Today’s post was inspired by a recent incident in which a user clicked on a malicious link and logged in, and their login credentials were compromised as a result. The attacker, upon gaining access to the mailbox (most likely through automation), creates rules that delete specific emails, typically those from the IT department or from the sender of the malicious email. These rules are named "." (a single period).
I’ve prepared a short PowerShell script that allows you to search through all mailboxes and identify those with rules having a specific name.
First, you need to install the Exchange Online module:
```powershell
Install-Module -Name ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement
```
The next step is to connect to Exchange using an administrative account:
```powershell
Connect-ExchangeOnline
```
```powershell
# Enter the name of the rule you want to check:
$ruleName = "."

# Get a list of all mailboxes:
$mailboxes = Get-ExoMailbox -ResultSize Unlimited

# Search for rules in each mailbox:
foreach ($mailbox in $mailboxes) {
    # Query by UserPrincipalName, which is unique for every mailbox
    $rules = Get-InboxRule -Mailbox $mailbox.UserPrincipalName

    # Check if a rule with the specified name exists in the mailbox
    $ruleExists = $rules | Where-Object { $_.Name -eq $ruleName }

    if ($ruleExists) {
        Write-Host "Rule '$ruleName' exists in the mailbox: $($mailbox.DisplayName) - $($mailbox.UserPrincipalName)"
    }
}
```
The result of this query will display messages like:
```
"Rule '.' exists in the mailbox: Full Name - full.name@domain.com"
```
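The check above matches one exact name. The following added example (not part of the original script) goes a step further: it flags any rule whose name consists only of punctuation, symbols or whitespace, and reports what the rule does so it can be triaged. The function name `Find-OddlyNamedInboxRule` is hypothetical, the sample rules are constructed, and the properties `Name`, `Enabled`, `DeleteMessage` and `From` are assumed to mirror what `Get-InboxRule` returns.

```powershell
# Added example: flag inbox rules whose name is only punctuation/symbols/whitespace
# (".", "..", "-" and similar) and show the action each rule takes.
function Find-OddlyNamedInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Mailbox,                 # mailbox the rules belong to (for reporting)

        [Parameter(ValueFromPipeline)]
        [psobject]$Rule                   # rule object, e.g. from Get-InboxRule
    )
    process {
        if ($null -eq $Rule) { return }   # nothing was piped in

        # \p{P} = punctuation, \p{S} = symbols; the whole name must consist of them
        if ($Rule.Name -match '^[\p{P}\p{S}\s]+$') {
            [pscustomobject]@{
                Mailbox       = $Mailbox
                RuleName      = $Rule.Name
                Enabled       = [bool]$Rule.Enabled
                DeleteMessage = [bool]$Rule.DeleteMessage
                From          = ($Rule.From -join '; ')
            }
        }
    }
}

# Constructed sample rules so the function can be tried without a tenant.
$sampleRules = @(
    [pscustomobject]@{ Name = '.';           Enabled = $true; DeleteMessage = $true;  From = @('it-helpdesk@example.com') }
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; DeleteMessage = $false; From = @('news@example.com') }
    [pscustomobject]@{ Name = '..';          Enabled = $true; DeleteMessage = $true;  From = @() }
)

$sampleRules |
    Find-OddlyNamedInboxRule -Mailbox 'full.name@domain.com' |
    Format-Table -AutoSize

# Against Exchange Online, after Connect-ExchangeOnline:
# $findings = foreach ($mailbox in Get-ExoMailbox -ResultSize Unlimited) {
#     Get-InboxRule -Mailbox $mailbox.UserPrincipalName |
#         Find-OddlyNamedInboxRule -Mailbox $mailbox.UserPrincipalName
# }
# $findings | Export-Csv -Path .\odd-inbox-rules.csv -NoTypeInformation
```

With the constructed sample, the rules named "." and ".." are reported and "Newsletters" is not.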