Your Exchange administrator can pull reports about all Outlook rules in the environment, to look for attacker funny business.
One of my first calls in Helpdesk was someone with an Outlook rule called “Stupid people” that deleted those emails. Of course I’m not a narc.
— SwiftOnSecurity (@SwiftOnSecurity) February 28, 2021
A surprising number of email issues come from people creating rules that delete emails and then calling Helpdesk to say, “I’m not getting my emails.” It was one of the first things I used to check for in an Exchange/Outlook environment.
It sometimes happens by accident, but a lot of the time it happens because they think, “This person never sends me anything relevant, so I will just auto-delete these emails.” Then that person becomes their boss, or a co-worker, etc., and the emails become relevant, but the person forgets about the rule.
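One way to run that check across mailboxes, as an added example that is not from the original post: a PowerShell filter that takes inbox-rule objects and reports the ones that delete mail, and, going a step beyond the post, the ones that forward or redirect it. The function name `Select-SuspectInboxRule`, the sample rules and the folder-name match are assumptions made for illustration; the property names are those returned by the Exchange `Get-InboxRule` cmdlet.

```powershell
# Added example (not from the original post). Select-SuspectInboxRule is a
# hypothetical helper name; it reads the properties Get-InboxRule returns.
function Select-SuspectInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        $reasons = @()
        if ($Rule.DeleteMessage) { $reasons += 'deletes message' }
        # Assumption: English folder names; adjust the pattern for localized mailboxes.
        if ($Rule.MoveToFolder -match 'Deleted Items|Junk') {
            $reasons += "moves to $($Rule.MoveToFolder)"
        }
        if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
            $reasons += 'forwards or redirects'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules so the filter can be tried without an Exchange session.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'user1@example.test'; Name = 'Stupid people'; Enabled = $true
                       DeleteMessage = $true; MoveToFolder = $null; ForwardTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'user2@example.test'; Name = 'Newsletters'; Enabled = $true
                       DeleteMessage = $false; MoveToFolder = 'Reading'; ForwardTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'user3@example.test'; Name = 'Copy out'; Enabled = $true
                       DeleteMessage = $false; MoveToFolder = $null; ForwardTo = @('someone@example.test') }
)
$sampleRules | Select-SuspectInboxRule | Format-Table -AutoSize

# In a live Exchange Management Shell or Exchange Online session, feed it real rules:
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress } |
#     Select-SuspectInboxRule |
#     Export-Csv .\inbox-rule-report.csv -NoTypeInformation
```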