Malicious Exchange Online forwarding rules: the foundation of CEO fraud
Almost every case of CEO fraud (Business Email Compromise) we investigate shares the same technical element: a forwarding or inbox rule created by the attacker after compromising an Exchange Online account, letting them monitor billing conversations for weeks before stepping in at the right moment.
How a BEC fraud is built on top of a forwarding rule
After compromising a mailbox — usually via AiTM phishing or illicit OAuth consent — the attacker doesn't act immediately. They create an inbox rule that silently forwards (or moves to a hidden folder) emails related to invoices, payments or ongoing negotiations. For weeks, they observe the real communication pattern between the victim and their vendors or clients: usual amounts, email tone, peak activity times. When they spot a high-value transaction, they step in with an email that mimics the real conversation's style, requesting a last-minute bank account change.
Why malicious rules are hard to spot at a glance
A forwarding or move-to-folder rule generates no visible alert for the user in their normal mail experience: there's no notification, the mailbox's appearance doesn't change, and rules are often named discreetly or even configured to move Microsoft's own security alert emails straight to Deleted Items. The user keeps seeing and replying to email normally, unaware that a copy — or the original — is being diverted.
Organization-level transport rules: the least monitored vector
Beyond individual mailbox-level rules, Exchange Online allows mail flow rules (transport rules) at the organization level. An attacker with compromised administrative privileges can create a transport rule affecting all users or a specific group — for example, blind-copying all of the finance department's email to an external address — with a much larger impact than an individual mailbox rule and, precisely because of that, less frequently reviewed in routine audits.
How to detect and prevent this vector
The most effective measures are: disabling automatic external forwarding at the tenant level and requiring explicit approval for exceptions; periodically auditing both individual mailbox inbox rules and organization-level transport rules, looking for forwarding to external domains or suspicious rule names; enabling Unified Audit Log alerts when a new forwarding rule is created; and, after any account compromise incident, explicitly reviewing rules as part of the containment process, not just changing the password.
FAQ
Does MFA protect me from CEO fraud based on forwarding rules?
It helps prevent the initial account compromise, but it isn't foolproof: AiTM phishing can steal the session while bypassing MFA, and illicit OAuth consent doesn't even require the password. That's why detecting anomalous forwarding rules is an independent and necessary defense layer.
How do I tell a legitimate forwarding rule from a malicious one?
Legitimate rules usually forward to known corporate addresses for a documented reason (temporary leave, delegation). Any rule forwarding to an unknown external domain, that hides or auto-deletes alert emails, or that was created without the user's knowledge, should be treated as suspicious and reviewed immediately.