A few times in the past year, various clients have contacted me about not receiving emails. I am not picking on Microsoft directly but all have involved Outlook. After doing the following basics:
- Check for M365 outages
- Have another user in the company send and receive emails
- Have the user login to the web version of Outlook/M365 and check for syncing in desktop Outlook
I had to dig a litter deeper!
I used the search feature in desktop Outlook to find indeed the emails were coming into the inbox, but were routed to a different folder. That indicated a rule was routing the emails to the new folder but the clients were not aware of this.
What Are Outlook Rules?
For those unaware about Outlook rules, you can setup rules that analyze your emails as they come in and do a number of different actions. For example, you can write a rule that will match emails from a certain person and mark them as important or you can have it send a notification to your phone. You can also, move all emails to a specific folder and mark them as read and turn off notifications – which is exactly what was happening!
One Rule To Move Them All
Rules were created that moved the emails to a new Conversation History folder, marked them as read and disabled notifications. After diving deeper into M365 security, all clients had random logins recently from around the world – South Korea, South Africa, Eastern Europe – all places my clients had not visited.
After checking the emails moved to the new folder, they all had inquiries to banks to change passwords. Yikes!
Remediation
To solve the problem:
- We removed the rules first.
- Confirmed foreign users were no longer logged into the Microsoft account.
- Changed M365 password.
- Enabled two factor authentication (2FA).
All of those steps are critical to stopping these kinds of attacks. Understandably 2FA is a hassle but losing the money in your bank account is probably a bigger hassle. Luckily in all cases, my clients called before hackers were able to withdraw any money.
Please reach out if you need help with cyber security or keeping your password safe!