It has become an increasingly common tactic for hackers to create auto-forwarding rules to automatically send email to an external inbox (under the attacker’s control) in instances where the hacker has managed to compromise an email account. This allows the attacker to snoop on email communications without needing to be active in the victim’s email inbox.

Knowing that this is a common tactic in a hacker’s toolbox, it is always a good idea to be aware of any instances where auto-forwarding is enabled in your environment. In fact, Microsoft’s security best practices recommend that auto-forwarding is disabled by default.

The following process can be used to check all mailboxes within your instance of Office 365 for any auto-forwarding rules present and then export the report details to a CSV file for review.

Follow these steps:

1. Download the attached Script РCheck for Email Forward Rules (change the extension from .txt to .ps1).

2. Right click on the script and select “Run with PowerShell“.

3. You will be prompted for the credentials of an Office 365 user (must have Global Admin, Exchange Admin, or Delegated Administrator privileges) and hit ‘Enter‘.

4. Sit back, grab a cup of coffee or tea and wait for the script to finish running.

5. Once complete, the report will be written to: C:\temp\externalrules.csv

Alternatively, the script can be run in Microsoft Visual Studio (press F5 to run the code).

Alternative to downloading script:

Save the following in a text file and save as: Check for Forwarding Rules.ps1

Function Connect-EXOnline {
    $credentials = Get-Credential
    Write-Output "Getting the Exchange Online cmdlets"
    $Session = New-PSSession -ConnectionUri `
        -ConfigurationName Microsoft.Exchange -Credential $credentials `
        -Authentication Basic -AllowRedirection
    Import-PSSession $Session
$domains = Get-AcceptedDomain
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mailbox in $mailboxes) {
    $forwardingRules = $null
    Write-Host "Checking rules for $($mailbox.displayname) - $($mailbox.primarysmtpaddress)" -foregroundColor Green
    $rules = get-inboxrule -Mailbox $mailbox.primarysmtpaddress
    $forwardingRules = $rules | Where-Object {$_.forwardto -or $_.forwardasattachmentto}
    foreach ($rule in $forwardingRules) {
        $recipients = @()
        $recipients = $rule.ForwardTo | Where-Object {$_ -match "SMTP"}
        $recipients += $rule.ForwardAsAttachmentTo | Where-Object {$_ -match "SMTP"}
        $externalRecipients = @()
        foreach ($recipient in $recipients) {
            $email = ($recipient -split "SMTP:")[1].Trim("]")
            $domain = ($email -split "@")[1]
            if ($domains.DomainName -notcontains $domain) {
                $externalRecipients += $email
        if ($externalRecipients) {
            $extRecString = $externalRecipients -join ", "
            Write-Host "$($rule.Name) forwards to $extRecString" -ForegroundColor Yellow
            $ruleHash = $null
            $ruleHash = [ordered]@{
                PrimarySmtpAddress = $mailbox.PrimarySmtpAddress
                DisplayName        = $mailbox.DisplayName
                RuleId             = $rule.Identity
                RuleName           = $rule.Name
                RuleDescription    = $rule.Description
                ExternalRecipients = $extRecString
            $ruleObject = New-Object PSObject -Property $ruleHash
            $ruleObject | Export-Csv C:\temp\externalrules.csv -NoTypeInformation -Append

If you have any questions about using automation to check for signs of email account takeover, please contact us today!