Five inbox-rule patterns we see every week.
Five Microsoft 365 inbox-rule patterns that signal BEC persistence and survive every password reset, with the 30-second mailbox audit that surfaces each one.
After an account is compromised, attackers go quiet. They don’t change the password, they don’t add new MFA factors, they don’t even sign in from unusual locations. What they do — every time — is create an inbox rule that gives them silent persistence on the mailbox.
These are the five patterns we surface every week across customer audits, in order of frequency.
1. External auto-forward
WHEN: any incoming message
DO: forward a copy to attacker@external.tld
AND mark as read
AND delete from inbox
The most common BEC indicator. Once the rule's filter matches, the compromised user sees neither the attacker's correspondence nor their own incoming mail. The forwarding address is almost always a Gmail, Yahoo, Proton or disposable-domain address that the attacker controls and the user has no reason to recognize.
Why it survives: doesn’t require the user’s password. Once the rule is on the mailbox, password reset doesn’t remove it. MFA revocation doesn’t remove it. Even forced re-registration of Authenticator doesn’t touch it. The rule persists until somebody specifically looks at the mailbox’s rules and deletes it.
2. “Receipt” / “Invoice” / “Wire” filter to subfolder
WHEN: subject contains "invoice" OR "receipt" OR "wire" OR "ACH" OR "payment"
DO: move to folder "Old Mail"
AND mark as read
The attacker is filtering high-value financial conversations into a folder the user doesn’t check, so the attacker can intercept the threads, modify them, and re-send forged versions from the compromised mailbox without the real user noticing the back-and-forth.
This pattern is the precursor to most successful wire-fraud incidents we investigate. The attacker spends 2-6 weeks in the mailbox just reading these threads to understand voice and tone before they make a move.
3. CEO / CFO impersonation cleanup
WHEN: sender == bob@yourdomain.com [the real CEO]
DO: delete permanently
When the attacker is using the compromised mailbox to impersonate someone else — typically the CEO emailing AP to “approve a wire transfer” — they need to make sure any real reply from the actual CEO never lands in the compromised user’s inbox to spoil the ruse.
A rule that auto-deletes mail from an internal address is almost never legitimate.
4. Conversation-thread hijack helper
WHEN: subject contains [specific real thread subject]
DO: move to folder "RSS Feeds" [or any folder the user doesn't read]
Targeted, surgical. The attacker is hijacking one specific email thread — usually a payment negotiation in progress — and wants the real victim to stop seeing replies on it so the attacker can take over the conversation cleanly.
You won’t find this with a generic search. You have to read every inbox rule per user and look for filters keyed to specific subject strings that match recent legitimate threads.
5. The “I’ll fix it later” delegation
WHEN: from any external sender
DO: redirect to assistant@otherdomain.com
This one isn't always malicious: sometimes a real executive has set up forwarding to their EA by personal arrangement. But the configuration is identical to a BEC rule, so our audit flags both. The customer's IT team decides on each one: legitimate delegation, or an assistant address that is actually attacker-controlled.
The reason it’s worth surfacing either way: any account with this rule pattern is an account where every external email leaves the M365 perimeter immediately. That’s a data classification and DLP problem even if it’s a legitimate setup.
How to check your own tenant
For a single user (PowerShell via Exchange Online):
# Requires the ExchangeOnlineManagement module; -IncludeHidden also returns rules that Outlook does not display
Connect-ExchangeOnline
Get-InboxRule -Mailbox user@domain.com -IncludeHidden |
Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder } |
Select-Object Name, Enabled, From, SubjectContainsWords, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
For all users at once, Microsoft Graph (requires Mail.Read consent):
GET /users/{id}/mailFolders/inbox/messageRules
What to look for:
- Any rule with forwardTo or redirectTo pointing to an external domain
- Any rule that deletes mail from an internal sender
- Any rule moving to "RSS Feeds" / "Archive" / "Old Mail" / "Conversation History"
- Any rule older than the user's tenure (if they joined 2 years ago and the rule is 4 years old, something is wrong)
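A worked example added here (not the article's or Envyously's own code): the checklist above applied in Python to a constructed Graph messageRules response, assuming yourdomain.com as the tenant's domain and a folder-id to folder-name map taken from GET /users/{id}/mailFolders. The tenure check in the last bullet needs data from outside the rule object and is left out.

```python
# Added example, not the article's own code: triage the JSON from
# GET /users/{id}/mailFolders/inbox/messageRules against the checklist above.
INTERNAL_DOMAINS = {"yourdomain.com"}  # assumption: the tenant's accepted domains
FINANCE_WORDS = {"invoice", "receipt", "wire", "ach", "payment"}
HIDDEN_FOLDERS = {"rss feeds", "archive", "old mail", "conversation history"}

# Graph stores moveToFolder as a folder id; FOLDER_NAMES is a constructed stand-in for the
# id -> name map GET /users/{id}/mailFolders returns. SAMPLE_RULES are constructed in Graph's shape.
FOLDER_NAMES = {"AQMk-001": "Old Mail", "AQMk-002": "Newsletters"}
SAMPLE_RULES = [
    {"displayName": "Forward all", "isEnabled": True, "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "attacker@external.tld"}}],
                 "markAsRead": True, "delete": True}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire", "ACH"]},
     "actions": {"moveToFolder": "AQMk-001", "markAsRead": True}},
    {"displayName": "Bob", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "bob@yourdomain.com"}}]},
     "actions": {"permanentDelete": True}},
    {"displayName": "Vendor news", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
     "actions": {"moveToFolder": "AQMk-002"}},
]

def _addresses(recipients):
    return [r["emailAddress"]["address"].lower() for r in recipients or []]

def _is_external(address):
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def triage_rule(rule, folder_names=FOLDER_NAMES):
    """Return the pattern labels one messageRule matches; an empty list means nothing flagged."""
    acts, conds, hits = rule.get("actions", {}), rule.get("conditions", {}), []
    targets = [a for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
               for a in _addresses(acts.get(key))]
    if any(_is_external(a) for a in targets):  # patterns 1 and 5: mail leaves the tenant
        hits.append("external-recipient")
    if (acts.get("delete") or acts.get("permanentDelete")) and any(
            not _is_external(a) for a in _addresses(conds.get("fromAddresses"))):
        hits.append("internal-sender-delete")  # pattern 3
    folder = folder_names.get(acts.get("moveToFolder", ""), "").lower()
    if folder and {w.lower() for w in conds.get("subjectContains", [])} & FINANCE_WORDS:
        hits.append("finance-keyword-move")  # pattern 2
    if folder in HIDDEN_FOLDERS:
        hits.append("hidden-folder-move")  # folders from the checklist (patterns 2 and 4)
    return hits

def triage(rules=SAMPLE_RULES, folder_names=FOLDER_NAMES):
    # Map each enabled rule's displayName to its hits, dropping rules with none.
    return {r["displayName"]: triage_rule(r, folder_names)
            for r in rules if r.get("isEnabled", True) and triage_rule(r, folder_names)}
```

On the constructed sample, triage() flags the first three rules and leaves the vendor-newsletter rule alone, which is the split the checklist is meant to produce.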
What our audit does automatically
Our tenant assessment pulls every inbox rule for every mailbox we have permission to read, filters for external-recipient forwards + internal-sender deletes + suspicious move-to-folder targets, and presents the findings with the actual rule contents inline. It runs in about 90 seconds for a 500-user tenant.
If you only check one M365 forensic surface ever, check inbox rules.
Anonymized per our marketing policy. The patterns above are composites across many engagements, not any single customer.
Run the free Envyously Risk Score → — includes a tenant-wide mailbox-rule audit that surfaces all five of these patterns automatically.