Use this article to investigate changes to mailbox rules in Exchange Online. It shows how to view a mailbox's current inbox and forwarding rules and how to search the Microsoft Purview audit log to identify who created, modified, or deleted those rules.
Use these methods to investigate:
- Changes to email forwarding rules
- Rules that cause emails to not appear in expected folders
- Unauthorized rule modifications
Before you begin
To investigate mailbox rule modifications, you need:
- The Audit Logs role assigned in Microsoft Purview
- To connect to Exchange Online PowerShell by using Connect-ExchangeOnline
How to identify mailbox rule modifications
Use these two essential commands to investigate mailbox rule changes.
Check current mailbox rules
Running the command below shows, for each rule in the mailbox:
- Rule configuration: Name and description
- Rule actions: Move, delete, forward, or redirect
- Rule status: Enabled or disabled
To see which rules currently exist in a mailbox, run the following command (the forwarding and redirect properties are included so that rules that send mail outside the mailbox are visible alongside move and delete rules):
```powershell
Get-InboxRule -Mailbox <mailbox> | Format-List Name,Description,DeleteMessage,MoveToFolder,ForwardTo,ForwardAsAttachmentTo,RedirectTo,Enabled
```
Search for rule modification audit records
This search looks for:
- New-InboxRule: New rules created
- Set-InboxRule: Existing rules modified
- Remove-InboxRule: Rules deleted
To find out who created, modified, or deleted mailbox rules, run the following command (adjust the date range and user list for your investigation):
```powershell
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule -ResultSize 1000
```
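The raw audit records are hard to read because the rule details sit inside the AuditData JSON string. The following script is an added example, not code from the Microsoft Learn article: it runs the same search, parses each record, and lists the changes that forward, redirect, hide, or delete mail first. It assumes Connect-ExchangeOnline has already been run; the date range and mailbox address are constructed placeholders.

```powershell
# Added example: triage inbox-rule changes from the unified audit log.
# Assumes an active Exchange Online PowerShell session with the Audit Logs role.
$start = (Get-Date).AddDays(-90)      # widen if nothing is returned
$end   = Get-Date
$users = 'user1@contoso.com'          # placeholder; omit -UserIds to cover all mailboxes

# Rule parameters that send mail elsewhere or keep the owner from seeing it.
$riskyParams = 'ForwardTo','ForwardAsAttachmentTo','RedirectTo',
               'DeleteMessage','MoveToFolder','MarkAsRead'

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $users `
    -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule `
    -ResultSize 5000 -SessionCommand ReturnLargeSet

$findings = foreach ($rec in $records) {
    $data   = $rec.AuditData | ConvertFrom-Json      # AuditData is a JSON string
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
    $flags  = @($riskyParams | Where-Object { $params.ContainsKey($_) })
    # New-InboxRule carries the rule name in -Name; Set/Remove use -Identity.
    $ruleName = if ($params['Name']) { $params['Name'] } else { $params['Identity'] }
    [pscustomobject]@{
        When       = $rec.CreationDate
        Operation  = $rec.Operations
        Actor      = $data.UserId        # account that made the change
        Target     = $data.ObjectId      # object the operation was applied to
        ClientIP   = $data.ClientIP
        RuleName   = $ruleName
        RiskyFlags = ($flags -join ',')
        Details    = (($flags | ForEach-Object { "$_=$($params[$_])" }) -join '; ')
    }
}

# Rows with forwarding/deletion parameters sort first, then everything else by time.
$findings | Sort-Object { $_.RiskyFlags -eq '' }, When | Format-Table -AutoSize
```

Pair the Actor and ClientIP columns with sign-in logs for the same window: a rule created from an unfamiliar address shortly after a successful sign-in is a common indicator of a compromised mailbox.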
What to do when searches return no results
If your audit searches don't find rule modification records:
- Expand the date range to capture older changes:
```powershell
Search-UnifiedAuditLog -StartDate 01/01/2020 -EndDate 03/31/2020 -UserIds <user1,user2> -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule -ResultSize 1000
```
- Enable auditing for future rule changes:
```powershell
Set-Mailbox <mailbox> -AuditEnabled $true -AuditOwner @{Add="Create","Update"}
```
Quick reference
Key operations for rule investigation
| Operation | Description |
|---|---|
| New-InboxRule | New mailbox rule created. |
| Remove-InboxRule | Mailbox rule deleted. |
| Set-InboxRule | Existing mailbox rule modified. |
Essential commands
| Command | Purpose |
|---|---|
| Get-InboxRule -Mailbox <mailbox> | Check current rule configuration. |
| Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule | Find who made rule changes. |
Next steps
- Use MailItemsAccessed to investigate compromised accounts: Determine whether unauthorized rule changes indicate a compromised account.
- Identify who deleted an email message or why an email is missing: Investigate whether modified rules caused email deletions or missing messages.
- Export, configure, and view audit log records: Export your rule modification findings for compliance documentation.