You can help support this website by buying me a coffee!
3 minutes reading time
(525 words)
Find Exchange Online Mailbox Hidden Inbox Rules using PowerShell
How to find Exchange Online mailbox hidden Outlook inbox rules using PowerShell and show the contents of rules to check for suspicious actions.
Attackers will attempt to create inbox rules after gaining access to a mailbox to forward copies of emails being sent and received from the mailbox.
Because suspicious inbox rules would raise the alarm that the mailbox has been compromised, attackers may create hidden inbox rules that are more difficult to detect. Hidden inbox rules do not show in the Outlook client or Outlook on the web.
Because suspicious inbox rules would raise the alarm that the mailbox has been compromised, attackers may create hidden inbox rules that are more difficult to detect. Hidden inbox rules do not show in the Outlook client or Outlook on the web.
Get Outlook hidden inbox rules using PowerShell Get-InboxRule
# get inbox rules Get-InboxRule -Mailbox user@domain.com
Get-InboxRule doesn't show Outlook client-only rules
In this example, we can only see one rule
But when we run the PowerShell again with the -IncludeHidden option, we can see more rules
# get hidden inbox rules Get-InboxRule -Mailbox user@domain.com -IncludeHidden
View details of hidden inbox rules - all properties
In this example, we can show the properties of the inbox rules to get more information about the content of the rules.
Get-InboxRule -Mailbox user@domain.com -includehidden | Select-object *
Show only certain inbox rule properties
In this example, we are selecting only the rule properties that show us what actions the rule contains. This way, we can check for any rules that could be forwarding to a suspicious external email address
# get inbox rule details, format list Get-InboxRule -Mailbox user@domain.com -includehidden | Select-object Name, Description, Enabled, RedirectTo, MoveToFolder, ForwardTo | fl # get inbox rule details, export to file Get-InboxRule -Mailbox user@domain.com -includehidden | Select-object Name, Description, Enabled, RedirectTo, MoveToFolder, ForwardTo | Out-File C:\Temp\inboxrules.txt
Remove hidden Outlook inbox rules using PowerShell Remove-InboxRule
Get-InboxRule -Mailbox user@domain.com -includehidden
Copy the rule identity. You'll need this to delete the inbox rule
Remove Outlook inbox rules using PowerShell Remove-InboxRule
Using -Confirm:$false will skip the confirmation prompt
Remove one inbox rule using -Identity
# Remove one inbox rule using -Identity Remove-InboxRule -Mailbox user@domain.com -Identity 1125502695398965249 -Confirm:$false
Remove all inbox rules including hidden rules for a mailbox
# Remove all inbox rules including hidden rules Get-InboxRule -Mailbox "user@domain.com" -includehidden | Remove-InboxRule
Delete Outlook rules using /cleanrules
This command starts Outlook and deletes all client and server inbox rules
Outlook.exe /cleanrules
/cleanrules will delete all client-side and server-side rules from all mailboxes in your Outlook profile
You should only run /cleanrules when your Outlook profile contains just the target mailbox
References:
Exchange PowerShell - Get-InboxRule
https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxruleExchange PowerShell - Remove-InboxRule
https://docs.microsoft.com/en-us/powershell/module/exchange/remove-inboxruleCommand-line switches for Microsoft Office products
by Author
https://support.microsoft.com/en-us/office/command-line-switches-for-microsoft-office-products-079164cd-4ef5-4178-b235-441737deb3a6
SOLVED: Outlook Error. The Out Of Office Rules cannot be displayed. The client operation failed. - TechLabs
SOLVED: Error when trying to turn on Automatic Replies (Out of Office) in Outlook. The Out Of Office Rules cannot be displayed. The client operation failed.
Comments