How to Check for and Remove Suspicious Inbox Rules in Outlook (Microsoft 365)

Applies to: Staff and students using Outlook Web (outlook.com) or Outlook desktop
Purpose: Detect and remove malicious inbox rules that can hide emails or forward your messages to attackers.
Why this matters: After phishing attacks, hackers often create hidden inbox rules to silently reroute emails. Even if your password is reset, those rules remain active until manually removed.

What Are Inbox Rules?

Inbox rules are normally used to help organize emails (e.g., move messages from a teacher to a specific folder).
Attackers misuse rules to:

• Automatically move incoming mail to hidden folders (e.g., RSS Feeds or Archive).

• Delete important messages so you never see security alerts.

• Forward emails to outside accounts to steal information.

Step 1: Log in to Outlook Web

1. Open a web browser and go to https://outlook.office.com.

2. Sign in with your email and password.

Step 2: Open Inbox Rules

1. In the top-right corner, click the gear icon (⚙ Settings).

2. At the bottom of the menu, select View all Outlook settings.

3. In the left pane, go to:

   • Mail → Rules.

You will now see a list of all active inbox rules.

Step 3: Review Rules

• Look for suspicious rules, such as:

  • Rule that moves emails to folders like RSS Feeds, Junk Email, or Archive.

  • Rule that forwards all mail to an external address (example: john.doe@gmail.com).

  • Rule with strange names like “smtp,” “test,” or random characters.

  • Rules created recently that you did not set up.

Tip: Even one unfamiliar rule could mean your mailbox was tampered with.

Step 4: Remove Malicious Rules

1. Click the trash can icon next to any suspicious rule.

2. Confirm deletion when prompted.

3. Repeat for all rules you did not personally create.

Step 5: Check in Outlook Desktop (Optional)

1. Open the Outlook desktop app.

2. Go to the File tab → Manage Rules & Alerts.

3. Review the list of rules.

4. Delete any suspicious entries just like in Outlook Web.

Step 6: Secure Your Account

If you found a malicious rule, immediately:

1. Change your Microsoft 365 password.

2. Review your Microsoft Authenticator app – deny any login requests you did not make.

3. Report the incident to Miller Tech Pro Support (see below).

Step 7: Confirm Email Flow

• Send yourself a test email from another account.

• Confirm that it arrives in your inbox and is not being redirected.

Troubleshooting

• No suspicious rules found? Great — your account is likely clean.

• Still missing emails? Search all folders (especially RSS Feeds, Archive, Deleted Items). Attackers sometimes move existing messages before rules are removed.

• Outlook desktop not syncing? Restart the app or remove/re-add your account.

Quick Safety Tips

• Do not ignore missing emails. Always check inbox rules first.

• If you receive strange login alerts or Microsoft sign-in prompts, deny them and change your password.

• Forward suspicious emails (as an attachment) to support@millertechpro.com for analysis.

Need Help?

Contact Miller Tech Pro Support:

• Phone: 407-868-0846

• Email: support@millertechpro.com

• Hours: Mon–Fri, 8:00 AM to 4:00 PM (Emergency Response weekends only)