Inbox Rules Scan
Scan Microsoft 365 mailboxes for suspicious inbox rules — forwarding, hiding, keyword-targeting, and delete rules — with automatic risk scoring. Connects directly to Microsoft Graph with no API credits required.
M365 Permission: MailboxSettings.Read
Connection: Direct Microsoft Graph
Credits: $0 (free, no API credits used)
Usage
Single mailbox scan
```shell
dfir-cli bec inbox-rules --user admin@contoso.com
```
Multi-user scans
```shell
# Scan from a file of targets (one UPN per line)
dfir-cli bec inbox-rules --user-file targets.txt

# Scan every licensed mailbox in the tenant
dfir-cli bec inbox-rules --all-users
```
Filtering by risk
```shell
# Only show suspicious rules (medium risk and above)
dfir-cli bec inbox-rules --user admin@contoso.com --suspicious-only

# Only show high/critical risk rules
dfir-cli bec inbox-rules --all-users --min-risk high
```
Output formats
```shell
# JSON output
dfir-cli bec inbox-rules --user admin@contoso.com --json

# JSONL for piping to other tools
dfir-cli bec inbox-rules --all-users -o jsonl

# CSV for spreadsheet import
dfir-cli bec inbox-rules --all-users -o csv

# Quiet mode: exit code only, no output
dfir-cli bec inbox-rules --user admin@contoso.com -q
```
Concurrency tuning
```shell
# Increase concurrency for large tenants (default is 10 mailboxes in parallel)
dfir-cli bec inbox-rules --all-users --concurrency 20
```
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --user | string | — | Target mailbox UPN to scan (e.g. user@contoso.com). |
| --user-file | string | — | Path to a text file with one UPN per line. |
| --all-users | bool | false | Scan every licensed mailbox in the tenant. |
| --suspicious-only | bool | false | Only display rules flagged as suspicious (medium risk and above). |
| --min-risk | string | low | Minimum risk level to display: "low", "medium", "high", or "critical". |
| --include-disabled | bool | false | Include disabled inbox rules in the scan results. |
| --concurrency | int | 10 | Number of mailboxes to scan in parallel. |
| --json | bool | false | Output results as JSON. |
| -o | string | table | Output format: "table", "json", "jsonl", or "csv". |
| -q | bool | false | Quiet mode — suppress all output, communicate via exit code only. |
Detection Capabilities
The scanner evaluates every inbox rule against the following heuristics. Each detection adds to the cumulative risk score for the rule.
| Detection | Description |
|---|---|
| External forwarding | Rules that forward or redirect mail to an external address outside the tenant. |
| Free email provider forwarding | Forwarding to consumer email services (Gmail, Yahoo, Outlook.com, etc.). |
| Keyword-based hiding (security) | Rules that move/delete messages containing security keywords — "password reset", "MFA", "suspicious sign-in", etc. |
| Keyword-based hiding (financial) | Rules that move/delete messages containing financial keywords — "invoice", "payment", "wire transfer", etc. |
| Security sender targeting | Rules that target messages from security-related senders (IT department, Microsoft, security@). |
| Match-all forwarding | Rules with no conditions that forward all incoming mail. |
| Stop-processing rules | Rules that set the stop-processing flag, so no later inbox rule is evaluated for the message. Attackers combine it with a forwarding or hiding rule so that a rule further down the list cannot undo or surface their changes. |
| No display name | Rules created without a display name — a common indicator of programmatic or API-created rules. |
Risk Scoring
Each rule receives a cumulative risk score based on the number and severity of detections triggered. The score maps to a risk level.
| Score | Level |
|---|---|
| 0 - 19 | Low |
| 20 - 39 | Medium |
| 40 - 69 | High |
| 70+ | Critical |
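To make the two tables above concrete, here is a toy re-implementation of the detections and the score-to-level mapping. This is an added example, not dfir-cli's own code: the detection names and the 20/40/70 thresholds come from this page, while the per-detection weights, the keyword lists and the tenant domain `contoso.com` are assumptions chosen for the example. Rules are plain dicts in the Microsoft Graph `messageRule` shape (`displayName`, `isEnabled`, `conditions`, `actions`), so a response from `GET /users/{upn}/mailFolders/inbox/messageRules` could be fed in directly. The sample rules are constructed and do not come from any real tenant.

```python
"""Toy version of the inbox-rule heuristics and risk scoring described on this page.

Added example, not dfir-cli's code. Weights, keyword lists and TENANT_DOMAINS
are assumptions; the detection names and level thresholds follow the page.
"""
from __future__ import annotations

TENANT_DOMAINS = {"contoso.com"}  # assumption: the tenant being scanned
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "proton.me"}
SECURITY_KEYWORDS = ("password reset", "mfa", "suspicious sign-in", "security alert")
FINANCIAL_KEYWORDS = ("invoice", "payment", "wire transfer", "bank")
SECURITY_SENDERS = ("security@", "it department", "microsoft", "helpdesk")
LEVELS = ["low", "medium", "high", "critical"]

# Assumed weights; the page only specifies the level thresholds.
WEIGHTS = {
    "external_forwarding": 30, "free_provider_forwarding": 20,
    "keyword_hiding_security": 25, "keyword_hiding_financial": 25,
    "security_sender_targeting": 20, "match_all_forwarding": 25,
    "stop_processing": 10, "no_display_name": 10,
}


def risk_level(score: int) -> str:
    """Map a cumulative score to the page's risk levels (0-19/20-39/40-69/70+)."""
    if score >= 70:
        return "critical"
    if score >= 40:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def _addresses(recipients) -> list[str]:
    """Flatten a Graph recipient collection to lowercase SMTP addresses."""
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def detect(rule: dict) -> list[str]:
    """Return the names of every heuristic the rule triggers."""
    conds = rule.get("conditions") or {}
    acts = rule.get("actions") or {}
    hits = []

    # Any of the three forward/redirect actions counts as forwarding.
    targets = (_addresses(acts.get("forwardTo")) + _addresses(acts.get("redirectTo"))
               + _addresses(acts.get("forwardAsAttachmentTo")))
    external = [t for t in targets if _domain(t) not in TENANT_DOMAINS]
    if external:
        hits.append("external_forwarding")
    if any(_domain(t) in FREE_PROVIDERS for t in external):
        hits.append("free_provider_forwarding")
    if targets and not conds:  # no predicate at all: every message is forwarded
        hits.append("match_all_forwarding")

    # "Hiding" means moving out of the inbox or deleting; pair it with keyword predicates.
    hides = bool(acts.get("delete") or acts.get("permanentDelete") or acts.get("moveToFolder"))
    text = " ".join((conds.get("subjectContains") or []) + (conds.get("bodyContains") or [])
                    + (conds.get("bodyOrSubjectContains") or [])).lower()
    if hides and any(k in text for k in SECURITY_KEYWORDS):
        hits.append("keyword_hiding_security")
    if hides and any(k in text for k in FINANCIAL_KEYWORDS):
        hits.append("keyword_hiding_financial")

    senders = " ".join((conds.get("senderContains") or [])
                       + _addresses(conds.get("fromAddresses"))).lower()
    if any(s in senders for s in SECURITY_SENDERS):
        hits.append("security_sender_targeting")

    if acts.get("stopProcessingRules"):
        hits.append("stop_processing")
    if not (rule.get("displayName") or "").strip():
        hits.append("no_display_name")
    return hits


def scan(rules: list[dict], include_disabled: bool = False, min_level: str = "low") -> list[dict]:
    """Score every rule, skip disabled ones unless asked, filter by level, worst first."""
    out = []
    for rule in rules:
        if not include_disabled and not rule.get("isEnabled", True):
            continue
        hits = detect(rule)
        score = sum(WEIGHTS[h] for h in hits)
        level = risk_level(score)
        if LEVELS.index(level) >= LEVELS.index(min_level):
            out.append({"displayName": rule.get("displayName"), "score": score,
                        "level": level, "findings": hits})
    return sorted(out, key=lambda r: r["score"], reverse=True)


# Constructed sample rules; nothing here comes from a real tenant.
SAMPLE_RULES = [
    {  # nameless forward-everything-to-Gmail rule, the classic BEC persistence pattern
        "displayName": "", "isEnabled": True, "conditions": {},
        "actions": {"forwardTo": [{"emailAddress": {"name": "", "address": "acct.recovery1987@gmail.com"}}],
                    "stopProcessingRules": True}},
    {  # buries security notifications in a folder so the victim never sees the alerts
        "displayName": ".", "isEnabled": True,
        "conditions": {"subjectContains": ["password reset", "suspicious sign-in"],
                       "fromAddresses": [{"emailAddress": {"name": "Security", "address": "security@contoso.com"}}]},
        "actions": {"moveToFolder": "AAMkFolderIdPlaceholder", "markAsRead": True, "stopProcessingRules": True}},
    {  # disabled leftover that still forwards externally; only reported with include_disabled
        "displayName": "old", "isEnabled": False, "conditions": {},
        "actions": {"forwardTo": [{"emailAddress": {"name": "", "address": "partner@fabrikam.com"}}]}},
    {  # benign housekeeping rule
        "displayName": "Newsletters", "isEnabled": True,
        "conditions": {"senderContains": ["newsletter"]},
        "actions": {"moveToFolder": "AAMkFolderIdPlaceholder"}},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_RULES, include_disabled=True):
        print(f'{r["level"]:<8} {r["score"]:>3}  {r["displayName"]!r:<14} {", ".join(r["findings"])}')
```

Run stand-alone it prints one line per rule, worst first. The `include_disabled` and `min_level` parameters mirror `--include-disabled` and `--min-risk`; note that the disabled rule still scores as high, which is why an investigator usually wants disabled rules included when reconstructing what an attacker set up earlier.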
Exit Codes
Use exit codes for CI/CD pipelines or scripted workflows. Combine with -q for silent operation.
| Code | Meaning |
|---|---|
| 0 | Clean — no suspicious rules found. |
| 2 | High or critical risk rules detected. |
| 3 | Medium risk rules detected (no high/critical). |
Important Notes
- This command connects directly to Microsoft Graph using your registered Azure AD application. No data is sent to DFIR Suite servers, and no API credits are consumed.
- Requires the `MailboxSettings.Read` application permission in your Azure AD app registration.
- Run `dfir-cli bec auth` before your first scan to authenticate with your Azure AD application.