We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Investigating Inbox Rules

  • Last updated on

A hacker taking over accounts might create inbox rules to cover their tracks. Rules that might signify an account takeover include rules that:

  • delete emails that the hacker has sent
  • delete reply emails sent to a hacker account
  • automatically forward emails to external addresses

You can investigate inbox rules recently changed in your Office 365 accounts to see if there is anything unusual.

For a Specific Email or Account

To investigate inbox rules for a specific email or Office 365 account:

  1. Log into the Barracuda Sentinel dashboard at https://sentinel.barracudanetworks.com/signin.
  2. Click the menu button at the top left of the dashboard and select Account Takeover. Then select the Inbox Rules tab.
  3. In the Investigate Mailbox section, click the Name or email of account field and select the desired name.
  4. Click View Inbox Rules to see the inbox rules associated with that user or account. There, you can determine if anything looks suspicious and take appropriate actions.
For Recently Changed Rules

The Inbox Rules Change Feed provides visibility across all of your accounts in your Office 365 tenant, enabling you to identify suspicious rules across your entire environment in one place.

To investigate inbox rules that have recently changed:

  1. Log into the Barracuda Sentinel dashboard at https://sentinel.barracudanetworks.com/signin.
  2. Click the menu button at the top left of the dashboard and select Account Takeover. Then select the Inbox Rules tab.
  3. Under Inbox Rules Change Feed, examine the list of rule changes. For details on a specific action, click Investigate.
    Determine if anything looks suspicious and take appropriate actions.

 

Last updated on