Scam Alert

Hacked Outlook Forwarding Rule Scam

Imagine a scenario where a scammer is reading every invoice, password reset, and sensitive email you receive, and you have no idea it is happening. That is exactly what occurs in the "forwarding rule" scam. It is one of the most common, and quietest, methods used against Microsoft 365, Outlook, and Google Workspace users today, across East Gippsland and beyond. Because the rule runs on the mail server in the background and causes no obvious problems on your computer, it often goes undetected for weeks or even months.

How the scam works

To execute this attack, a scammer must first gain access to your email account, even briefly. This usually happens when an employee enters their details into a phishing page that looks like a legitimate Microsoft or Google login screen, or because the business reuses the same password across several online platforms and one of those platforms has been breached. Instead of immediately changing your password and locking you out (which would trigger alarm bells and prompt you to recover the account straight away), the scammer does something quieter and more insidious.

They quietly log in to your account, open the mailbox settings in the web interface, and create an inbox rule. Rules created this way are stored on the mail server, so they keep running whether or not your computer is switched on. The typical rule is designed to act on financial triggers. It essentially says: "Take every incoming email whose subject or body mentions words like 'invoice,' 'payment,' 'remittance,' or 'bank', and immediately forward or redirect a copy to a scammer-controlled external address. Then delete the original, or mark it as read and move it to a folder you never look at (Deleted Items, RSS Feeds, Archive, or similar), so it never appears in your inbox." A variant skips the rule entirely and sets a mailbox-wide forward to the external address in the Forwarding settings.

The Result

Once the rule is active, the scammer simply sits back and waits. To you, everything appears normal, except that you abruptly stop receiving emails from certain customers who owe you money. The scammer, meanwhile, intercepts these financial emails and replies to your customers pretending to be you, either from a lookalike address (a domain one character different from yours) or, while they still have access, from your real mailbox with the sent item deleted afterwards. The reply tells your customers to pay the outstanding invoices into a new bank account. By the time the customer calls your business to confirm payment, or you follow up on a late invoice, the funds have already been moved on and are rarely recoverable. This can severely damage not just your cash flow, but your business reputation.

How to check your account

If you suspect something is wrong, check the web version of your email platform immediately. Log in to Outlook on the web (not just the desktop app on your computer, because these rules live on the server and the web interface shows exactly what the server is running) and carefully navigate to Settings > Mail > Rules. Look for any rule you did not explicitly create yourself, and pay particular attention to any rule that forwards, redirects, or forwards as an attachment to an address outside your business, especially when it also deletes, marks as read, or moves the message. A common trick is for scammers to name the rule simply "." or "," so it is easy to overlook in the list. Additionally, check Settings > Mail > Forwarding to ensure your entire inbox isn't being blanket-redirected to an unknown Gmail or Yahoo address. Google Workspace users have the same two places to check in Gmail: Settings > See all settings > Filters and Blocked Addresses (for filters that forward and delete or archive) and Forwarding and POP/IMAP (for a mailbox-wide forward).
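For a business with more than a handful of mailboxes, clicking through each user's settings does not scale. The following script is an added example (it is not part of the original post) that performs the same two checks across every mailbox in a Microsoft 365 tenant using the Exchange Online PowerShell module. It assumes the ExchangeOnlineManagement module is installed and that the account you sign in with holds a role able to read inbox rules, such as Exchange Administrator; the regular expression used to spot near-empty rule names is an assumption based on the "." and "," trick described above.

```powershell
# Added example, not code from the original post.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Check 1: inbox rules that forward/redirect, or that hide mail under a
# throwaway name such as "." or "," (the pattern is an assumption).
$suspiciousRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # -IncludeHidden also lists rules not normally shown in the client.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $forwards = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $hides    = [bool]$rule.DeleteMessage -or [bool]$rule.MoveToFolder -or [bool]$rule.MarkAsRead
        $oddName  = $rule.Name -match '^\W{0,2}$'      # "", ".", ",", "..", " " etc.

        if ($forwards -or ($hides -and $oddName)) {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                RuleName  = $rule.Name
                Enabled   = $rule.Enabled
                ForwardTo = ($forwards -join '; ')
                Deletes   = [bool]$rule.DeleteMessage
                MoveTo    = $rule.MoveToFolder
                Triggers  = (@($rule.SubjectContainsWords) +
                             @($rule.BodyContainsWords) +
                             @($rule.SubjectOrBodyContainsWords) -join ', ')
            }
        }
    }
}

# Check 2: mailbox-wide forwarding (what Settings > Mail > Forwarding sets).
$forwardedMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

"=== Inbox rules to review ==="
$suspiciousRules | Format-Table -AutoSize
"=== Mailboxes with forwarding set ==="
$forwardedMailboxes | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Treat the output as a list to review by hand rather than a verdict: legitimate rules that forward to a colleague or a shared mailbox inside the business will also appear, so the ForwardTo column is where to look for addresses outside your own domain. The Triggers column shows the keyword conditions, which for a scammer's rule are typically the invoice and payment words described above.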

The Solution

If you find an unauthorized rule, take a screenshot or export of it for your records and then delete it. But taking down the rule does not remove the attacker's access. Reset the password, and then use "Sign out everywhere" (Microsoft) or sign out of all sessions (Google) from the account's security settings, or have your administrator revoke the user's sessions. A password change on its own is often not enough, because an attacker who is already signed in may hold tokens that keep working until they are revoked. Then look for anything else the scammer may have left behind: an extra MFA method or recovery phone registered to the account, app passwords, third-party apps granted access to the mailbox, and other people given delegate access to it. Enable Multi-Factor Authentication (MFA) across all staff accounts so that a stolen password alone cannot be used to log back in tomorrow, and ask your administrator to block automatic forwarding to external addresses for the whole tenant so that the next rule cannot send anything out. Finally, contact any customer who was invoiced during the period the rule was active and confirm the bank details they were given, because the financial loss usually lands on them first.
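The containment steps above, as an added example script for a Microsoft 365 tenant (this is not code from the original post). It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the signed-in administrator can reset passwords, revoke sessions, and edit the outbound spam policy. The $Upn and $RuleName parameters, the evidence file name, and the generated temporary password are all placeholders for illustration.

```powershell
# Added example, not code from the original post.
# Usage: .\Contain-Mailbox.ps1 -Upn user@example.com.au -RuleName "."
param(
    [Parameter(Mandatory)][string]$Upn,       # compromised mailbox (placeholder)
    [Parameter(Mandatory)][string]$RuleName   # name of the scammer's rule (placeholder)
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All' -NoWelcome

# 1. Preserve the rule for the incident record, then remove it.
Get-InboxRule -Mailbox $Upn -Identity $RuleName |
    Select-Object Name, Description, ForwardTo, RedirectTo, ForwardAsAttachmentTo,
                  DeleteMessage, MoveToFolder, MarkAsRead |
    Export-Clixml -Path ".\evidence-inboxrule-$($Upn -replace '[@.]','_').xml"
Remove-InboxRule -Mailbox $Upn -Identity $RuleName -Confirm:$false

# 2. Clear any mailbox-wide forward (Settings > Mail > Forwarding).
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
            -DeliverToMailboxAndForward $false

# 3. Reset the password to a random temporary value the user must change,
#    THEN revoke sessions: a reset alone leaves existing tokens valid.
$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. Stop the whole tenant auto-forwarding to external addresses, so a
#    rule created tomorrow cannot leak mail even if one is missed.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 5. Things still to review by hand after this script: MFA methods and
#    recovery details on the account, OAuth app consents, and delegates
#    (Get-MailboxPermission -Identity $Upn).
"Temporary password for $Upn (hand over out-of-band, not by email): $tempPassword"

Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

The order matters: the password is reset before sessions are revoked, so the attacker cannot simply sign straight back in with the old password while you are working. Setting AutoForwardingMode to Off affects every mailbox, so check first whether any legitimate process depends on forwarding to an outside address and add an exception for it rather than leaving the setting open.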

Think you've been targeted?

I provide urgent remote audits for East Gippsland businesses to systematically find and remove hidden scammer rules, audit email environments, and lock down Microsoft 365 or Google Workspace accounts professionally. Send a support request via the website form and I will reply by email to coordinate the remote assessment.

Send Support Request