
How do you scan your mailbox rules for vulnerability?



What are mailbox rules?


Mailbox rules automate specific actions on your email account's incoming and outgoing messages. Inbox rules become a great convenience once you learn how to use them efficiently. Some of the features include creating rules that change the importance level of messages as they come in, automatically move them to other folders, or delete them based on certain criteria. This can help prevent overcrowding of your inbox. For example, many people get advertisement messages, and you can have all messages with the words "Buy now" deleted upon entering your inbox. Once you realize the possibilities, the number of rules you have will greatly increase. What if you wanted to view these rules outside of Microsoft Outlook?


About Microsoft Exchange Web Services (EWS)


Exchange is a popular email messaging system from Microsoft that runs on Windows servers. The web services in Exchange provide access to mailbox data stored in Exchange Online. Using Exchange Web Services, you can access data in Outlook in many ways. It allows operations such as message recording, message tracking, and even accessing inbox rules. There is a cross-platform Python package for interacting with eDiscovery endpoints using Exchange Web Services for Exchange 2010 to 2019 and Office 365. Without this package, it would take many more steps to access our inbox rules.


Why should mailbox rule scans be a part of vulnerability scans?


Since 2017, mailbox rule exploits have become more prevalent in cybersecurity attacks. An attacker gains access to a compromised email account, then creates an auto-forwarding rule that is triggered when the mailbox receives an email that fits their criteria. This way the attacker automatically gets a copy of the email information without the user knowing it. This can continue to happen even when the user or IT administrator changes the password for the account. The forwarding rule will continue to operate until it is deleted. This is why mailbox rule scans are important to email security. In the next sections, I will explain how to build a script to automatically scan the mailbox rules to help you identify potential risks to your information security.


Py-ews


Installation


pip install py-ews

This will install all the dependencies needed to access your inbox rules.


Implementation


The first step in using py-ews is to create a UserConfiguration object. Think of this as all the connection information for Exchange Web Services.



from pyews import UserConfiguration

# Connection details (account and password) for Exchange Web Services
userconfig = UserConfiguration(
      'myaccount@company.com',
      'Password1234'
)


Now that you have a UserConfiguration object, you can use a ServiceEndpoint. This example demonstrates how to list all the inbox rules you currently have.



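from pyews import UserConfiguration, GetInboxRules

# Connection details for Exchange Web Services
userconfig = UserConfiguration('user_email','user_password')

# Fetch the inbox rules for the given mailbox
inboxRules = GetInboxRules('user_email', userconfig).response

# Print each key and value of every rule on its own line
for i in inboxRules:
    for j in i:
        print(j, ":", i[j])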



Here are the results




GetInboxRules takes two parameters: the email address of the mailbox you want to access and the userconfig object that was previously created.


I added the nested loop to print each key and value pair on their own line.

If you'd rather have the original format, just omit the nested loop and use the command below.



print(inboxRules)

Note:


Make sure when running this script in the terminal you use the command below. If not, a syntax error will show up.


python name_of_file
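
Once the rules are listed, the scan can flag the auto-forwarding rules described earlier. The following is an added example, not part of the original script or of py-ews. It assumes each rule is a nested dict whose keys follow the EWS rule schema (DisplayName, ForwardToRecipients, RedirectToRecipients); the shape py-ews actually returns may differ, so keys are matched ignoring case and underscores. SAMPLE_RULES and the domains in it are constructed.

```python
import re

# EWS rule actions that send mail out of the mailbox, in the form _norm() produces
FORWARD_ACTIONS = {"forwardtorecipients", "forwardasattachmenttorecipients",
                   "redirecttorecipients"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _norm(key):
    """Lowercase and keep letters only, so forward_to_recipients == ForwardToRecipients."""
    return re.sub(r"[^a-z]", "", str(key).lower())

def _walk(node, path=()):
    """Yield (normalized_key_path, leaf_value) for every leaf in nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (_norm(key),))
    elif isinstance(node, (list, tuple)):
        for item in node:
            yield from _walk(item, path)
    else:
        yield path, node

def external_forwards(rule, internal_domains):
    """Return the sorted addresses outside internal_domains that a rule forwards to."""
    internal = {d.lower() for d in internal_domains}
    found = {m.group(0).lower()
             for path, value in _walk(rule) if FORWARD_ACTIONS.intersection(path)
             for m in EMAIL_RE.finditer(str(value))}
    return sorted(a for a in found if a.split("@")[1] not in internal)

def scan_rules(rules, internal_domains):
    """Return [(rule name, [external addresses])] for rules that forward externally."""
    findings = []
    for rule in rules:
        external = external_forwards(rule, internal_domains)
        if external:
            name = next((v for p, v in _walk(rule) if p[-1:] == ("displayname",)), "?")
            findings.append((name, external))
    return findings

# Constructed sample rules, not real mailbox output
SAMPLE_RULES = [
    {"DisplayName": "Delete ads", "Actions": {"Delete": "true"}},
    {"DisplayName": "invoices", "Conditions": {"ContainsSubjectStrings": ["invoice"]},
     "Actions": {"ForwardToRecipients": [{"EmailAddress": "drop@mail.example.net"}]}},
    {"DisplayName": "To assistant",
     "Actions": {"redirect_to_recipients": ["assistant@company.com"]}},
]
```

To scan a live mailbox, pass the inboxRules list from the script above in place of SAMPLE_RULES, with your own mail domains as internal_domains.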

You can find the full script at our GitHub.

Although the blog is over for now, this is not the end. In our next update, we will discuss a feature that allows one to access inbox rules that are hidden.

Learn more about HacWare at hacware.com. If you are a Managed Security Service provider (MSSP), we would love to automate your security education services; click here to learn more about our partner program.


