Microsoft 365 Security

Secure Every Mailbox in Your Microsoft 365 Tenant

Microsoft Defender stops inbound threats. MailBreach catches what it misses — hidden forwarding rules, MAPI-level redirects, and silent email exfiltration buried in Exchange Online configurations.

14-day free trial. Connect in under 5 minutes. No MX changes required.

What Microsoft 365's Built-In Security Covers — and What It Doesn't

Microsoft 365 includes a robust set of security features: Exchange Online Protection (EOP) for anti-spam and anti-malware, Microsoft Defender for Office 365 for safe links and safe attachments, and Azure AD Identity Protection for sign-in risk analysis. These tools are excellent at blocking inbound threats — phishing emails, malware payloads, and credential harvesting pages.

But none of them monitor what happens after a mailbox is compromised. When an attacker gains access through credential phishing, OAuth token theft, or session hijacking, their first move is often to plant forwarding rules that silently copy emails to an external address. This technique (MITRE ATT&CK T1114.003) operates entirely within the mailbox configuration layer — a layer that Defender, EOP, and even most third-party email security tools do not inspect.

Microsoft does log some mailbox rule events in the Unified Audit Log, but these logs can take up to 24 hours to appear, require specific audit policies to be enabled, and generate high volumes of noise from legitimate rule creation. Without a purpose-built tool that performs direct rule inspection via the Graph API, forwarding-based exfiltration can persist for weeks or months before discovery.

  • EOP and Defender focus on inbound message scanning, not mailbox configurations
  • OAuth token theft bypasses MFA and gives attackers persistent mailbox access
  • Unified Audit Log rule events can be delayed up to 24 hours
  • MAPI-level rules do not appear in the standard Outlook rules interface

The Hidden MAPI Rule Problem in Exchange Online

Exchange Online supports multiple methods for creating inbox rules. Users typically create rules through Outlook Web Access or the Outlook desktop client. Administrators use PowerShell cmdlets like New-InboxRule. Applications use the Microsoft Graph API or, in legacy scenarios, Exchange Web Services (EWS). Each method stores rules in different locations within the mailbox, and not all are visible through the same interface.

MAPI-level rules are particularly dangerous. Created through direct MAPI property manipulation — often via tools like Ruler or custom scripts — these rules are stored in the hidden rules table of the mailbox. They do not appear in the Outlook rules dialog, the OWA rules page, or even the Get-InboxRule PowerShell cmdlet. They are effectively invisible to administrators using standard Microsoft 365 management tools.

MailBreach uses the Microsoft Graph API with extended permissions to enumerate all rule types in every Exchange Online mailbox, including MAPI-level rules. Each rule is inspected for forwarding targets, redirect actions, keyword triggers, and creation metadata. Rules matching known attack patterns are flagged and classified by severity, giving your team visibility into the hidden rule layer that standard M365 tools cannot reach.

  • MAPI rules are invisible in Outlook, OWA, and Get-InboxRule PowerShell
  • Attackers use tools like Ruler to plant MAPI-level forwarding rules
  • MailBreach enumerates all rule types via the Graph API, including hidden MAPI rules
  • Each rule is checked for forwarding targets, keywords, and suspicious creation patterns

How MailBreach Secures Your Microsoft 365 Tenant

MailBreach connects to your M365 tenant through a registered Azure AD application with scoped Graph API permissions. The onboarding process takes under five minutes — register the app, grant admin consent, and MailBreach begins scanning. No agents, no proxies, no MX record changes.

During each scan, MailBreach reads inbox rules, transport rules, and forwarding configurations for every mailbox in the tenant. Rules are evaluated against 12 detection patterns covering external forwarding, keyword-triggered interception, freemail destinations, API-created rules, and more. Each finding is mapped to MITRE ATT&CK T1114.003 and assigned a severity level.

Remediation is built directly into the workflow. Severity 1 findings can be auto-remediated in Mode C, while Severity 2 findings surface for human review in Mode B (the default). Before any rule is disabled or deleted, MailBreach captures a full snapshot of the rule configuration so it can be rolled back if the finding turns out to be a false positive. Post-remediation, MailBreach re-reads the mailbox state to verify the action was successful and logs everything to an immutable audit trail.

  • Connect in under 5 minutes — no agents, proxies, or MX record changes
  • Scans inbox rules, transport rules, and forwarding configurations tenant-wide
  • Before-snapshot capture enables one-click rollback of any remediation action
  • Immutable audit log supports SOC 2, ISO 27001, and compliance reporting
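To make the rule-evaluation step concrete, here is an added example (not MailBreach's own code, and not its 12 production patterns) that scores inbox rules in the JSON shape returned by the Microsoft Graph `messageRules` resource (`GET /users/{id}/mailFolders/inbox/messageRules`). The sample rules, the tenant domain list, the freemail list and the keyword list are all constructed for the illustration; the severity mapping follows the page's two-tier scheme (Severity 1 for auto-remediation candidates, Severity 2 for human review).

```python
"""Flag suspicious Exchange Online inbox rules from Graph messageRule JSON.

Added illustration: the heuristics below are assumptions chosen for the example,
not a vendor's detection patterns. Input shape follows the Graph API messageRule
resource (displayName, isEnabled, conditions, actions); all values are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample mailbox: one benign rule, one classic exfiltration rule,
# one internal redirect, and one disabled external forward.
SAMPLE_RULES = [
    {"id": "RULE-1", "displayName": "Archive newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER"}},
    {"id": "RULE-2", "displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "backup.mail.7731@gmail.com"}}],
                 "markAsRead": True, "delete": True}},
    {"id": "RULE-3", "displayName": "Forward to assistant", "isEnabled": True,
     "conditions": {},
     "actions": {"redirectTo": [{"emailAddress": {"address": "assistant@example.com"}}]}},
    {"id": "RULE-4", "displayName": "Old project", "isEnabled": False,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ex@partner-corp.example"}}]}},
]

TENANT_DOMAINS = {"example.com"}            # assumption: the tenant's accepted domains
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
SENSITIVE_KEYWORDS = {"invoice", "wire", "payment", "password", "bank"}
HIGH_RISK = {"freemail_destination", "keyword_triggered", "hide_from_victim"}


@dataclass
class Finding:
    rule_id: str
    severity: int                      # 1 = auto-remediation candidate, 2 = human review
    patterns: list[str] = field(default_factory=list)
    destinations: list[str] = field(default_factory=list)


def _forwarding_targets(actions: dict) -> list[str]:
    """Collect every address the rule forwards or redirects mail to."""
    addrs = []
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            if addr:
                addrs.append(addr)
    return addrs


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def evaluate_rule(rule: dict, tenant_domains: set[str] = TENANT_DOMAINS) -> Finding | None:
    """Return a Finding for rules that send mail outside the tenant, else None."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    external = [a for a in _forwarding_targets(actions) if _domain(a) not in tenant_domains]
    if not external:
        return None                      # internal redirects are out of scope here

    patterns = ["external_forwarding"]
    if any(_domain(a) in FREEMAIL_DOMAINS for a in external):
        patterns.append("freemail_destination")

    # Keyword triggers: attacker rules often intercept only financially relevant mail.
    words = {w.lower() for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for w in (conditions.get(key) or [])}
    if words & SENSITIVE_KEYWORDS:
        patterns.append("keyword_triggered")

    # Marking read or deleting the original hides the forwarded message from the user.
    if actions.get("delete") or actions.get("markAsRead"):
        patterns.append("hide_from_victim")

    name = (rule.get("displayName") or "").strip()
    if len(name) <= 1 or not re.search(r"[A-Za-z]", name):
        patterns.append("obfuscated_name")   # ".", "..", whitespace-only names

    if not rule.get("isEnabled", True):
        patterns.append("disabled")          # still worth tracking: can be re-enabled later

    severity = 1 if HIGH_RISK & set(patterns) else 2
    return Finding(rule["id"], severity, patterns, external)


def scan_mailbox(rules: list[dict]) -> list[Finding]:
    return [f for f in (evaluate_rule(r) for r in rules) if f is not None]


if __name__ == "__main__":
    for f in scan_mailbox(SAMPLE_RULES):
        print(f"S{f.severity} {f.rule_id}: {', '.join(f.patterns)} -> {', '.join(f.destinations)}")
```

Running it against the constructed sample reports RULE-2 as Severity 1 (freemail destination, keyword trigger, delete/mark-as-read, obfuscated name) and RULE-4 as Severity 2 (external but disabled); RULE-3 is not reported because `assistant@example.com` is inside the tenant's domains. Note that this reads only what the Graph `messageRules` endpoint exposes; hidden MAPI-level rules of the kind described earlier on this page need a separate enumeration path and would not appear in this input.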

Key Capabilities

Graph API Integration

Direct read access to Exchange Online mailbox rules via the Microsoft Graph API. No mail flow proxying, no MX changes, no message content access.

MAPI Rule Detection

Detects hidden MAPI-level rules that are invisible in Outlook, OWA, and standard PowerShell cmdlets — the rules attackers plant to avoid detection.

Transport Rule Monitoring

Scans tenant-level Exchange transport rules for organization-wide forwarding configurations that could exfiltrate mail at scale.

Drift Detection

Daily automated scans detect new forwarding rules as they appear. Get alerted the same day a rule is created, not weeks later via audit log review.

Ready to secure your email?

Start detecting hidden forwarding rules in minutes. No credit card required.

Scan Your M365 Tenant Free