Summary: Learn how to recognize and remediate the Outlook rules and custom forms injection attacks in Office 365.

Note: The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal.

Reinstalling Outlook, or even giving the affected person a new computer, won't help. When the fresh installation of Outlook connects to the mailbox, all rules and forms are synchronized from the cloud. The rules or forms are typically designed to run remote code and install malware on the local machine. The malware steals credentials or performs other illicit activity.

The good news is: if you keep your Outlook clients patched to the latest version, you aren't vulnerable to the threat, because current Outlook client defaults block both mechanisms.

The attacks typically follow this pattern:

1. The attacker steals a user's credentials.
2. The attacker signs in to that user's Exchange mailbox (Exchange Online or on-premises Exchange).
3. The attacker creates a forwarding Inbox rule in the mailbox. The rule is triggered when the mailbox receives a specific message from the attacker that matches the rule's conditions; the rule conditions and the message format are tailor-made for each other.
4. The attacker sends the trigger email to the compromised mailbox, which the unsuspecting user is still using as normal.
5. When the mailbox receives a message that matches the rule's conditions, the rule's action is applied. Typically, the action launches an application on a remote (WebDAV) server.
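The following PowerShell is an added example for hunting the forwarding-rule stage of the pattern above; it is not code from the Microsoft article. It assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with a role that can read recipients and Inbox rules, and it uses only the Get-Mailbox, Get-InboxRule and Get-AcceptedDomain cmdlets. The helper names (Get-SmtpFromRecipient, Test-ExternalAddress) are local to this example. One caveat a practitioner needs: Get-InboxRule exposes server-side actions (forward, redirect, delete, move); a client-side "start application" action is not visible in its output, so an empty result from this script does not prove a mailbox is clean.

```powershell
# Added example (not from the Microsoft article): hunt for suspicious Inbox rules
# across every user mailbox in an Exchange Online tenant.
# Assumptions: the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has already been run with a role that can read
# recipients and Inbox rules (for example View-Only Recipients).
# Caveat: Get-InboxRule exposes server-side actions (forward, redirect,
# delete, move). A client-side "start application" action is not shown in
# its output, so an empty result here does not prove a mailbox is clean.

$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

# Extract the SMTP address from a recipient string such as
# "Alice [SMTP:alice@example.com]"; legacy "[EX:/o=...]" entries are internal.
function Get-SmtpFromRecipient {
    param([string]$Recipient)
    if ($Recipient -match '\[SMTP:([^\]]+)\]') { return $Matches[1].ToLowerInvariant() }
    return $null
}

# True when the address's domain is not one of the tenant's accepted domains.
function Test-ExternalAddress {
    param([string]$Smtp)
    if (-not $Smtp) { return $false }
    $domain = $Smtp.Split('@')[-1]
    return ($acceptedDomains -notcontains $domain)
}

$findings = New-Object System.Collections.Generic.List[object]

# -ResultSize Unlimited: the default result cap would silently skip mailboxes.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $reasons = @()

        # Collect every forward/redirect target; external targets mean exfiltration.
        $targets = @()
        foreach ($t in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
            if ($t) { $targets += [string]$t }
        }
        foreach ($t in $targets) {
            $smtp = Get-SmtpFromRecipient $t
            if (Test-ExternalAddress $smtp) { $reasons += "forwards to external $smtp" }
        }
        if ($targets.Count -gt 0 -and $rule.DeleteMessage) {
            # Forward-then-delete hides the trigger message from the victim.
            $reasons += 'forwards and deletes the message'
        }
        # Attacker rules are commonly keyed on an unusual subject or body token.
        if ($targets.Count -gt 0 -and ($rule.SubjectContainsWords -or $rule.BodyContainsWords)) {
            $reasons += 'forwarding keyed on specific subject/body words'
        }

        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $rule.Name
                Enabled = $rule.Enabled   # disabled rules still sync to a fresh Outlook install
                Reasons = ($reasons -join '; ')
            })
        }
    }
}

$findings | Sort-Object Mailbox, Rule | Format-Table -AutoSize
```

Run it from an Exchange Online PowerShell session after Connect-ExchangeOnline. Because the synchronized rules are what re-infect a freshly installed client, every flagged rule should be reviewed in the mailbox itself rather than on the endpoint, and disabled rules are reported on purpose: they are still stored in the mailbox and still sync.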