Evaluating Outlook Inbox Rules


Introduction

Outlook Inbox rules can cause unexpected or unwanted behavior with emails when the rules are not set up correctly, conflict with each other, or are created as a result of a compromised account. This article describes how to evaluate, modify, and/or delete unwanted rules. Emphasis is placed on malicious rules put in place when an account is compromised.

Instructions

 

It is a best practice to disable all rules encountered until their evaluation is complete. In addition, you should check both the Outlook Desktop (if installed) and Outlook Web App clients as some rules created in Desktop can't be managed in the Outlook Web App.

Rules in Outlook Desktop

  1. Open Outlook Desktop.
  2. Type "manage rules and alerts" in the search box.
  3. Select Rules under the Actions header.
  4. Select Manage Rules and Alerts in the side menu.

  5. If rules exist in the list, continue.
  6. Uncheck each rule to disable it during evaluation.
  7. Review each rule to understand its conditions and actions.
  8. Delete unwanted and/or malicious rules by selecting the rule and then clicking Delete in the window's toolbar.
  9. Edit rules by selecting the underlined elements in the description in the Rules Description block.
  10. When complete, make sure to re-enable all remaining rules.

Rules in Outlook Web App

  1. Open Outlook Web App at https://outlook.office.com.
  2. Click on the Gear icon in the upper-right corner to open the Settings menu.

  3. Select Mail.
  4. Select Rules.
  5. If rules exist in the list, continue.
  6. Click on the toggle next to each rule to disable it during evaluation.
  7. Review each rule to understand its conditions and actions.
  8. Delete unwanted and/or malicious rules by selecting the Trash icon for that rule.
  9. Edit rules by selecting the Pencil icon for that rule.
  10. When complete, make sure to re-enable all remaining rules.

Additional Tips

  • Understand Rule Conditions:
    • Check the conditions set for each rule. Ensure they are logical and relevant to the user's needs. For example, a rule that moves emails from a specific sender to a folder should have the correct sender’s email address.
    • Malicious actors can configure rules to hide actions, delete mail, forward mail, create confusion, and facilitate further attacks.
  • Verify Rule Actions:
    • Verify the actions that the rule performs. Common actions include moving emails to a folder, deleting emails, or marking them as read.
    • Ensure the actions align with the user's intentions.
  • Identify Conflicts:
    • Check for any conflicting rules. For example, one rule might move an email to a folder, while another might delete it.
    • Adjust the order of rules, if necessary, as rules are processed top-down.
  • Test the Rules:
    • Have a test email sent that matches the conditions of the rule to see if it performs the expected action.
    • Confirm that the rule behaves as intended.
  • Eliminate Redundancy:
    • Ensure there are no redundant rules that perform the same action on the same set of emails.
    • Simplify or combine rules where possible to avoid unnecessary complexity.
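
The checks in the tips above can also be run over an exported rule list. The following Python code is an added example, not part of the original article or of any Microsoft tooling. It assumes the rules were exported as records shaped like the Microsoft Graph messageRule resource; the sample rules, addresses, folder names and function names are constructed for illustration.

```python
import json

# Constructed sample rules (not real data). Field names follow the Microsoft
# Graph messageRule resource; addresses and folders are simplified to strings.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "sequence": 1, "isEnabled": True,
     "conditions": {"fromAddresses": ["news@example.com"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Archive", "sequence": 2, "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": ["drop@example.net"], "delete": True}},
    {"displayName": "Cleanup", "sequence": 3, "isEnabled": True,
     "conditions": {"fromAddresses": ["news@example.com"]},
     "actions": {"delete": True}},
    {"displayName": "Quiet", "sequence": 4, "isEnabled": False,
     "conditions": {"bodyContains": ["password"]},
     "actions": {"markAsRead": True, "moveToFolder": "RSS Feeds"}},
]
FORWARD = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DELETE = ("delete", "permanentDelete")

def action_flags(rule):
    """Flag actions that forward, delete, or hide mail and need human review."""
    a = rule.get("actions") or {}
    checks = {"forwards": any(a.get(k) for k in FORWARD),
              "deletes": any(a.get(k) for k in DELETE),
              "hides": bool(a.get("markAsRead") and a.get("moveToFolder"))}
    return [name for name, hit in checks.items() if hit]

def _key(part):
    return json.dumps(part or {}, sort_keys=True)  # stable comparison key

def evaluate(rules):
    """Review every rule (disabled ones too) in top-down processing order."""
    ordered = sorted(rules, key=lambda r: r.get("sequence", 0))
    report = {"flagged": {}, "conflicts": [], "redundant": []}
    for i, rule in enumerate(ordered):
        if flags := action_flags(rule):
            report["flagged"][rule["displayName"]] = flags
        for earlier in ordered[:i]:
            if _key(earlier.get("conditions")) != _key(rule.get("conditions")):
                continue  # only rules with identical conditions are compared
            pair = (earlier["displayName"], rule["displayName"])
            same = _key(earlier.get("actions")) == _key(rule.get("actions"))
            report["redundant" if same else "conflicts"].append(pair)
    return report

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RULES), indent=2))
```

A flag means the rule needs a human decision, not that it is malicious; rules with overlapping but non-identical conditions are not compared and still need manual review.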