Try this first
- 1In Defender for Office 365 or Sentinel, alert on new inbox rules that move mail to RSS Feeds, Conversation History, Notes, or any folder named as a single letter or digit.
- 2Add a second alert on rules with forwardingSMTPAddress or forwardingAddress pointing to an external domain. External auto-forwarding should be off in the remote-domain policy anyway.
- 3Turn on the Defender XDR built-in detection 'Suspicious inbox manipulation rule', which runs on Exchange signals and is included with P2.
- 4Enable mailbox auditing with Set-Mailbox -AuditEnabled $true and make sure New-InboxRule and UpdateInboxRules are in the audit set. Without audit you see nothing afterwards.
- 5Train finance to always call back any IBAN-change or payment-rush request on a number from their own records, never from the email signature.
When to bring us in
If you find a suspicious rule plus a changed IBAN on an open invoice, the attacker has likely been inside for two to six weeks. Treat it as an incident and bring in forensics before you revoke sessions.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.