Outlook Malicious Email Forwarding Rule

The Problem
A client recently contacted us as they were receiving a strange bounce back message every time they received an email in Outlook. After a little investigation, we established the cause of the problem was that a malicious rule had been set up on their desktop Outlook application.

The Cause
This type of malicious attack is usually the result of a user clicking a link in a phishing email. The link then triggers a request for the user to log in to a fake Office 365 login page. Once the user has entered their credentials into the fake login page, the attacker can create a rule in the user's local Outlook application that attempts to forward a copy of all incoming emails to the attacker.

The Good News
In this case the good news was that the reason our client was receiving the bounce back email was that the email servers that we use are configured to prevent auto-forwarding of incoming emails and notify the user of any attempts to do so.

The Solution
If you are experiencing the problem it can easily be resolved by following the steps below (please note that if your server is not configured to prevent auto-forwarding, you may not know it is happening, so it is worth checking anyway):

  1. In Outlook, click File in the top left-hand corner.
  2. Click the Manage Rules And Alerts option.
  3. A pop-up box will appear, as shown in the image below, listing any rules that are in place locally for your email account.
  4. If there are any rules that you do not recognise as having added, simply highlight the rule and press the Delete button.
  5. If you have not added any rules yourself this box should be blank.


An example of a malicious Outlook email forwarding rule
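
The same check can be scripted. The PowerShell below is an added example, not part of the original article: it lists every rule action that forwards, forwards as an attachment, or redirects mail, and flags recipients outside your own domains. The function names Get-ForwardingRule and New-SampleRule, the sample rules and the domains contoso.example and mail.example are constructed for illustration; the rule objects follow the shape of the Outlook object model (Rule.Actions.Forward and so on).

```powershell
function Get-ForwardingRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rule,
        # Assumption: your organisation's own mail domains; anything else counts as external.
        [string[]] $InternalDomain = @()
    )
    foreach ($r in $Rule) {
        foreach ($kind in 'Forward', 'ForwardAsAttachment', 'Redirect') {
            $action = $r.Actions.$kind
            if (-not $action -or -not $action.Enabled) { continue }
            foreach ($rcpt in $action.Recipients) {
                $addr   = [string]$rcpt.Address
                # Addresses without '@' (e.g. Exchange directory entries) are not treated as external.
                $isSmtp = $addr -like '*@*'
                $domain = if ($isSmtp) { ($addr -split '@')[-1] } else { '' }
                [pscustomobject]@{
                    RuleName    = $r.Name
                    RuleEnabled = [bool]$r.Enabled
                    Action      = $kind
                    Recipient   = $addr
                    External    = $isSmtp -and ($InternalDomain -notcontains $domain)
                }
            }
        }
    }
}

# Constructed sample rules shaped like Outlook Rule objects, so this runs without Outlook.
function New-SampleRule($Name, $Kind, $Address) {
    $actions = @{ Forward = $null; ForwardAsAttachment = $null; Redirect = $null }
    if ($Kind) {
        $actions[$Kind] = [pscustomobject]@{
            Enabled    = $true
            Recipients = @([pscustomobject]@{ Address = $Address })
        }
    }
    [pscustomobject]@{ Name = $Name; Enabled = $true; Actions = [pscustomobject]$actions }
}

$sample = @(
    New-SampleRule 'Move newsletters' $null $null
    New-SampleRule '.' 'Forward' 'collector@mail.example'
    New-SampleRule 'Copy to assistant' 'Redirect' 'pa@contoso.example'
)
Get-ForwardingRule -Rule $sample -InternalDomain 'contoso.example' | Format-Table -AutoSize

# Against the real profile (requires desktop Outlook on this machine):
# $ns = (New-Object -ComObject Outlook.Application).GetNamespace('MAPI')
# Get-ForwardingRule -Rule @($ns.DefaultStore.GetRules()) -InternalDomain 'contoso.example'
```

Any row with External set to True that you did not create yourself is a rule to review and delete in the Rules and Alerts box described above.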

Additional steps you should take:

  • Immediately change your Outlook password
  • Run a full scan of your computer for viruses and malware

Please do not hesitate to contact us if you require assistance with this or would like support with any IT Support issue on consult@creativeconnections.co.uk.