Is your email compromised? Please check your Outlook Rules Now!

Are you using Office 365 or Exchange for email?  Business Email Compromise (BEC) is running rampant.  After a hacker obtains your user name and password, they will monitor your email for any interesting activity.  Your company is especially at risk if your business deals with large money transfers with wires or ACH payments.  Once a hacker finds an invoice or other large transaction, the hacker will email your client from your email (masquerading as you).  The hacker will instruct your client that your bank account has changed, and the client should transfer the funds to the new bank account.  If payment is not made immediately, the hackers (masquerading as you) will send additional fake emails making the payment request more urgent.

Often they will create a rule that will automatically mark any emails from the targeted client as read and place them in a very rarely used folder like the RSS Feeds folder.  That way, they can continue communicating with the targeted client without you noticing the rogue emails.

Please perform the following check to ensure there aren't any unknown routing rules in your email.

  1. In Outlook
    1. Start Outlook.
    2. Click on File, Rules and Alerts.
    3. In the Email Rules tab look for any rules you weren't aware of.  If unknown rules exist, take a screenshot of the rule and clear the checkbox to disable the rule or delete the rule.
  2. In Outlook Web Access (OWA)
    1. Log into OWA.
    2. Click on the Gear in the upper right corner.
    3. Select Options, then Inbox and sweep rules.
    4. If any rules exist that you weren't aware of, take a screenshot of the rule and clear the On checkbox to disable the rule or delete the rule.
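
For an administrator who has to check many mailboxes, the same review can be scripted. The following is an added example, not part of the original post: it reads a JSON export of inbox rules and flags any rule that moves mail into a rarely used folder, rating it highest when the rule also marks the mail as read. The field names (`Name`, `Enabled`, `MarkAsRead`, `MoveToFolder`, `From`) are assumed to match an export of Exchange Online's `Get-InboxRule` output, the folder names other than RSS Feeds are assumptions, and the sample data is constructed.

```python
import json
import re

# Folders users rarely open. "RSS Feeds" is the one the article names; the
# other entries are assumptions added for this example.
RARELY_USED = {"rss feeds", "rss subscriptions", "conversation history"}


def folder_leaf(path):
    """Return the last segment of a folder path, lower-cased ('' if none)."""
    if not path:
        return ""
    return re.split(r"[\\/]", str(path).strip())[-1].strip().lower()


def review_rules(export_json):
    """Flag rules that move mail into a rarely used folder.

    Returns a list of dicts: name, enabled, severity, senders.
    severity is 'high' when the rule also marks the mail as read (the
    hiding pattern described in the article), otherwise 'review'.
    """
    findings = []
    for rule in json.loads(export_json):
        if folder_leaf(rule.get("MoveToFolder")) not in RARELY_USED:
            continue
        findings.append({
            "name": rule.get("Name", ""),
            "enabled": bool(rule.get("Enabled")),
            "severity": "high" if rule.get("MarkAsRead") else "review",
            "senders": rule.get("From") or [],
        })
    # Most urgent first: high severity, then enabled rules.
    findings.sort(key=lambda f: (f["severity"] != "high", not f["enabled"]))
    return findings


# Constructed sample export (not real data).
SAMPLE_EXPORT = r"""[
  {"Name": "Newsletters", "Enabled": true, "MarkAsRead": false,
   "MoveToFolder": "Inbox\\Newsletters", "From": ["news@vendor.example"]},
  {"Name": "old feed rule", "Enabled": false, "MarkAsRead": false,
   "MoveToFolder": "RSS Feeds", "From": null},
  {"Name": "Client mail", "Enabled": true, "MarkAsRead": true,
   "MoveToFolder": "RSS Feeds", "From": ["ap@client.example"]}
]"""

if __name__ == "__main__":
    for f in review_rules(SAMPLE_EXPORT):
        print(f"{f['severity']:6} enabled={f['enabled']} {f['name']!r} from={f['senders']}")
```

Disabled rules are still reported, since a rule that was switched off may have been active earlier and the senders it targeted still need to be contacted.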

If you DO find a rule that you weren't aware of, contact any involved parties immediately (via your phone, NOT email) to notify them of a potential email compromise.  Ask the client if they've recently received a request from you or your company to change any bank account.  Please take the following measures to protect your company from this type of attack:

  1. Change your passwords regularly.
  2. Don't use the same password for different accounts.
  3. Enable Multi-factor Authentication on all accounts, including OWA access and email access.
  4. Stay up to date with patches.
  5. Implement cybersecurity end-user training so employees can spot this type of attack.
  6. Alert all clients that if they ever receive a bank change request from you, they MUST verify the change face to face (best) or with a phone call.  Instruct them NOT to use any phone number listed on the request, but have the client contact you directly on your cell phone.  Instruct them NOT to use email to verify the request.

If you need help implementing any of these protection measures, send an email to

