It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Login Sign Up Contact & Support

United States – English (GMT-5)

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

Reporting Server

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

NextGen Firewall X

Server Backup (Yosemite)

Campus Help Center / Reference

Network Security

Support Services

Barracuda Impersonation Protection
formerly Sentinel

Overview Documentation Training Materials

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

Reporting Server

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

NextGen Firewall X

Server Backup (Yosemite)

Campus Help Center / Reference

Network Security

Support Services

Login Sign Up Contact & Support

United States – English (GMT-5)

Investigating Inbox Rules

Last updated on 2024-01-12 16:37:18

A hacker taking over accounts might create inbox rules to cover their tracks. Rules that might signify an account takeover include rules that:

delete emails that the hacker has sent
delete reply emails sent to a hacker account
automatically forward emails to external addresses

Inbox rules are only monitored for accounts with paid licenses. Free or student account mailbox rules are not monitored.

You can investigate inbox rules recently changed in your Microsoft 365 accounts to see if there is anything unusual.

For a Specific Email or Account

To investigate inbox rules for a specific email or Microsoft 365 account:

Log into Impersonation Protection at https://sentinel.barracudanetworks.com/signin.
Click the menu button in the top left corner and select Account Takeover Protection. Then select the Inbox Rules tab.
In the Investigate Mailbox section, click the Name or email of account field and select the desired name.
Click View Inbox Rules to see the inbox rules associated with that user or account. There, you can determine if anything looks suspicious and take appropriate actions.

For Recently Changed Rules

The Inbox Rules Change Feed provides visibility across all of your accounts in your Microsoft 365 tenant, enabling you to identify suspicious rules across your entire environment in one place.

To investigate inbox rules that have recently changed:

Log into Impersonation Protection at https://sentinel.barracudanetworks.com/signin.
Click the menu button in the top left corner and select Account Takeover Protection. Then select the Inbox Rules tab.
Under Inbox Rules Change Feed, examine the list of rule changes. For details on a specific action, click Investigate.
Determine if anything looks suspicious and take appropriate actions.