules forwarding your data to attackers.

Last updated: March 20, 2026

Here's a scenario that plays out constantly: an attacker compromises someone's email account—usually through a phishing email. They don't just read emails. They create inbox rules that silently forward specific messages to an external address.

Rules like: "Move any email with 'invoice', 'payment', or 'bank' to Deleted Items." Or: "Forward all new emails to attacker123@gmail.com." The account owner doesn't notice. Meanwhile, the attacker receives copies of every invoice, every payment notification, every sensitive communication.

This is mailbox rules abuse. It's a common post-compromise technique. Here's how to audit for it.

Why This Matters

Data Exfiltration: If an attacker has access to your sales@ inbox, they see every customer conversation, quote, and purchase order. Your pricing strategy, your customer list, your sales pipeline—all visible.

Payment Fraud: Forwarding rules targeting financial emails (invoices, wire confirmations, bank statements) give attackers exactly the information they need to impersonate vendors or customers.

Persistence: Even after you reset the compromised password, inbox rules remain. The attacker continues receiving copies of emails until someone deletes the rules.

Former Employee Risk: Employees who left on bad terms sometimes create rules forwarding emails before they leave. Or they retain delegated access that was never removed.

How to Audit Inbox Rules

Microsoft 365

Step 1: Check your own rules

  1. Open Outlook (desktop or web)
  2. Go to Settings > View all Outlook settings > Mail > Rules
  3. Review every rule. Look for:
    • Rules forwarding to external addresses
    • Rules moving emails to folders you didn't create
    • Rules deleting emails automatically

Step 2: Check all users' rules (Admin)

  1. Go to Exchange Admin Center (admin.exchange.microsoft.com)
  2. Navigate to Mailboxes
  3. For each mailbox, view Rules
  4. Look for:
    • External forwarding rules
    • Rules created recently
    • Rules with external addresses as targets

Step 3: Use PowerShell for bulk audit

# Requires the ExchangeOnlineManagement module (Connect-ExchangeOnline first); ForwardAsAttachmentTo is the third forwarding action and is included here
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress } | Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } | Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo

This shows every inbox rule that forwards or redirects email, regardless of mailbox.

Google Workspace

Step 1: Check user rules

  1. Go to mail.google.com
  2. Settings > See all settings > Filters and blocked addresses
  3. Review every filter. Look for external forwarding addresses.

Step 2: Admin console audit

  1. Go to admin.google.com
  2. Users > Select user > Security
  3. Check for forwarding rules
  4. Under Apps > Google Workspace > Gmail > Compliance, check forwarding settings

Step 3: Use the Admin SDK or third-party tools

Google's built-in audit logs show email forwarding settings. Third-party tools like SpinOne, Rewind, or GravityZone provide bulk reporting.

How to Audit Delegations

Delegations allow someone else to access a mailbox without having the account credentials.

Microsoft 365

Step 1: Check mailbox permissions

  1. Exchange Admin Center > Mailboxes
  2. Select mailbox > Manage mailbox permissions
  3. Look for users with Full Access, Send As, or Send on Behalf permissions

Step 2: Check shared mailbox memberships

  1. Exchange Admin Center > Recipients > Shared mailboxes
  2. Review membership of each shared mailbox
  3. Remove anyone who shouldn't have access

Step 3: Check calendar and contact delegations

  1. In Outlook, File > Account Settings > Delegate Access
  2. Review delegates for each user

Step 4: Use PowerShell for bulk audit

# Full Access on one mailbox (pipe Get-Mailbox -ResultSize Unlimited into Get-MailboxPermission to cover every mailbox)
Get-MailboxPermission -Identity "sales@yourcompany.com" | Where-Object {$_.User -notlike "NT AUTHORITY\*"}
# Send As across the tenant; Send on Behalf lives on the mailbox itself: Get-Mailbox | Where-Object {$_.GrantSendOnBehalfTo}
Get-Mailbox -ResultSize Unlimited | Get-RecipientPermission -ResultSize Unlimited | Where-Object {$_.Trustee -notlike "NT AUTHORITY\*"}

Google Workspace

Step 1: Check delegated access

  1. Admin console > Users
  2. Select user > Security
  3. Check "Delegate email access"

Step 2: Check 2-legged OAuth

  1. Admin console > Security > Access and authentication > API scopes
  2. Look for third-party apps with broad email access

What to Look For

Red flags:

  • Rules forwarding to external domains (especially free email like Gmail, Yahoo)
  • Rules created recently (check timestamps)
  • Full Access permissions for non-employees
  • Former employees still having access
  • Third-party apps with broad mailbox permissions
  • Delegation to personal email addresses

Common legitimate reasons for external forwarding:

  • Support tickets forwarded to a CRM
  • Sales leads forwarded to a marketing platform
  • Email to a personal device for backup (not recommended, but common)

Distinguish between intentional business forwarding and suspicious activity.
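As an added example (not part of the original article), the red flags above as a triage pass over inbox-rule records shaped like the PowerShell output from Step 3. The org domain, the approved CRM address, the free-mail list and the sample rules are constructed assumptions, and the creation time is assumed to be joined in from the audit log, since Get-InboxRule does not report one.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions constructed for this example: your own domains and approved business destinations
ORG_DOMAINS = {"yourcompany.com"}
APPROVED_EXTERNAL = {"intake@crm-vendor.example"}   # e.g. a documented CRM intake address
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
FINANCIAL_WORDS = {"invoice", "payment", "bank", "wire", "remittance"}
RECENT = timedelta(days=30)

def smtp_address(target: str) -> str:
    """Exchange renders rule recipients as 'Name [SMTP:addr]'; return the bare lower-case address."""
    m = re.search(r"\[SMTP:([^\]]+)\]", target)
    return (m.group(1) if m else target).strip().lower()

def triage_rule(rule: dict, now: datetime) -> list[str]:
    """Return the red flags from 'What to Look For' that one inbox rule trips (empty list = clean)."""
    flags = []
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", []) + rule.get("ForwardAsAttachmentTo", [])
    for addr in map(smtp_address, targets):
        domain = addr.rsplit("@", 1)[-1]
        if domain in ORG_DOMAINS or addr in APPROVED_EXTERNAL:
            continue                       # internal, or documented business forwarding
        flags.append(f"forwards to {'free-mail' if domain in FREE_MAIL else 'external'} address {addr}")
    # Rules that hide financial mail (delete it or bury it in Deleted Items) are the payment-fraud pattern
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])} & FINANCIAL_WORDS
    hidden = rule.get("DeleteMessage") or "deleted items" in rule.get("MoveToFolder", "").lower()
    if hidden and words:
        flags.append("hides financial mail: " + ", ".join(sorted(words)))
    # Get-InboxRule reports no creation time; 'Created' is assumed to be joined in from the audit log
    if flags and now - rule["Created"] < RECENT:
        flags.append("created in the last 30 days")
    return flags

# Constructed sample shaped like Get-InboxRule output (not real data)
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"MailboxOwnerId": "sales@yourcompany.com", "Name": "Sync", "Created": NOW - timedelta(days=3),
     "ForwardTo": ["attacker123 [SMTP:attacker123@gmail.com]"]},
    {"MailboxOwnerId": "ap@yourcompany.com", "Name": ".", "Created": NOW - timedelta(days=90),
     "SubjectOrBodyContainsWords": ["Invoice", "wire"], "MoveToFolder": "user:\\Deleted Items"},
    {"MailboxOwnerId": "support@yourcompany.com", "Name": "CRM", "Created": NOW - timedelta(days=400),
     "ForwardTo": ["intake@crm-vendor.example"]},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        flags = triage_rule(rule, NOW)
        if flags:
            print(rule["MailboxOwnerId"], "/", rule["Name"], "->", "; ".join(flags))
```

The approved-destination set is where the "legitimate business forwarding" cases (CRM intake, marketing platform) go once they are documented, so they stop showing up on every run.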

What Can Go Wrong

"The rule was created by a compromised account" You find a rule forwarding emails to a Gmail address. It was created by a legitimate user—but that user's account was compromised. Reset the password, delete the rule, check for other compromises.

"The delegation was for a contractor who finished 6 months ago" You audit and find a vendor still has access to a shared mailbox. They haven't had access to your systems for half a year. Remove it.

"The rule was created by IT" Sometimes IT creates rules for legitimate purposes. Make sure you understand the reason before removing anything.

"Our vendor requires email forwarding" Some vendors legitimately require email access. That's a business decision—but document it, review it regularly, and ensure the vendor relationship warrants the access.

What It Costs

Manual audit: $0 (time spent)

  • 30-60 minutes per week for the first month
  • 15-30 minutes monthly thereafter

Automated tools: $2-$15/user/month

  • Microsoft 365 built-in audit logs: Free
  • Third-party audit tools: $2-$10/user/month (SpinOne, GravityZone, etc.)
  • CASB tools: $5-$15/user/month for enterprise-grade monitoring

Consulting for initial setup: $1,000-$5,000

  • One-time configuration of monitoring
  • Initial audit and remediation
  • Policy documentation

Minimum Viable Implementation

  1. Audit all inbox rules this week. Check every user who handles financial emails, customer data, or vendor communications. Look for external forwarding rules you didn't create.

  2. Remove stale delegations. Anyone who left the company, changed roles, or no longer needs access—remove their permissions today.

  3. Disable external forwarding where possible. Microsoft 365 and Google Workspace allow you to block external forwarding at the organizational level. Enable this unless you have a documented business need for it.

  4. Set up alerts for rule changes. When someone creates a new inbox rule that forwards externally, you want to know immediately. Configure alerts in Exchange Admin Center or use a third-party tool.

  5. Repeat quarterly. Schedule this audit every 3 months. Add it to your IT checklist. New rules get created. People come and go. This isn't a one-time fix.
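Added example, not from the original article: the alert logic of step 4 run over constructed audit records in the shape of Exchange Online's AuditData JSON (Operation, UserId, Parameters). It also catches mailbox-level forwarding set through Set-Mailbox, which an inbox-rule audit alone misses; the domain, addresses, client IP and records are constructed.

```python
import json
from typing import Optional

ORG_DOMAINS = {"yourcompany.com"}   # assumption: your own domains
# Audit-log operations, and the parameters on them, that set up forwarding
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
RULE_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
MAILBOX_OPS = {"Set-Mailbox"}
MAILBOX_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")

def is_external(address: str) -> bool:
    """True when the recipient's domain is not ours; tolerates the 'smtp:' prefix Set-Mailbox uses.
    ForwardingAddress names an internal recipient object, so a mail contact that points outside
    the tenant needs a separate lookup and is not caught here."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in ORG_DOMAINS

def alert_for(record: dict) -> Optional[str]:
    """Return an alert line if this audit record introduces external forwarding, else None."""
    op = record.get("Operation", "")
    wanted = RULE_PARAMS if op in RULE_OPS else MAILBOX_PARAMS if op in MAILBOX_OPS else ()
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    for name in wanted:
        if name in params and is_external(params[name]):
            return (f'{record["CreationTime"]} {record["UserId"]} ran {op} with '
                    f'{name}={params[name]} (client {record.get("ClientIP", "?")})')
    return None

def scan(lines: list[str]) -> list[str]:
    """Apply alert_for to AuditData JSON records (one per line) and collect the alerts."""
    alerts = []
    for line in lines:
        alert = alert_for(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample records in the shape of Exchange Online AuditData JSON (not real log data)
SAMPLE_LOG = [
    '{"CreationTime":"2026-03-19T08:12:44","Operation":"New-InboxRule","UserId":"sales@yourcompany.com",'
    '"ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Sync"},'
    '{"Name":"ForwardTo","Value":"attacker123@gmail.com"}]}',
    '{"CreationTime":"2026-03-19T09:01:10","Operation":"Set-Mailbox","UserId":"admin@yourcompany.com",'
    '"Parameters":[{"Name":"Identity","Value":"ap"},'
    '{"Name":"ForwardingSmtpAddress","Value":"smtp:ap-archive@yourcompany.com"}]}',
    '{"CreationTime":"2026-03-19T10:30:00","Operation":"New-InboxRule","UserId":"hr@yourcompany.com",'
    '"Parameters":[{"Name":"Name","Value":"Sort"},{"Name":"MoveToFolder","Value":"Recruiting"}]}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

Feed it the AuditData column from a Search-UnifiedAuditLog export or a SIEM query; only the first sample record, the new rule forwarding to a Gmail address, produces an alert.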

Vendor Questions (Copy/Paste)

  1. "Can your tool detect and alert on inbox rules that forward to external domains?"

  2. "Do you show us which third-party apps have mailbox access, and can we revoke that access from your console?"

  3. "Can we set a policy that automatically disables external forwarding when someone creates a rule?"

  4. "Do you log when mailbox permissions change, and can we export those logs?"

  5. "Can we run a bulk report showing every user with external forwarding enabled, including their forwarding destination?"

When to Hire Help

DIY-friendly if:

  • Under 20 mailboxes
  • Simple role structure (everyone's role is clear)
  • Basic understanding of Microsoft 365 or Google Workspace admin consoles

Get professional help if:

  • Over 50 mailboxes
  • Complex shared mailbox structure
  • Previous security incident involving email
  • No one on staff comfortable using PowerShell or admin consoles
  • Need help setting up automated monitoring

Warning signs you need help now:

  • You've had a phishing incident in the last 6 months
  • An employee reported suspicious inbox rules they didn't create
  • You found forwarding rules to unfamiliar external addresses
  • A former employee is still receiving company emails
  • You don't know who has access to which shared mailboxes
