Hidden Rule Detection

Find the Forwarding Rules Outlook Can't Show You

Attackers create MAPI-level inbox rules that are invisible in Outlook, OWA, and the Microsoft 365 admin center. MailBreach surfaces every hidden forwarding rule across your entire tenant in minutes.

Free 14-day trial. No credit card required. Connect your tenant in under 5 minutes.

What Are Hidden Email Forwarding Rules?

Hidden email forwarding rules are server-side inbox rules created directly at the MAPI (Messaging Application Programming Interface) level, with the properties that mail clients use to list a rule stripped or altered, so that they silently forward or redirect incoming email to an address the attacker controls. Unlike rules you create through Outlook or OWA, they do not appear in the Outlook desktop client, Outlook on the web, or the admin portals, yet Exchange keeps evaluating them against every message that arrives.

Attackers exploit this visibility gap during business email compromise (BEC) attacks. After gaining access to a mailbox through credential phishing or token theft, they create a hidden forwarding rule that copies every incoming message — or messages matching specific keywords like "invoice," "wire," or "payment" — to an external mailbox they control. Because the rule is invisible to the end user and most administrators, it can persist for weeks or months after the initial compromise is remediated.

The root cause is how Exchange stores and displays server-side rules. Every server-side inbox rule, whether created by Outlook, OWA, PowerShell or a raw MAPI client, is a hidden message of class IPM.Rule.Version2.Message in the Inbox's associated contents table (the FAI, or Folder Associated Information), with the conditions and actions held in binary properties on that message. Outlook and OWA build the rule list they show you from a handful of properties on each rule message, such as the rule name and the rule provider. A client with direct MAPI access can create a rule message that omits or alters exactly those properties: the server still runs the rule on every inbound message, but the clients skip it when they render the list. This is not a crash-style bug; it is a gap between what the server executes and what the clients display, and attackers have learned to weaponize it.

  • Server-side rules live as hidden rule messages in the Inbox's associated contents (FAI); a hidden rule is one whose display properties have been removed or altered
  • Outlook, OWA, and the Exchange admin center do not display these rules, even though Exchange still enforces them
  • Attackers use tools like SensePost's Ruler to create inbox rules over MAPI programmatically, including hidden ones
  • A single hidden rule can exfiltrate every email for months without detection

Why Outlook and OWA Don't Show Hidden Rules

Exchange evaluates server-side inbox rules from the rule messages stored in the FAI (Folder Associated Information) of the Inbox; this is the same storage whether the rule was created by Outlook, OWA, PowerShell or a raw MAPI client. What differs is what the clients do with those messages. Outlook and OWA assemble their rule list from properties on each rule message, and they skip a message whose rule name and provider properties are missing or do not match what they expect. A rule written through MAPI (over RPC/HTTP or MAPI/HTTP) with those properties removed is therefore fully active on the server and absent from every UI.

This isn't a recent discovery. SensePost released Ruler, which automates creating inbox rules over MAPI, in 2016, and the property-stripping trick that hides a rule from Outlook has been public for years. Despite this, Microsoft has not updated Outlook or OWA to surface such rules in the UI. Microsoft's recommended check is PowerShell's Get-InboxRule cmdlet, which surfaces some hidden rules, but it has limitations: it only covers inbox rules (mailbox-level forwarding and transport rules need separate cmdlets), and a rule whose rule-message properties have been stripped may not be listed at all, leaving MFCMAPI or an EWS query of the Inbox's associated items as the fallback.

For Google Workspace, a parallel problem exists with Gmail filters and forwarding. A filter created programmatically through the Gmail API by an OAuth-authorized application looks exactly like a user-created filter in the Gmail Settings UI, so a "forward to external address" filter planted by an attacker blends in with legitimate ones, and it keeps working after the creating application has been deauthorized. Additionally, automatic forwarding set on the account and routing configured at the admin level are easy to overlook if administrators are only checking individual users' filter lists.

PowerShell Detection vs. Automated Scanning

The traditional approach to detecting hidden forwarding rules in Microsoft 365 is to run PowerShell cmdlets like Get-InboxRule across every mailbox in the tenant, plus Get-TransportRule for tenant-wide rules and Get-Mailbox for mailbox-level forwarding (ForwardingSmtpAddress), which is not an inbox rule and never appears in Get-InboxRule output. While this works in theory, it has significant practical limitations. Running Get-InboxRule against hundreds or thousands of mailboxes is slow, requires elevated permissions, and produces output that must be manually reviewed. It's a point-in-time check: an attacker who creates a rule after your audit will go undetected until the next manual scan.

Automated detection tools like MailBreach take a fundamentally different approach. Instead of relying on periodic manual sweeps, MailBreach scans every mailbox in your tenant on a schedule through the Microsoft Graph API and Gmail API. It inspects the full rule set, including MAPI-level rules, transport rules, and server-side forwarding configurations, and flags any rule that forwards, redirects, or copies email to an external address. Results are classified by severity using 12 detection patterns that map to known BEC tactics.

The advantage of automation goes beyond convenience. MailBreach maintains a baseline of known-good rules for each mailbox, so it can detect a new forwarding rule on the next scan after it appears. It cross-references destinations against your organization's domain allowlist to separate legitimate forwarding (like forwarding to an approved partner domain) from suspicious activity (like forwarding to a newly registered lookalike domain). This baseline-and-diff approach catches what one-off scans miss.

  • PowerShell Get-InboxRule is a point-in-time check that requires manual review
  • Automated scanning provides continuous monitoring across all mailboxes
  • Baseline comparison detects new rules as soon as they appear
  • Domain allowlist matching separates legitimate forwarding from threats
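The PowerShell below is an added example, not MailBreach's code and not part of the original page. It does the Get-InboxRule sweep described above together with the baseline-and-diff comparison from the previous section: it collects inbox rules, mailbox-level forwarding and transport rules, marks every destination outside the tenant's accepted domains as external, and reports only what was not in the previous snapshot. It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session with at least View-Only Recipients rights, and a baseline file path of my choosing; the function names are mine.

```powershell
# Added example, not MailBreach's own code: sweep an Exchange Online tenant for
# forwarding (inbox rules, mailbox-level forwarding, transport rules), flag anything
# that leaves the tenant's accepted domains, and diff against a saved baseline.
# Assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.

function Get-InternalDomainSet {
    # Only the tenant's accepted domains count as internal destinations.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in Get-AcceptedDomain) { [void]$set.Add($d.DomainName.ToString()) }
    return $set
}

function Get-SmtpDomain {
    param([string]$Recipient)
    # Rule recipients look like '"Name" [SMTP:user@example.com]', mailbox forwarding like
    # 'smtp:user@example.com', transport-rule recipients are plain addresses.
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $Recipient = $Matches[1] }
    if ($Recipient -match '@([^@>\s]+)$') { return $Matches[1] }
    return $null   # not an SMTP address (display name or X500 entry): leave unresolved
}

function New-Finding {
    param($Mailbox, $Source, $RuleId, $Name, $Destination, [bool]$Enabled, $InternalDomains)
    $domain = Get-SmtpDomain $Destination
    [pscustomobject]@{
        Mailbox     = $Mailbox
        Source      = $Source
        RuleId      = $RuleId
        Name        = $Name
        Destination = $Destination
        Enabled     = $Enabled
        # Unresolvable destinations are treated as external so they get reviewed, not ignored.
        External    = ($null -eq $domain) -or (-not $InternalDomains.Contains($domain))
    }
}

function Get-ForwardingSnapshot {
    param([System.Collections.Generic.HashSet[string]]$InternalDomains)
    $findings = [System.Collections.Generic.List[object]]::new()
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox `
        -Properties PrimarySmtpAddress,ForwardingSmtpAddress
    foreach ($mbx in $mailboxes) {
        $smtp = $mbx.PrimarySmtpAddress.ToString()
        # Mailbox-level forwarding is not an inbox rule; Get-InboxRule never shows it.
        if ($mbx.ForwardingSmtpAddress) {
            $findings.Add((New-Finding $smtp 'MailboxForwarding' 'mailbox' 'ForwardingSmtpAddress' `
                $mbx.ForwardingSmtpAddress.ToString() $true $InternalDomains))
        }
        foreach ($rule in Get-InboxRule -Mailbox $smtp) {
            # All three actions send a copy elsewhere; ForwardTo and RedirectTo are the usual BEC choices.
            foreach ($dest in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
                if ($dest) {
                    $findings.Add((New-Finding $smtp 'InboxRule' $rule.RuleIdentity $rule.Name `
                        $dest.ToString() $rule.Enabled $InternalDomains))
                }
            }
        }
    }
    # Transport rules are tenant-wide; a redirect or BCC to an outside address siphons everyone's mail.
    foreach ($tr in Get-TransportRule) {
        foreach ($dest in @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.CopyTo)) {
            if ($dest) {
                $findings.Add((New-Finding '*' 'TransportRule' $tr.Guid $tr.Name `
                    $dest.ToString() ($tr.State -eq 'Enabled') $InternalDomains))
            }
        }
    }
    return $findings.ToArray()
}

function Get-FindingKey {
    param($Finding)
    # Mailbox + source + rule + destination: a rule whose destination changed shows up as new.
    return ('{0}|{1}|{2}|{3}' -f $Finding.Mailbox, $Finding.Source, $Finding.RuleId, $Finding.Destination).ToLowerInvariant()
}

function Compare-ForwardingSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    $known = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($b in $Baseline) { [void]$known.Add((Get-FindingKey $b)) }
    # Anything absent from the baseline is new since the last run, whatever its creation date.
    return @($Current | Where-Object { -not $known.Contains((Get-FindingKey $_)) })
}

# Usage: report new external forwarding since the last run, then roll the baseline forward.
$internal     = Get-InternalDomainSet
$current      = Get-ForwardingSnapshot -InternalDomains $internal
$baselinePath = '.\forwarding-baseline.json'    # assumed location; change as needed
$baseline     = if (Test-Path $baselinePath) { Get-Content $baselinePath -Raw | ConvertFrom-Json } else { @() }
Compare-ForwardingSnapshot -Baseline $baseline -Current $current |
    Where-Object { $_.External } |
    Sort-Object Mailbox |
    Format-Table Mailbox, Source, Name, Destination, Enabled -AutoSize
ConvertTo-Json -InputObject @($current) -Depth 3 | Set-Content $baselinePath
```

Run it from a scheduled task and the first execution only seeds the baseline; later runs print just the external destinations that were not there before, which is the baseline-and-diff idea in a few dozen lines. The caveat is the one already noted above: this sees whatever Get-InboxRule returns, so a rule whose rule-message properties were stripped to hide it from clients may need MFCMAPI or an EWS query of the Inbox's associated items instead, while mailbox-level forwarding and transport rules are covered directly.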

How MailBreach Detects Hidden Forwarding Rules

MailBreach connects to your Microsoft 365 or Google Workspace tenant through a read-only OAuth integration and performs a comprehensive scan of every mailbox. For Microsoft 365, it uses the Microsoft Graph API's mail folder and message rule endpoints to enumerate all inbox rules, including those created at the MAPI level. For Google Workspace, it uses the Gmail API's filters and forwarding endpoints combined with the Admin SDK for domain-level settings.

Each detected rule is analyzed by MailBreach's AI-powered classification engine, which assigns a severity level and maps the rule to one of 12 detection patterns. Severity 1 patterns — such as forwarding all email to an external address or forwarding to a recently registered domain — trigger immediate alerts and can be auto-remediated in Mode C. Severity 2 patterns require administrator approval before remediation. Severity 3 patterns are monitored but not flagged as threats.

When a hidden forwarding rule is detected, MailBreach presents the full rule details: the mailbox it belongs to, when it was created, what conditions it matches, and where it forwards email. Administrators can approve remediation directly from the dashboard, which disables or deletes the rule and creates a before-snapshot for rollback. Every action is logged in an immutable audit trail for compliance reporting.

Key Capabilities

MAPI-Level Rule Detection

Surfaces forwarding rules that Outlook, OWA, and the Exchange admin center cannot display, including rules created by attack tools like Ruler.

Continuous Monitoring

Scans your tenant on a configurable schedule rather than relying on one-time PowerShell audits. Detects new hidden rules within hours of creation.

12 Detection Patterns

Classifies every rule against 12 patterns mapped to known BEC and email exfiltration tactics, from external forwarding to keyword-targeted siphoning.

One-Click Remediation

Disable or delete hidden rules directly from the MailBreach dashboard with a full before-snapshot for rollback and an immutable audit trail.


Ready to secure your email?

Start detecting hidden forwarding rules in minutes. No credit card required.

Scan for Hidden Rules Now