Microsoft 365 inbox rule monitoring

Attackers hide inside
your mailboxes.
IRM finds them.

The most dangerous inbox rule attacks don't forward email externally — they hide it. IRM monitors every rule change across every mailbox and raises an alert the moment something suspicious appears.


How it works

From suspicious rule to alert — in minutes.

IRM connects directly to Microsoft 365 using certificate-based authentication. No passwords. No agents. No complex setup.

01

Connect your tenant

Sign in as Global Admin once. IRM creates the app registration, uploads the certificate, and configures Exchange access automatically — under 5 minutes per tenant.

One-time setup per tenant

02

Continuous monitoring

IRM scans every mailbox across all configured tenants on a schedule you control. Every rule is compared to the previous snapshot — detecting any change the moment it happens.

Configurable scan interval

03

Alert raised

Suspicious changes raise an alert on your dashboard and by email. Each alert includes the affected mailbox, what changed, risk level, and recommended action — no log-digging required.

Dashboard + email notification

The threat

The most dangerous inbox rule attacks
don't forward email externally. They hide it.

Sophisticated attackers use hidden folder rules to intercept conversations without ever touching the outbox. Here's how it happens.

1
Sarah Chen receives a phishing email

Sarah is the Accounts Payable manager at Acme Corporation. She receives what looks like a DocuSign request from a vendor. She clicks the link and enters her Microsoft 365 credentials.

The attacker now has full access to her mailbox — from a server in Eastern Europe.

2
A hidden folder rule is created

The attacker creates one rule: emails from Supplier B — Vantage's primary vendor — move silently to a folder called "Archive2." Marked as read. Sarah never sees them.

Rule name: "Archive2" · Action: Move to folder + Mark as read · From: supplier.example.com

3
The conversation is hijacked

The attacker monitors Archive2 and replies as Sarah — impersonating her to Supplier B. They explain that Acme Corporation has switched banks and provide new wire transfer details.

Supplier B updates their records. They have no reason to doubt — the email came from Sarah's account.

4
The wire transfer is sent

Supplier B processes the next invoice. $94,000 is wired to the attacker's account. Acme Corporation discovers the fraud six weeks later when Supplier B calls about the overdue payment.

The attacker was inside the mailbox for 41 days. Sarah never knew the conversation was happening.

With IRM: alert raised at Step 2

The moment the Archive2 rule was created, IRM flagged it — full rule details, the affected mailbox, and risk level. IT investigates. The rule is removed. Sarah's password is reset. No money moves.

Alert raised within minutes of rule creation. Breach contained before any financial damage.

IRM Alert — triggered at Step 2

What your dashboard shows

● HIGH — Rule Created
sarah.chen@example.com
Rule: "Archive2"
Action: Move to folder "Archive2" · Mark as read
From filter: supplier.example.com
Alert raised · 2:14 AM

● MED — Rule Modified
asmith@example.com
Rule: "Payment Received"
ForwardTo changed: none → external address

● LOW — Rule Modified
mjones@example.com
Rule: "Newsletter Archive"
Priority changed: 5 → 8

What IRM monitors
Move to folder rules — including hidden folders
External forwarding and redirects
Delete message rules
Mark as read rules
Stop processing rules
Rule deletions
Any combination of the above
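
The snapshot comparison described above can be sketched as follows. This is an added example, not IRM's code: the field names follow Exchange Online's Get-InboxRule properties, while the review heuristics, rule ids, internal-domain list and sample snapshots are assumptions constructed here.

```python
# Added example: snapshot diff over constructed inbox-rule data (not IRM's code).
# Field names follow Exchange Online Get-InboxRule properties.
WATCHED = ("MoveToFolder", "MarkAsRead", "ForwardTo", "RedirectTo",
           "DeleteMessage", "StopProcessingRules", "Priority", "From")

def flags(rule, internal_domains):
    """Return reasons a rule deserves review (heuristics assumed for this example)."""
    out = []
    if rule.get("MoveToFolder") and rule.get("MarkAsRead"):
        out.append("hide: move to folder + mark as read")
    for key in ("ForwardTo", "RedirectTo"):
        for addr in rule.get(key) or []:
            if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                out.append(f"external {key}: {addr}")
    if rule.get("DeleteMessage"):
        out.append("deletes matching mail")
    return out

def diff_snapshots(prev, curr, internal_domains):
    """prev/curr map (mailbox, rule id) -> rule dict. Returns change records."""
    changes = []
    for key in sorted(prev.keys() | curr.keys()):
        old, new = prev.get(key), curr.get(key)
        if old is None:
            kind, delta = "created", {}
        elif new is None:
            kind, delta = "deleted", {}
        else:
            # Before/after pairs for every watched field that differs.
            delta = {f: (old.get(f), new.get(f)) for f in WATCHED
                     if old.get(f) != new.get(f)}
            if not delta:
                continue
            kind = "modified"
        changes.append({"mailbox": key[0], "rule": (new or old)["Name"],
                        "kind": kind, "delta": delta,
                        "flags": flags(new or {}, internal_domains)})
    return changes

# Constructed sample snapshots mirroring the scenario above.
PREV = {("asmith@example.com", "r1"): {"Name": "Payment Received", "ForwardTo": []},
        ("mjones@example.com", "r2"): {"Name": "Newsletter Archive", "Priority": 5}}
CURR = {("asmith@example.com", "r1"): {"Name": "Payment Received",
                                        "ForwardTo": ["drop@outside.example.net"]},
        ("mjones@example.com", "r2"): {"Name": "Newsletter Archive", "Priority": 8},
        ("sarah.chen@example.com", "r3"): {"Name": "Archive2", "MoveToFolder": "Archive2",
                                           "MarkAsRead": True, "From": ["supplier.example.com"]}}

if __name__ == "__main__":
    for c in diff_snapshots(PREV, CURR, {"example.com"}):
        print(c["kind"], c["mailbox"], c["rule"], c["delta"], c["flags"])
```

The move-plus-mark-as-read rule carries no forwarding address at all, so a check that only looks for external forwards would pass it; the diff surfaces it because it is new, and the flag explains why it matters.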

Rule Analyzer

Your tenant has inbox rules
you've never seen. Now you can.

Before you can monitor for changes — you need to know what's already there. Rule Analyzer gives you a complete picture of every inbox rule across your entire Microsoft 365 tenant. Most organizations discover rules they never knew existed.

Expose prior breaches

Attackers plant rules and walk away. Rule Analyzer finds rules that have been sitting in mailboxes for months — hidden folder rules, silent forwards. Most clients find something on day one.

Every rule, every mailbox

See all inbox rules across your entire tenant organized by user — not one mailbox at a time. Filter by risk, search by name, group by mailbox. Export to CSV for compliance reporting.

Flag View — suspicious rules only

Switch to Flag View to see only rules that warrant review — external forwards, hidden folder rules, delete-on-arrival rules. Cut through the noise in seconds.

Mark reviewed, track progress

As you work through rules with your client, mark each one reviewed. Build a documented audit trail of your inbox rule environment for compliance and security reporting.


Features

Built for the people responsible
for keeping email secure.

Whether you're an in-house IT admin or managing dozens of client tenants, IRM gives you the visibility that Microsoft 365 doesn't provide out of the box.

Real-time rule detection

Every mailbox, every scan. IRM compares rule snapshots across all tenants and flags any created, modified, or deleted rule — with full before/after details in every alert.

Configurable scan interval

Rule Analyzer

A live view of every inbox rule across every mailbox. Search, filter by risk, group by mailbox, and expand any rule to see exactly what it does. Ideal for baseline audits of new clients.

Audit all rules at a glance

Auth Monitor

Detect new device sign-ins, failed MFA attempts, foreign logins, and brute force patterns across all monitored tenants. Events are sourced from Microsoft 365 audit logs and may be delayed.

Sign-in anomaly detection

Rich alert emails

Every alert includes the affected mailbox, the rule name, what changed, risk level, and recommended action. Before/after comparison included. No log-digging required.

Before/after comparison

Multi-tenant dashboard

Monitor all tenants from one interface. Each client gets independent scan schedules, alert recipients, and rule history. Scales from single-org IT to a 25-tenant MSP operation.

Up to 25 tenants

Zero credentials stored

Certificate-based Azure AD authentication only. No passwords, no OAuth tokens on disk. IRM reads inbox rule configurations and mailbox lists only — it never accesses email content, attachments, calendar data, or any other mailbox data. It cannot modify rules or settings.

Cert-based auth only


Multi-tenant management

All your tenants.
One dashboard.

Add a new tenant in under 5 minutes. Monitor indefinitely. Each organization gets its own scan schedule, alert configuration, and rule history.

Tenants · Mailboxes · Last Scan · Status
Acme Corporation (acme.example.com) · 67 · 2 min ago · ● No changes
Globex Corp (globex.example.com) · 24 · 4 min ago · ● 1 alert
Initech (initech.example.com) · 41 · 6 min ago · ● No changes

Pricing

Simple annual pricing.
No per-seat surprises.

All plans include inbox rule monitoring, Rule Analyzer, real-time email alerts with full rule details, daily digest reports, multi-tenant dashboard, certificate-based authentication, CSV export, and software updates. Contact us for pricing tailored to your organization.

Everything included in every plan
Inbox rule monitoring
Rule Analyzer
Software updates included
Real-time email alerts
Daily digest reports
Multi-tenant dashboard
Certificate-based auth
CSV & PDF export
Email support

Starter
For small business IT teams
25 mailboxes · 1 tenant

Professional
For larger IT teams and growing MSPs
250 mailboxes · 10 tenants

Enterprise
For enterprise IT and large MSPs
500 mailboxes · 25 tenants

Pricing tailored to your organization. Contact us to discuss your requirements.

Start monitoring in under 10 minutes.

No cloud infrastructure required. Installs on any Windows desktop or server. Free trial available.