Defender Stops the Phish. Who Catches the Forwarding Rule?

Microsoft Defender for Office 365 is excellent at blocking inbound threats. MailBreach detects the post-compromise persistence that Defender wasn't designed to find — hidden MAPI forwarding rules, inbox manipulation, and silent email exfiltration.

Free 14-day trial. Connect your M365 tenant in under 5 minutes and scan for hidden rules.

What Microsoft Defender for Office 365 Covers

Microsoft Defender for Office 365 (MDO) is a comprehensive inbound email security platform. It provides Safe Attachments (sandboxing attachments to detect malware), Safe Links (rewriting and scanning URLs at time-of-click), anti-phishing policies (impersonation detection, mailbox intelligence), and zero-hour auto purge (ZAP) to remove threats that are identified after delivery. For Plan 2 subscribers, it adds Threat Explorer, automated investigation and response (AIR), and attack simulation training.

Defender is genuinely good at what it does. Its machine learning models detect sophisticated phishing attempts, its sandboxing catches zero-day malware, and its impersonation detection flags emails spoofing executives or partners. For organizations using Microsoft 365, Defender is a foundational layer of email security and should be part of every deployment.

However, Defender's design focus is the inbound threat surface: emails arriving in your organization from external senders. It answers the question "is this incoming email a threat?" It is not designed to answer a different but equally critical question: "has an attacker already compromised a mailbox and installed a hidden forwarding rule?"

  • Safe Attachments: Sandboxes attachments to detect malware and zero-day threats
  • Safe Links: Scans URLs at time-of-click to block malicious sites
  • Anti-phishing: Detects impersonation, spoofing, and social engineering
  • Zero-hour auto purge: Removes threats identified after delivery

The Gap: Post-Compromise Email Configuration

The gap between Defender and MailBreach is not a flaw in Defender — it's a difference in scope. Defender focuses on the inbound threat plane: preventing malicious emails from reaching users. MailBreach focuses on the post-compromise configuration plane: detecting what attackers do after they successfully access a mailbox, regardless of how they got in.

Consider a typical BEC attack timeline. The attacker sends a credential phishing email (which Defender may or may not catch). The user clicks, enters credentials, and the attacker gains access. Now the attacker creates a hidden MAPI-level forwarding rule that copies all incoming email to an external address. They create an inbox rule that deletes any incoming email from the IT department (to prevent security notifications from reaching the user). They may also configure a delegate to maintain access even after a password reset.

Defender does not scan individual mailboxes for suspicious inbox rules. It does not maintain a baseline of known-good rules. It does not detect MAPI-level rules that are invisible in the Outlook UI. It does not flag cross-tenant forwarding configurations. These are outside Defender's design scope. Microsoft's recommendation for detecting these configurations is to use PowerShell — a manual, periodic process that doesn't scale.

What MailBreach Detects That Defender Does Not

MailBreach is purpose-built for the specific threat surface that Defender doesn't cover: mailbox configuration manipulation. It connects to your Microsoft 365 tenant via the Microsoft Graph API and performs a comprehensive scan of every mailbox, inspecting configurations that Defender's inbound-focused engine doesn't examine.

Hidden MAPI-level forwarding rules are the most significant detection gap. These rules are created through the MAPI RPC/HTTP protocol and are stored as binary blobs in the mailbox's hidden items. They don't appear in Outlook, OWA, or the Exchange admin center. Defender doesn't inspect them because it processes incoming mail, not mailbox configurations. MailBreach reads the full rule set for every mailbox, including MAPI-level rules, and flags any that forward email to external addresses.

Beyond hidden rules, MailBreach detects: transport rule modifications that create forwarding exceptions for specific domains, inbox rules that delete security notifications, cross-tenant forwarding in multi-tenant environments, delegate access configured by attackers to maintain persistence, and keyword-targeted forwarding rules designed to selectively exfiltrate high-value messages. Each finding is classified by severity and mapped to one of 12 detection patterns.

  • Hidden MAPI-level forwarding rules invisible to Outlook and OWA
  • Transport rule modifications that create forwarding exceptions
  • Inbox rules that delete security notifications from IT/admin
  • Cross-tenant forwarding in multi-tenant Microsoft 365 environments
  • Keyword-targeted forwarding rules designed for selective exfiltration

Better Together: Defender + MailBreach

The strongest email security posture combines Defender's inbound threat prevention with MailBreach's post-compromise configuration monitoring. Defender reduces the probability of compromise by blocking phishing and malware. MailBreach reduces the impact of compromise by detecting attacker persistence mechanisms before they can be used for data exfiltration.

This layered approach follows the principle of defense in depth. No single security tool catches everything. Defender might miss a sophisticated phishing email that uses a compromised legitimate domain. MFA might be bypassed through token theft or MFA fatigue. When prevention fails, detection becomes the critical layer — and detection of inbox rule manipulation is precisely what MailBreach provides.

Deployment is simple because the two tools operate independently. Defender runs as part of your Microsoft 365 subscription with no additional configuration for this integration. MailBreach connects via a separate OAuth grant with read-only Graph API permissions. There's no conflict between the two, no shared configuration, and no performance impact. MailBreach's scans run on its own infrastructure, not on your Exchange Online environment.

Key Capabilities

MAPI-Level Rule Detection

Detects forwarding rules created at the MAPI protocol level that are invisible to Outlook, OWA, the Exchange admin center, and Microsoft Defender.

Cross-Tenant Forwarding Detection

Identifies forwarding rules and transport configurations that route email between tenants in multi-tenant Microsoft 365 environments.

Security Notification Suppression Detection

Flags inbox rules that delete or hide emails from IT, security, or admin accounts — a common attacker tactic to prevent detection.

Baseline-and-Diff Monitoring

Maintains a per-mailbox baseline of known rules and alerts on any new or modified rules, providing the continuous monitoring that Defender lacks for mailbox configurations.
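As an added example (not MailBreach's own code), the two checks described above, per-rule classification and baseline-and-diff, over constructed inbox rules in the shape of Microsoft Graph messageRule objects. INTERNAL_DOMAINS, NOTIFY_SENDERS and the sample rules are assumptions.

```python
"""Classify inbox rules and diff them against a stored baseline.

Added example, not MailBreach code. Input is assumed to already be in the
shape of Microsoft Graph 'messageRule' objects (constructed samples below).
"""
INTERNAL_DOMAINS = {"contoso.example"}           # assumed tenant domains
NOTIFY_SENDERS = ("it@", "security@", "admin@")  # assumed notification senders

def _addresses(entries):
    """Extract SMTP addresses from Graph recipient objects."""
    return [e["emailAddress"]["address"].lower() for e in entries or []]

def classify_rule(rule):
    """Return (pattern, severity) findings for one rule; empty list if benign."""
    findings = []
    actions, cond = rule.get("actions", {}), rule.get("conditions", {})
    targets = sum((_addresses(actions.get(k)) for k in
                   ("forwardTo", "forwardAsAttachmentTo", "redirectTo")), [])
    if any(t.split("@")[-1] not in INTERNAL_DOMAINS for t in targets):
        # Keyword-conditioned external forwarding is selective exfiltration
        selective = bool(cond.get("subjectContains") or cond.get("bodyContains"))
        findings.append(("selective-exfil" if selective else "external-forward", "high"))
    senders = _addresses(cond.get("fromAddresses")) + \
        [s.lower() for s in cond.get("senderContains", [])]
    if (actions.get("delete") or actions.get("permanentDelete")) and \
            any(n in s for s in senders for n in NOTIFY_SENDERS):
        findings.append(("notification-suppression", "high"))
    return findings

def diff_against_baseline(baseline, current):
    """Baseline-and-diff: rules that are new or changed since the last scan."""
    base = {r["id"]: r for r in baseline}
    return [("new" if r["id"] not in base else "modified", r["id"])
            for r in current if r["id"] not in base or base[r["id"]] != r]

def scan(baseline, current):
    """Only rules that changed since the baseline are classified and reported."""
    changed = {rid for _, rid in diff_against_baseline(baseline, current)}
    return {r["id"]: classify_rule(r) for r in current if r["id"] in changed}

# Constructed sample rules (not real tenant data)
BASELINE = [{"id": "r1", "displayName": "Newsletters",
             "conditions": {"senderContains": ["news"]}, "actions": {"moveToFolder": "Archive"}}]
CURRENT = BASELINE + [
    {"id": "r2", "displayName": ".", "conditions": {"subjectContains": ["invoice", "wire"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}]}},
    {"id": "r3", "displayName": "cleanup", "actions": {"delete": True, "markAsRead": True},
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "IT@contoso.example"}}]}},
]

if __name__ == "__main__":
    for rid, found in scan(BASELINE, CURRENT).items():
        print(rid, found)
```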

Ready to secure your email?

Start detecting hidden forwarding rules in minutes. No credit card required.
