{
	"id": "b2a4c744-b289-4bb6-be18-efd9bb4cff19",
	"created_at": "2026-04-06T00:15:58.797734Z",
	"updated_at": "2026-04-10T03:21:37.957326Z",
	"deleted_at": null,
	"sha1_hash": "632a7530fd384955daa7ec65809fbe6a80c2d700",
	"title": "Hidden Inbox Rules in Microsoft Exchange – Compass Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 455505,
	"plain_text": "Hidden Inbox Rules in Microsoft Exchange – Compass Security Blog\r\nArchived: 2026-04-05 14:51:12 UTC\r\nContents\r\nIntroduction\r\nAttack\r\nOverview\r\nStep-by-Step\r\nDetection\r\nEmail Clients\r\nAdministration Tools\r\nExchange Compliance Features\r\nMAPI Editor\r\nEradication\r\nMicrosoft Security Response Center\r\nSwiss Cyber Storm 2018\r\nConclusion\r\nReferences\r\nIntroduction\r\nIn recent investigations, Compass recognized a rise in the popularity among attackers of compromising Microsoft\r\nExchange credentials. As one of the first steps after having obtained the credentials (most commonly through\r\nphishing), attackers created malicious inbox rules to copy in- and outgoing emails of their victim. The attacker’s\r\ngoal hereby was to guarantee access to emails even after the compromised credentials were changed.\r\nOnce a compromised account is detected, such malicious inbox rules are typically easy to spot and remove. In\r\nfact, they often represent valuable indicators of compromise that can be used to identify other compromised\r\naccounts.\r\nIn this article, we present an undocumented method that can be used to hide such inbox rules. These hidden rules\r\nremain functional, but are no longer visible in popular email clients and Exchange administration tools (on-premise and Office365 environments). The described method comes from our own research and has so far not\r\nbeen observed in the wild. However, similar methods might exist and could be used by cyber criminals.\r\nIn case of a compromised Exchange account, changing credentials might not be enough to stop the leakage of\r\nsensitive information. This article shows that the situation might even be worse, in the sense that not even a search\r\nfor suspicious rules by your Exchange administrator might be sufficient. 
An in-depth forensic investigation might\r\nbe required.\r\nhttps://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/\r\nPage 1 of 10\n\nAttack\r\nOverview\r\nThe attack consists of the following 5 steps:\r\nThe main focus of this article lies on step 4. The described method for hiding inbox rules was – to the best of our\r\nknowledge – so far undocumented. Step 4 has therefore been reported to Microsoft’s Security Response Center.\r\nTheir reply is included later on in this article.\r\nStep-by-Step\r\nSteps 1 and 2\r\nWe assume that an attacker successfully completed steps 1 and 2, meaning that she has opened the victim’s\r\nmailbox in Outlook.\r\nStep 3\r\nAs a next step, the attacker uses Outlook’s wizard to create a rule on the victim’s inbox. For example, the\r\nfollowing rule could copy all incoming emails and forward them to an attacker-controlled address.\r\nCreating an inbox rule in Outlook\r\nAfter finishing the wizard, the newly created rule is enabled and visible in Outlook’s “Rules and Alerts” dialog.\r\nShowing the inbox rule in Outlook\r\nStep 4\r\nIn step 3, the attacker created a regular inbox rule to steal a victim’s incoming emails. The goal of step 4 is to hide\r\nthis rule. By hiding we mean that the rule remains functional, but is neither displayed in popular email clients\r\n(such as Outlook and OWA), nor is it returned by Exchange administration tools (e.g. Exchange Management\r\nShell).\r\nTo achieve this, the attacker makes use of Microsoft’s Messaging API (MAPI). MAPI is a middleware that messaging\r\napplications (such as Outlook) can use to access the messaging subsystem of Windows. 
To demonstrate the attack\r\nof making an inbox rule hidden, we use a MAPI client called “MFCMapi” (recently renamed to “Microsoft\r\nExchange Server Messaging API Editor”) [Ref. #1]. MFCMapi allows us to view and set the low-level contents (raw\r\ndata) of the underlying Exchange storage databases.\r\nThe screenshot below shows the raw inbox rule, created in step 3, opened in MFCMapi.\r\nOpening inbox rule in MFCMapi\r\nThe whole magic for making the rule hidden is to empty the following 2 properties of the inbox’s “Associated\r\nContent Table”:\r\nPR_RULE_MSG_NAME \u003c– Empty ANSI String\r\nPR_RULE_MSG_PROVIDER \u003c– Empty ANSI String\r\nTampering rule properties in MFCMapi\r\nAs we will see in a moment, clearing these 2 properties makes an inbox rule invisible to common messaging\r\napplications, as well as to Exchange administration tools.\r\nSuch an inbox rule is therefore much more difficult to detect, both from the perspective of a victim and from\r\nthat of its administrator.\r\nStep 5\r\nHow to take advantage of a stealthy forwarding rule is outside the scope of this article.\r\nNote: To automate the described attack, steps 2-4 could be scripted. Analogous to some messaging applications\r\n(e.g. Outlook), remote access to mailboxes could be handled using the MAPI over HTTP protocol [Ref. #2].\r\nDetection\r\nEmail Clients\r\nWhen looking back at Outlook, the inbox rule tampered with in step 4 no longer appears. 
Also, Outlook does not\r\nshow any warning giving the victim an indication of a corrupted inbox rule.\r\nShowing the tampered inbox rule in Outlook\r\nThe same applies to Outlook Web Access (OWA).\r\nShowing the tampered inbox rule in OWA\r\nAdministration Tools\r\nNext, we show that the tampered rule is not returned by the Exchange Management Shell (EMS). The EMS is a\r\ncommand line interface that enables administrators to manage Exchange servers.\r\nWith the EMS, inbox rules and their properties can be listed using the “Get-InboxRule” cmdlet. The screenshot below\r\nshows the regular inbox rule that the attacker created in step 3 above.\r\nListing the regular inbox rules using the EMS\r\nAfter the attacker performed step 4, i.e. after she cleared the aforementioned properties, the rule is no longer\r\nreturned. Despite still being functional, the rule therefore does not show up for an administrator using the EMS (or\r\nother admin tools relying on the EMS) while investigating a suspicious mailbox.\r\nListing the tampered inbox rule using the EMS\r\nEven a Microsoft-provided PowerShell script [Ref. #3], recommended for investigating compromised accounts,\r\nrelies on the mentioned cmdlet. The script is therefore not usable to detect or remove any inbox rules made hidden\r\nwith the method described here.\r\nMicrosoft’s PowerShell script to remediate breached accounts relies on the “Get-InboxRule” cmdlet\r\nNote: The help of the “Get-InboxRule” cmdlet lists a flag named “IncludeHidden”. 
However, when showing the\r\nhelp in full detail (Get-Help Get-InboxRule -full), one can see that the flag is reserved for Microsoft internal use.\r\nIt is therefore not usable to detect rules that were made hidden by the method described in step 4.\r\nShowing the “IncludeHidden” flag of the Get-InboxRule cmdlet\r\nExchange Compliance Features\r\nEvidence of hidden forwarding rules, transferring messages to other mailboxes, might be found in the “Message\r\nTracking” compliance features of Exchange (enabled by default). The logs will include an entry for each\r\nforwarded message. Note however that rules with other actions, such as deleting selected messages before they are\r\nread by the victims, would not be tracked by “Message Tracking”.\r\nMAPI Editor\r\nThe only way currently known to us to reliably detect hidden inbox rules is through the use of a MAPI\r\neditor such as “MFCMapi”. The tool gives us raw access to the underlying storage database and lets us list\r\ncorrupted or suspicious rules.\r\nEradication\r\nThe best way to remove hidden inbox rules is again through a MAPI editor such as “MFCMapi”. Alternatively,\r\nyou can run Outlook with the “/cleanrules” flag. This however removes all the rules on the corresponding mailbox\r\n(not only the hidden ones).\r\nClearing inbox rules in Outlook\r\nUnfortunately, both of these methods are not easily applicable corporation-wide (but only on individual mailboxes).\r\nMicrosoft Security Response Center\r\nWe informed the security response center of Microsoft about the identified way to hide inbox rules. Here is what\r\nthey replied:\r\n“[…] Our engineering team investigated the behavior that you described. 
They determined that it is not\r\nconsidered a security issue because it requires control of the account to create these rules. However, they are\r\nconsidering ways to improve the software in the future.”\r\n“[…] MSRC will not be tracking the issue and we won’t have future updates about it […]”\r\nWe will leave the reply without further comment. Be aware that in case of a compromised Exchange account,\r\nsolely changing the account’s credentials and having your administrator review inbox rules might not necessarily\r\nstop an attacker from gaining access to a victim’s emails. An in-depth forensic investigation might be required.\r\nSwiss Cyber Storm 2018\r\nCompass Security is a Silver Sponsor at this year’s Swiss Cyber Storm security conference [Ref. #4]. We will\r\nhave a talk where we further elaborate on the topic of hidden inbox rules. Join us for the talk, or visit our booth and\r\nplay a round of darts to win some beers.\r\nConclusion\r\nIn this article, we described a method for creating Exchange inbox rules that are not shown by Outlook/OWA and\r\nthe Exchange Management Shell. The precondition for this is that an attacker has access to the victim’s mailbox.\r\nChanging a victim’s credentials and having your Exchange administrator look for existing inbox rules might not be\r\nsufficient for the detection of such rules. Microsoft does not consider the described method a security issue.\r\nReferences\r\n1. MFCMapi Editor\r\nhttps://archive.codeplex.com/?p=mfcmapi\r\n2. MAPI over HTTP\r\nhttps://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http\r\n3. Disable Mailforwarding to External Domains\r\nhttps://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/\r\n4. 
Swiss Cyber Storm Conference\r\nhttps://www.swisscyberstorm.com\r\nSource: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/"
	],
	"report_names": [
		"hidden-inbox-rules-in-microsoft-exchange"
	],
	"threat_actors": [],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/632a7530fd384955daa7ec65809fbe6a80c2d700.pdf",
		"text": "https://archive.orkl.eu/632a7530fd384955daa7ec65809fbe6a80c2d700.txt",
		"img": "https://archive.orkl.eu/632a7530fd384955daa7ec65809fbe6a80c2d700.jpg"
	}
}