Mailbox Rules
View and manage Inbox rules configured on user mailboxes. Mailbox rules automatically process incoming messages based on conditions, performing actions like moving, forwarding, or deleting messages. Administrators can audit rules for security and compliance.
Warning: Malicious mailbox rules are a common indicator of account compromise. Attackers create forwarding or deletion rules to hide their activity. Review rules regularly as part of security hygiene.
Mailbox Rule List
| Column | Description |
|---|---|
| User | Mailbox owner |
| Rule Name | Name of the Inbox rule |
| Priority | Processing order (lower number = higher priority) |
| Enabled | Whether the rule is active |
| Conditions | Summary of matching criteria |
| Actions | Summary of actions performed |
Common Rule Types
Move Rules
Automatically move messages to specific folders based on sender, subject, or keywords. Common for organizing newsletters, notifications, and project email.
Forward Rules
Forward or redirect messages to another email address. Monitor these rules closely: unauthorized forwarding to external addresses may indicate compromise.
Delete Rules
Automatically delete messages matching criteria. Attackers may create rules to delete security alerts or password reset notifications.
Reply Rules
Send automatic replies to messages matching specific conditions. Useful for acknowledging support requests or sending out-of-office replies to specific senders.
Security Concerns
Suspicious Rule Indicators
Watch for rules that may indicate account compromise:
- External forwarding — Rules forwarding all email to external addresses
- Delete and mark as read — Rules that silently delete incoming messages
- Hiding notifications — Rules targeting password reset or security alert emails
- Broad conditions — Rules matching all messages or very broad criteria
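The four indicators above can be checked mechanically once rules are exported. The following is an added example, not code from this product: the record field names (forwardTo, redirectTo, deleteMessage, markAsRead, moveToFolder, subjectOrBodyContainsWords, from) are assumptions modelled on Exchange Online Get-InboxRule properties, and the keyword list and sample rules are constructed.

```python
# Added example. Field names are assumptions modelled on Get-InboxRule
# properties, not this product's documented API response schema.
SENSITIVE_WORDS = ("password", "reset", "security alert", "sign-in", "verification")

def is_external(address, internal_domains):
    """True when the address's domain is not one of the organization's domains."""
    return address.rsplit("@", 1)[-1].strip().lower() not in internal_domains

def flag_rule(rule, internal_domains):
    """Return the suspicious-rule indicators that one rule matches."""
    if not rule.get("enabled", True):
        return []  # disabled rules do not fire
    findings = []
    targets = rule.get("forwardTo", []) + rule.get("redirectTo", [])
    words = [w.lower() for w in rule.get("subjectOrBodyContainsWords", [])]
    deletes = bool(rule.get("deleteMessage"))
    hides = deletes or rule.get("markAsRead") or rule.get("moveToFolder")
    if any(is_external(t, internal_domains) for t in targets):
        findings.append("external-forwarding")
    if deletes:
        findings.append("silent-delete")
    if hides and any(s in w for w in words for s in SENSITIVE_WORDS):
        findings.append("hiding-notifications")
    # No keyword and no sender condition means the rule matches every message.
    if not words and not rule.get("from") and (targets or deletes):
        findings.append("broad-conditions")
    return findings

def audit(rules, internal_domains):
    """Return (user, rule name, indicators) for every rule with a finding."""
    flagged = ((r, flag_rule(r, internal_domains)) for r in rules)
    return [(r["user"], r["name"], f) for r, f in flagged if f]

SAMPLE_RULES = [  # constructed sample data, not real mailboxes
    {"user": "alice@contoso.example", "name": "Newsletters", "enabled": True,
     "from": ["news@vendor.example"], "moveToFolder": "Newsletters"},
    {"user": "bob@contoso.example", "name": ".", "enabled": True,
     "forwardTo": ["drop@mailbox.example"]},
    {"user": "bob@contoso.example", "name": "..", "enabled": True,
     "subjectOrBodyContainsWords": ["Password reset", "security alert"],
     "deleteMessage": True, "markAsRead": True},
    {"user": "carol@contoso.example", "name": "To assistant", "enabled": True,
     "from": ["ceo@contoso.example"], "forwardTo": ["dave@contoso.example"]},
]

if __name__ == "__main__":
    for user, name, findings in audit(SAMPLE_RULES, {"contoso.example"}):
        print(f"{user}  rule={name!r}  {', '.join(findings)}")
```

Internal forwarding with a sender condition (the "To assistant" rule) and an ordinary move rule are not flagged; tune SENSITIVE_WORDS and the internal domain set to the organization before relying on the output.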
Remediation Steps
If suspicious rules are found:
- Disable the rule immediately — Prevent further unauthorized actions
- Reset user password — Change credentials and revoke active sessions
- Enable MFA — Require multi-factor authentication on the account
- Audit sign-in logs — Review recent sign-in activity for unauthorized access
- Review other rules — Check for additional malicious rules on the same mailbox
Rule Limits
| Limit | Value |
|---|---|
| Maximum rules per mailbox | 256 |
| Maximum rule size | 256 KB |
| Maximum rules that can fire | 10 per message |
| Redirect/forward limit | 10 recipients |
Best Practices
- Audit forwarding rules regularly — Check for unauthorized external forwarding across the organization.
- Use transport rules for compliance — Use server-side transport rules instead of client mailbox rules for organization-wide policies.
- Monitor rule creation — Set up alerts for new forwarding rules created on high-value accounts.
- Limit external forwarding — Use outbound spam policies to block automatic external forwarding organization-wide.
API Reference
GET /api/exchange/mailbox-rules
List all mailbox rules across the organization
GET /api/exchange/mailbox-rules/:mailboxId
Get rules for a specific mailbox
DELETE /api/exchange/mailbox-rules/:mailboxId/:ruleId
Delete a mailbox rule
PUT /api/exchange/mailbox-rules/:mailboxId/:ruleId/disable
Disable a mailbox rule