Get-inboxrule: find risky inbox rules in Office 365

Concerned about sending secure email in Office 365? Find out useful commands to navigate the risky forwarding state of your organisation.
Cybersecurity
Written by
Rob McFeely
Published on
July 16, 2020

Inbox automation such as forwarding, redirecting, and moving items around can be crucial to many business operations. For example, today I was integrating Receipt Bank, a third-party receipt and invoicing system which in turn integrates with our accounting software. Like many respectable third-party systems, it supports a robust API for fetching invoices from my suppliers. However, it does not cover all of them, and as in many such cases, mailbox automation comes in to help. In this case, however, I have to set up an auto-forward outside of our organisation, because Office 365 does not allow our delegate mailbox (our accounts mailbox) to be accessed from outside the organisation.

My solution, after some consternation, was to create an external auto-forward. Now, for the security-minded among you, external mail forwards raise some warning flags. External forwarding, when used by malicious actors, can be a telltale sign of risky behaviour such as invoice fraud. As such, many organisations block it outright. In fact, as an organisation, we do too; however, there are ways to create explicit exceptions, by global admins only, for use cases such as mine. Security arguments aside, it is clear that the area is contentious, with pros and cons on both sides.

This article, however, is going to show you how, using some handy commands, you can identify risky rules. You may want to use these commands in a larger reporting function, or use them to alert you, so I will deliberately leave that to you and focus only on a few great commands.

First off, you want to log in to Exchange Online using a global administrator account. Depending on whether you have multi-factor authentication turned on, you will need to use one of two approaches: without MFA, or with MFA. FYI, we would always recommend having MFA on for all of your global admin accounts.

Find all inbox rules in Office 365

If your organisation isn't too large, this can be a great command. It will list all rules in a human-readable form, making use of the "Description" field, in which Microsoft generates a plain-speaking sentence from your rule conditions.

$mbox = Get-Mailbox; $mbox | ForEach-Object { Get-InboxRule -Mailbox $_.DistinguishedName | Select-Object -Property Name,Enabled,Identity,Description | ConvertTo-Json }

NB: I have a conversion to JSON format at the end, which can be useful if the output is to be consumed by another piece of code. It's up to you.

Identify risky forwarding rules

There are numerous examples of this script to be found online; however, I like this one because it is simple and shows all forwarding. A quick scan of the results and you will see external domains. It can also be easily amended to alert ONLY when it finds an external domain that is not your domain; however, we have not done that here.

# Enumerate every mailbox and list the rules that forward, forward as attachment, or redirect
$mbox = Get-Mailbox;
foreach ($m in $mbox) {
   $rules = Get-InboxRule -Mailbox $m.PrimarySmtpAddress
   # Keep only rules that have at least one forward/redirect target
   $forwardingRules = $rules | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo}
   foreach ($rule in $forwardingRules) {
       $rule | Select-Object -Property Identity, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Name, RuleIdentity
   }
}
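The script above lists every forwarding rule and leaves it to you to spot the external domains. The following is an added example, not code from the original article, that takes the next step the text mentions: it resolves each forward/redirect target to an SMTP address, compares the domain against the tenant's accepted domains (from Get-AcceptedDomain), and reports only rules with at least one external target. It assumes an active Exchange Online PowerShell session; the sample rule, the mailbox address and the domain yourcompany.com are constructed for illustration. Note that Get-Mailbox returns at most 1000 mailboxes unless -ResultSize Unlimited is given, which the live loop here uses.

```powershell
# Added example (not from the original article): flag inbox rules whose
# forward/redirect targets lie outside the tenant's accepted domains.

function Get-RuleRecipientAddresses {
    # Get-InboxRule reports recipients as strings such as
    #   "Jane Doe" [SMTP:jane@example.org]      -> an SMTP address
    #   "Bob" [EX:/o=ExchangeLabs/ou=.../cn=bob]  -> an internal legacy DN
    # Only SMTP entries (or bare addresses) can be external, so only those are returned.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ([string]::IsNullOrWhiteSpace($r)) { continue }
        if ($r -match '\[SMTP:([^\]]+)\]') {
            $Matches[1].Trim().ToLowerInvariant()
        } elseif ($r -match '^[^\s"\[]+@[^\s"\]]+$') {
            $r.Trim().ToLowerInvariant()
        }
        # EX:/o=... entries are internal recipients and are deliberately skipped
    }
}

function Test-ExternalRule {
    # Returns a report object when the rule targets any domain not in $InternalDomains,
    # otherwise returns nothing.
    param([string]$Mailbox, $Rule, [string[]]$InternalDomains)
    $targets = @()
    foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        if (-not $Rule.$prop) { continue }
        $targets += Get-RuleRecipientAddresses -Recipients @($Rule.$prop)
    }
    $external = @($targets | Where-Object {
        $domain = ($_ -split '@')[-1]
        $InternalDomains -notcontains $domain
    })
    if ($external.Count -gt 0) {
        [pscustomobject]@{
            Mailbox         = $Mailbox
            Name            = $Rule.Name
            Enabled         = $Rule.Enabled
            ExternalTargets = ($external -join ';')
            Description     = $Rule.Description
        }
    }
}

# Constructed sample rule (not from a real tenant) so the parsing can be exercised
# offline before running against Exchange Online. The EX: recipient is internal and
# must not be reported; jane@example.org is external to yourcompany.com and must be.
$sampleRule = [pscustomobject]@{
    Name                  = 'Invoices to personal'
    Enabled               = $true
    ForwardTo             = @('"Jane Doe" [SMTP:jane@example.org]',
                              '"Bob" [EX:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=bob]')
    ForwardAsAttachmentTo = $null
    RedirectTo            = $null
    Description           = 'If the message was received from a supplier, forward the message to jane@example.org'
}
Test-ExternalRule -Mailbox 'accounts@yourcompany.com' -Rule $sampleRule -InternalDomains @('yourcompany.com')

# Live run: every mailbox in the tenant, every rule, external targets only.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLowerInvariant() }
$report = foreach ($m in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $m.PrimarySmtpAddress) {
        Test-ExternalRule -Mailbox $m.PrimarySmtpAddress -Rule $rule -InternalDomains $internalDomains
    }
}
$report | Format-Table -AutoSize
```

For the constructed sample, Test-ExternalRule reports one rule with ExternalTargets set to jane@example.org and ignores the internal EX: recipient. Disabled rules are still reported (the Enabled column shows the state), since a disabled external forward is still worth reviewing; drop them with a Where-Object on Enabled if you only want active ones.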

Find all rules for a given user

Finally, if you know the user whose mailbox you suspect of risky behaviour, the following can be used to show all their forwarding rules.

Get-InboxRule -Mailbox "joe.bloggs@YourCompany.com" | Select-Object -Property Identity, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Name, RuleIdentity

Conclusion

Between the above commands, you should be able to quickly navigate the risky forwarding state of your organisation. Of course, there are variations depending on what you want. Contact us if you can think of useful improvements.
