Hidden Inbox Rules in Microsoft Exchange – Compass Security Blog
<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Hidden Inbox Rules in Microsoft Exchange – Compass Security Blog</title> <meta name='robots' content='max-image-preview:large' /> <script data-no-defer="1" data-ezscrex="false" data-cfasync="false" data-pagespeed-no-defer data-cookieconsent="ignore"> var ctPublicFunctions = {"_ajax_nonce":"4b1f31a896","_rest_nonce":"6ebea893d7","_ajax_url":"\/wp-admin\/admin-ajax.php","_rest_url":"https:\/\/blog.compass-security.com\/wp-json\/","data__cookies_type":"none","data__ajax_type":"admin_ajax","text__wait_for_decoding":"Decoding the contact data, let us a few seconds to finish. Anti-Spam by CleanTalk","cookiePrefix":"","wprocket_detected":false} </script> <script data-no-defer="1" data-ezscrex="false" data-cfasync="false" data-pagespeed-no-defer data-cookieconsent="ignore"> var ctPublic = {"_ajax_nonce":"4b1f31a896","settings__forms__check_internal":"0","settings__forms__check_external":"0","settings__forms__search_test":"0","settings__data__bot_detector_enabled":"0","blog_home":"https:\/\/blog.compass-security.com\/","pixel__setting":"0","pixel__enabled":false,"pixel__url":null,"data__email_check_before_post":"1","data__cookies_type":"none","data__key_is_ok":true,"data__visible_fields_required":true,"wl_brandname":"Anti-Spam by CleanTalk","wl_brandname_short":"CleanTalk","ct_checkjs_key":179676743,"emailEncoderPassKey":"96ce9d06a11dcbba7128f27771d09be8","bot_detector_forms_excluded":"W10=","advancedCacheExists":false,"varnishCacheExists":false,"wc_ajax_add_to_cart":false} </script> <link rel="alternate" type="application/rss+xml" title="Compass Security Blog » Feed" href="https://blog.compass-security.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Compass Security Blog » Comments Feed" href="https://blog.compass-security.com/comments/feed/" /> <link rel="alternate" 
type="application/rss+xml" title="Compass Security Blog » Hidden Inbox Rules in Microsoft Exchange Comments Feed" href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/blog.compass-security.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.2"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var 
t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' 
href='https://blog.compass-security.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #fff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--accent: #014176;--wp--preset--color--dark-gray: #444;--wp--preset--color--medium-gray: #666;--wp--preset--color--light-gray: #888;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 
0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 16px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 24px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--regular: 19px;--wp--preset--font-size--larger: 32px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: 
center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) 
!important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) 
!important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 
1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='ct_public_css-css' href='https://blog.compass-security.com/wp-content/plugins/cleantalk-spam-protect/css/cleantalk-public.min.css?ver=6.42.1' type='text/css' media='all' /> <link rel='stylesheet' id='wp-featherlight-css' href='https://blog.compass-security.com/wp-content/plugins/wp-featherlight/css/wp-featherlight.min.css?ver=1.3.4' type='text/css' media='all' /> <link rel='stylesheet' id='enlighterjs-css' href='https://blog.compass-security.com/wp-content/plugins/enlighter/cache/enlighterjs.min.css?ver=bolAfeK8q5zoJbL' type='text/css' media='all' /> <link rel='stylesheet' id='hemingway_googleFonts-css' href='https://blog.compass-security.com/wp-content/themes/hemingway/assets/css/fonts.css' type='text/css' media='all' /> <link rel='stylesheet' id='hemingway_style-css' href='https://blog.compass-security.com/wp-content/themes/hemingway/style.css?ver=2.3.2' type='text/css' media='all' /> <link rel='stylesheet' id='child-style-css' href='https://blog.compass-security.com/wp-content/themes/compass_security/style.css?ver=21.1.0' type='text/css' media='all' /> <script type="text/javascript" src="https://blog.compass-security.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://blog.compass-security.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" data-pagespeed-no-defer src="https://blog.compass-security.com/wp-content/plugins/cleantalk-spam-protect/js/apbct-public-bundle.min.js?ver=6.42.1" id="ct_public_functions-js"></script> <script type="text/javascript" src="https://blog.compass-security.com/wp-content/themes/compass_security/js/featherlight_img.js?ver=6.6.2" id="wp-featherlight-img-js"></script> <link rel="https://api.w.org/" href="https://blog.compass-security.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" 
href="https://blog.compass-security.com/wp-json/wp/v2/posts/3639" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blog.compass-security.com/xmlrpc.php?rsd" /> <link rel="canonical" href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/" /> <link rel='shortlink' href='https://blog.compass-security.com/?p=3639' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://blog.compass-security.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.compass-security.com%2F2018%2F09%2Fhidden-inbox-rules-in-microsoft-exchange%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://blog.compass-security.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.compass-security.com%2F2018%2F09%2Fhidden-inbox-rules-in-microsoft-exchange%2F&format=xml" /> <!--Customizer CSS--> <style type="text/css"> body::selection { background:#014176; } body a { color:#014176; } body a:hover { color:#014176; } .blog-title a:hover { color:#014176; } .blog-menu a:hover { color:#014176; } .blog-search #searchsubmit { background-color:#014176; } .blog-search #searchsubmit { border-color:#014176; } .blog-search #searchsubmit:hover { background-color:#014176; } .blog-search #searchsubmit:hover { border-color:#014176; } .featured-media .sticky-post { background-color:#014176; } .post-title a:hover { color:#014176; } .post-meta a:hover { color:#014176; } .post-content a { color:#014176; } .post-content a:hover { color:#014176; } .blog .format-quote blockquote cite a:hover { color:#014176; } .post-content a.more-link:hover { background-color:#014176; } .post-content input[type="submit"]:hover { background-color:#014176; } .post-content input[type="reset"]:hover { background-color:#014176; } .post-content input[type="button"]:hover { background-color:#014176; } .post-content fieldset legend { background-color:#014176; } .post-content .searchform #searchsubmit { background:#014176; } 
.post-content .searchform #searchsubmit { border-color:#014176; } .post-content .searchform #searchsubmit:hover { background:#014176; } .post-content .searchform #searchsubmit:hover { border-color:#014176; } .post-categories a { color:#014176; } .post-categories a:hover { color:#014176; } .post-tags a:hover { background:#014176; } .post-tags a:hover:after { border-right-color:#014176; } .post-nav a:hover { color:#014176; } .archive-nav a:hover { color:#014176; } .logged-in-as a { color:#014176; } .logged-in-as a:hover { color:#014176; } .content #respond input[type="submit"]:hover { background-color:#014176; } .comment-meta-content cite a:hover { color:#014176; } .comment-meta-content p a:hover { color:#014176; } .comment-actions a:hover { color:#014176; } #cancel-comment-reply-link { color:#014176; } #cancel-comment-reply-link:hover { color:#014176; } .comment-nav-below a:hover { color:#014176; } .widget-title a { color:#014176; } .widget-title a:hover { color:#014176; } .widget_text a { color:#014176; } .widget_text a:hover { color:#014176; } .widget_rss a { color:#014176; } .widget_rss a:hover { color:#014176; } .widget_archive a { color:#014176; } .widget_archive a:hover { color:#014176; } .widget_meta a { color:#014176; } .widget_meta a:hover { color:#014176; } .widget_recent_comments a { color:#014176; } .widget_recent_comments a:hover { color:#014176; } .widget_pages a { color:#014176; } .widget_pages a:hover { color:#014176; } .widget_links a { color:#014176; } .widget_links a:hover { color:#014176; } .widget_recent_entries a { color:#014176; } .widget_recent_entries a:hover { color:#014176; } .widget_categories a { color:#014176; } .widget_categories a:hover { color:#014176; } .widget_search #searchsubmit { background:#014176; } .widget_search #searchsubmit { border-color:#014176; } .widget_search #searchsubmit:hover { background:#014176; } .widget_search #searchsubmit:hover { border-color:#014176; } #wp-calendar a { color:#014176; } #wp-calendar a:hover { 
color:#014176; } #wp-calendar tfoot a:hover { color:#014176; } .dribbble-shot:hover { background:#014176; } .widgetmore a { color:#014176; } .widgetmore a:hover { color:#014176; } .flickr_badge_image a:hover img { background:#014176; } .footer .flickr_badge_image a:hover img { background:#014176; } .footer .dribbble-shot:hover img { background:#014176; } .sidebar .tagcloud a:hover { background:#014176; } .footer .tagcloud a:hover { background:#014176; } .credits a:hover { color:#014176; } body#tinymce.wp-editor a { color:#014176; } body#tinymce.wp-editor a:hover { color:#014176; } </style> <!--/Customizer CSS--> <style type="text/css"><!-- Customizer CSS -->::selection { background-color: #014176; }.featured-media .sticky-post { background-color: #014176; }fieldset legend { background-color: #014176; }:root .has-accent-background-color { background-color: #014176; }button:hover { background-color: #014176; }.button:hover { background-color: #014176; }.faux-button:hover { background-color: #014176; }a.more-link:hover { background-color: #014176; }.wp-block-button__link:hover { background-color: #014176; }.is-style-outline .wp-block-button__link.has-accent-color:hover { background-color: #014176; }.wp-block-file__button:hover { background-color: #014176; }input[type="button"]:hover { background-color: #014176; }input[type="reset"]:hover { background-color: #014176; }input[type="submit"]:hover { background-color: #014176; }.post-tags a:hover { background-color: #014176; }.content #respond input[type="submit"]:hover { background-color: #014176; }.search-form .search-submit { background-color: #014176; }.sidebar .tagcloud a:hover { background-color: #014176; }.footer .tagcloud a:hover { background-color: #014176; }.is-style-outline .wp-block-button__link.has-accent-color:hover { border-color: #014176; }.post-tags a:hover:after { border-right-color: #014176; }a { color: #014176; }.blog-title a:hover { color: #014176; }.blog-menu a:hover { color: #014176; }.post-title 
a:hover { color: #014176; }.post-meta a:hover { color: #014176; }.blog .format-quote blockquote cite a:hover { color: #014176; }:root .has-accent-color { color: #014176; }.post-categories a { color: #014176; }.post-categories a:hover { color: #014176; }.post-nav a:hover { color: #014176; }.archive-nav a:hover { color: #014176; }.comment-meta-content cite a:hover { color: #014176; }.comment-meta-content p a:hover { color: #014176; }.comment-actions a:hover { color: #014176; }#cancel-comment-reply-link { color: #014176; }#cancel-comment-reply-link:hover { color: #014176; }.widget-title a { color: #014176; }.widget-title a:hover { color: #014176; }.widget_text a { color: #014176; }.widget_text a:hover { color: #014176; }.widget_rss a { color: #014176; }.widget_rss a:hover { color: #014176; }.widget_archive a { color: #014176; }.widget_archive a:hover { color: #014176; }.widget_meta a { color: #014176; }.widget_meta a:hover { color: #014176; }.widget_recent_comments a { color: #014176; }.widget_recent_comments a:hover { color: #014176; }.widget_pages a { color: #014176; }.widget_pages a:hover { color: #014176; }.widget_links a { color: #014176; }.widget_links a:hover { color: #014176; }.widget_recent_entries a { color: #014176; }.widget_recent_entries a:hover { color: #014176; }.widget_categories a { color: #014176; }.widget_categories a:hover { color: #014176; }#wp-calendar a { color: #014176; }#wp-calendar a:hover { color: #014176; }#wp-calendar tfoot a:hover { color: #014176; }.wp-calendar-nav a:hover { color: #014176; }.widgetmore a { color: #014176; }.widgetmore a:hover { color: #014176; }</style><!-- /Customizer CSS --><link rel="icon" href="https://blog.compass-security.com/wp-content/uploads/2017/03/compass_128x128.png" sizes="32x32" /> <link rel="icon" href="https://blog.compass-security.com/wp-content/uploads/2017/03/compass_128x128.png" sizes="192x192" /> <link rel="apple-touch-icon" 
href="https://blog.compass-security.com/wp-content/uploads/2017/03/compass_128x128.png" /> <meta name="msapplication-TileImage" content="https://blog.compass-security.com/wp-content/uploads/2017/03/compass_128x128.png" /> <style type="text/css" id="wp-custom-css"> .cli-switch input:checked + .cli-slider { background-color: rgb(1, 65, 118); } .cli-tab-footer .wt-cli-privacy-accept-btn { background-color: rgb(1, 65, 118); } .post-content .horizontal-scroll code { overflow: auto; white-space: pre; word-wrap: normal; } </style> </head> <body class="post-template-default single single-post postid-3639 single-format-standard wp-featherlight-captions"> <div class="big-wrapper"> <div class="header-cover section bg-dark-light no-padding"> <div class="header section" style="background-image: url(https://blog.compass-security.com/wp-content/themes/compass_security/images/header.png);"> <div class="header-inner section-inner"> <div class="blog-info"> <h2 class="blog-title"> <a href="https://blog.compass-security.com" title="Compass Security Blog — Offensive Defense" rel="home">Compass Security Blog</a> </h2> <h3 class="blog-description">Offensive Defense</h3> </div> <!-- /blog-info --> </div> <!-- /header-inner --> </div> <!-- /header --> </div> <!-- /bg-dark --> <div class="navigation section no-padding bg-dark"> <div class="navigation-inner section-inner"> <div class="toggle-container hidden"> <div class="nav-toggle toggle"> <div class="bar"></div> <div class="bar"></div> <div class="bar"></div> <div class="clear"></div> </div> <div class="search-toggle toggle"> <div class="metal"></div> <div class="glass"></div> <div class="handle"></div> </div> <div class="clear"></div> </div> <!-- /toggle-container --> <div class="blog-search hidden"> <form method="get" class="searchform" action="https://blog.compass-security.com/"> <input type="search" value="" placeholder="Search" name="s" id="s"/> <input type="submit" id="searchsubmit" value="Search"> </form> </div> <ul 
class="blog-menu"> <li id="menu-item-4780" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-4780"><a href="https://blog.compass-security.com/">Home</a></li> <li id="menu-item-4781" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-4781"><a href="https://blog.compass-security.com/archive/">Archive</a></li> <li id="menu-item-4782" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-4782"><a href="https://blog.compass-security.com/contact/">Contact</a></li> <li id="menu-item-4783" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-4783"><a href="https://blog.compass-security.com/mailing-list-tigerinfo/">Newsletter</a></li> <li id="menu-item-4793" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4793"><a href="https://twitter.com/compasssecurity"><i class="fa fa-twitter" aria-hidden="true"></i></a></li> <li id="menu-item-4794" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4794"><a href="https://ch.linkedin.com/company/compass-security-ag"><i class="fa fa-linkedin" aria-hidden="true"></i></a></li> <li id="menu-item-4792" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4792"><a href="https://compass-security.com/"><i class="fas fa-globe" aria-hidden="true"></i></a></li> <li class="header-search"> <form method="get" id="menusearchsm2" class="searchform" action="https://blog.compass-security.com/"> <input type="search" value="" placeholder="Search" name="s" id="sm2"/> <div class="search-lupe"> <div class="metal"></div> <div class="glass"></div> <div class="handle"></div> </div> </form> </li> <!-- TODO where to place the logo if wanted --> <div class="clear"></div> </ul> <ul class="mobile-menu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-4780"><a href="https://blog.compass-security.com/">Home</a></li> <li class="menu-item 
menu-item-type-post_type menu-item-object-page menu-item-4781"><a href="https://blog.compass-security.com/archive/">Archive</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-4782"><a href="https://blog.compass-security.com/contact/">Contact</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-4783"><a href="https://blog.compass-security.com/mailing-list-tigerinfo/">Newsletter</a></li> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4793"><a href="https://twitter.com/compasssecurity"><i class="fa fa-twitter" aria-hidden="true"></i></a></li> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4794"><a href="https://ch.linkedin.com/company/compass-security-ag"><i class="fa fa-linkedin" aria-hidden="true"></i></a></li> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4792"><a href="https://compass-security.com/"><i class="fas fa-globe" aria-hidden="true"></i></a></li> </ul> </div> <!-- /navigation-inner --> </div> <!-- /navigation --> <div class="wrapper section-inner"> <div class="content left"> <div class="posts"> <div id="post-3639" class="post-3639 post type-post status-publish format-standard hentry category-forensic category-research-2 category-talk category-windows tag-ems tag-exchange tag-mapi-http tag-mfcmapi tag-outlook tag-owa"> <div class="post-header"> <h1 class="post-title"><a href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/" rel="bookmark" title="Hidden Inbox Rules in Microsoft Exchange">Hidden Inbox Rules in Microsoft Exchange</a></h1> <div class="post-meta"> <span class="post-date"><a href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/" title="Hidden Inbox Rules in Microsoft Exchange">September 17, 2018</a></span> <span class="date-sep"> / </span> <span class="post-author"><a 
href="https://blog.compass-security.com/author/dpfammat/" title="Posts by Damian Pfammatter" rel="author">Damian Pfammatter</a></span> <span class="date-sep"> / </span> <a href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/#respond"><span class="comment">0 Comments</span></a> </div> </div> <!-- /post-header --> <div class="post-content"> <div style="border: 0px solid gray; padding: 16px; margin: 0px; background-color: #eeeeee; font-size: 15px;"> <p><strong style="font-size: 20px;">Contents</strong></p> <ul> <li><a href="#Title1">Introduction</a></li> <li><a href="#Title2">Attack</a> <ul> <li><a href="#Title2-1">Overview</a></li> <li><a href="#Title2-2">Step-by-Step</a></li> </ul> </li> <li><a href="#Title3">Detection</a> <ul> <li><a href="#Title3-1">Email Clients</a></li> <li><a href="#Title3-2">Administration Tools</a></li> <li><a href="#Title3-3">Exchange Compliance Features</a></li> <li><a href="#Title3-4">MAPI Editor</a></li> </ul> </li> <li><a href="#Title4">Eradication</a></li> <li><a href="#Title5">Microsoft Security Response Center</a></li> <li><a href="#Title6">Swiss Cyber Storm 2018</a></li> <li><a href="#Title7">Conclusion</a></li> <li><a href="#Title8">References</a></li> </ul> </div> <h3 id="Title1">Introduction</h3> <hr style="width: 100%;" /> <p>In recent investigations, Compass observed that compromising Microsoft Exchange credentials has become increasingly popular among attackers. As one of the first steps after having obtained the credentials (most commonly through phishing), attackers created malicious inbox rules to copy their victim’s incoming and outgoing emails. The attackers’ goal was to keep access to emails even after the compromised credentials were changed.</p> <p>Once a compromised account is detected, such malicious inbox rules are typically easy to spot and remove. 
In fact, they often represent valuable indicators of compromise that can be used to identify other compromised accounts.</p> <p>In this article, we present an undocumented method that can be used to hide such inbox rules. These hidden rules remain functional, but are no longer visible in popular email clients and Exchange administration tools (on-premise and Office365 environments). The described method comes from our own research and has so far not been observed in the wild. However, similar methods might exist and could be used by cyber criminals.</p> <p>In case of a compromised Exchange account, changing credentials might not be enough to stop the leakage of sensitive information. This article shows that the situation might even be worse, in the sense that not even a search for suspicious rules by your Exchange administrator, might be sufficient. An in-depth forensic investigation might be required.</p> <h3 id="Title2">Attack</h3> <hr style="width: 100%;" /> <h4 id="Title2-1">Overview</h4> <p>The attack consists of the following 5 steps:</p> <p><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/Flowchart.png" target="_blank" rel="noopener noreferrer"><img fetchpriority="high" decoding="async" class="wp-image-3670 aligncenter" src="https://blog.compass-security.com/wp-content/uploads/2018/09/Flowchart.png" alt="Attack Overview" width="330" height="405" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/Flowchart.png 391w, https://blog.compass-security.com/wp-content/uploads/2018/09/Flowchart-244x300.png 244w" sizes="(max-width: 330px) 100vw, 330px" /></a><br /> The main focus of this article lies on step 4. The described method for hiding inbox rules, was – to the best of our knowledge – so far undocumented. Step 4 has therefore been reported to Microsoft’s Security Response Center. 
Their reply is included later on in this article.</p> <h4 id="Title2-2">Step-by-Step</h4> <p><strong>Steps 1/2</strong><br /> We assume that an attacker successfully completed steps 1 and 2, meaning that she has opened the victim’s mailbox in Outlook.</p> <p><strong>Step 3</strong><br /> As a next step, the attacker uses Outlook’s wizard to create a rule on the victim’s inbox. For example, the following rule could copy all incoming emails and forward them to an attacker-controlled address.</p> <div id="attachment_3698" style="width: 860px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/CreateInboxRule.png" target="_blank" rel="noopener noreferrer"><img decoding="async" aria-describedby="caption-attachment-3698" class="size-full wp-image-3698" src="https://blog.compass-security.com/wp-content/uploads/2018/09/CreateInboxRule.png" alt="Create Inbox Rule" width="850" height="663" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/CreateInboxRule.png 850w, https://blog.compass-security.com/wp-content/uploads/2018/09/CreateInboxRule-300x234.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/CreateInboxRule-768x599.png 768w, https://blog.compass-security.com/wp-content/uploads/2018/09/CreateInboxRule-676x527.png 676w" sizes="(max-width: 850px) 100vw, 850px" /></a><p id="caption-attachment-3698" class="wp-caption-text">Creating an inbox rule in Outlook</p></div> <p>After finishing the wizard, the newly created rule is enabled and visible in Outlook’s “Rules and Alerts” dialog.</p> <div id="attachment_3701" style="width: 587px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowInboxRule.png" target="_blank" rel="noopener noreferrer"><img decoding="async" aria-describedby="caption-attachment-3701" class="size-full wp-image-3701" src="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowInboxRule.png" alt="Show Inbox 
Rule" width="577" height="476" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowInboxRule.png 577w, https://blog.compass-security.com/wp-content/uploads/2018/09/ShowInboxRule-300x247.png 300w" sizes="(max-width: 577px) 100vw, 577px" /></a><p id="caption-attachment-3701" class="wp-caption-text">Showing the inbox rule in Outlook</p></div> <p><strong>Step 4</strong><br /> In step 3, the attacker created a regular inbox rule to steal a victim’s incoming emails. The goal of step 4 is to hide this rule. By hiding, we mean that the rule remains functional but is neither displayed in popular email clients (such as Outlook and OWA) nor returned by Exchange administration tools (e.g. Exchange Management Shell).</p> <p>To achieve this, the attacker makes use of Microsoft’s Messaging API (MAPI). MAPI is a middleware that messaging applications (such as Outlook) can use to access the messaging subsystem of Windows. To demonstrate the attack of making an inbox rule hidden, we use a MAPI client called “MFCMapi” (recently renamed to “Microsoft Exchange Server Messaging API Editor”) [<a href="#Title8">Ref. #1</a>]. 
MFCMapi allows us to view and set low-level contents (raw data) of underlying Exchange storage databases.</p> <p>The screenshot below shows the raw inbox rule, created in step 3, opened in MFCMapi.</p> <div id="attachment_3704" style="width: 686px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule1.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3704" class="size-large wp-image-3704" src="https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule1-1024x652.png" alt="Open Inbox Rule" width="676" height="430" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule1-1024x652.png 1024w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule1-300x191.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule1-768x489.png 768w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule1-676x430.png 676w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule1.png 1026w" sizes="(max-width: 676px) 100vw, 676px" /></a><p id="caption-attachment-3704" class="wp-caption-text">Opening inbox rule in MFCMapi</p></div> <p>The whole magic for making the rule hidden, is to empty the following 2 properties of the inbox’s “Associated Content Table”:</p> <ul> <li>PR_RULE_MSG_NAME <– Empty ANSI String</li> <li>PR_RULE_MSG_PROVIDER <– Empty ANSI String</li> </ul> <div id="attachment_3706" style="width: 686px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule2.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3706" class="size-large wp-image-3706" src="https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule2-1024x652.png" alt="Open Inbox Rule" width="676" height="430" 
srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule2-1024x652.png 1024w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule2-300x191.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule2-768x489.png 768w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule2-676x430.png 676w, https://blog.compass-security.com/wp-content/uploads/2018/09/OpenInboxRule2.png 1026w" sizes="(max-width: 676px) 100vw, 676px" /></a><p id="caption-attachment-3706" class="wp-caption-text">Tampering with rule properties in MFCMapi</p></div> <p>As we will see in a moment, emptying these 2 properties makes an inbox rule invisible to common messaging applications, as well as to Exchange administration tools.</p> <p>Such an inbox rule is therefore much more difficult to detect, both from the perspective of the victim and from that of the administrator.</p> <p><strong>Step 5</strong><br /> How to take advantage of a stealthy forwarding rule is outside the scope of this article.</p> <p><strong>Note: </strong>To automate the described attack, steps 2-4 could be scripted. Analogous to some messaging applications (e.g. Outlook), remote access to mailboxes could be handled using the MAPI over HTTP protocol [<a href="#Title8">Ref. #2</a>].</p> <h3 id="Title3">Detection</h3> <hr style="width: 100%;" /> <h4 id="Title3-1">Email Clients</h4> <p>When looking back at Outlook, the inbox rule tampered with in step 4 no longer appears. 
Also, Outlook does not show any warnings giving the victim an indication of a corrupted inbox rule.</p> <div id="attachment_3714" style="width: 587px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3714" class="size-full wp-image-3714" src="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule.png" alt="Show Inbox Rule" width="577" height="476" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule.png 577w, https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule-300x247.png 300w" sizes="(max-width: 577px) 100vw, 577px" /></a><p id="caption-attachment-3714" class="wp-caption-text">Showing the tampered inbox rule in Outlook</p></div> <p>The same applies for Outlook Web Access (OWA).</p> <div id="attachment_3716" style="width: 968px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule2.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3716" class="size-full wp-image-3716" src="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule2.png" alt="Show Inbox Rule" width="958" height="458" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule2.png 958w, https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule2-300x143.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule2-768x367.png 768w, https://blog.compass-security.com/wp-content/uploads/2018/09/ShowModifiedInboxRule2-676x323.png 676w" sizes="(max-width: 958px) 100vw, 958px" /></a><p id="caption-attachment-3716" class="wp-caption-text">Showing the tampered inbox rule in 
OWA</p></div> <h4 id="Title3-2">Administration Tools</h4> <p>Next, we show that the tampered rule is not returned by the Exchange Management Shell (EMS). The EMS is a command line interface that enables administrators to manage Exchange servers.</p> <p>With the EMS, inbox rules and their properties can be listed using the “Get-InboxRule” cmdlet. The screenshot below shows the regular inbox rule that the attacker created in step 3 above.</p> <div id="attachment_3718" style="width: 934px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS1.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3718" class="size-full wp-image-3718" src="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS1.png" alt="Get-InboxRule" width="924" height="174" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS1.png 924w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS1-300x56.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS1-768x145.png 768w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS1-676x127.png 676w" sizes="(max-width: 924px) 100vw, 924px" /></a><p id="caption-attachment-3718" class="wp-caption-text">Listing the regular inbox rules using the EMS</p></div> <p>After the attacker performed step 4, i.e. after she cleared the aforementioned properties, the rule is no longer returned. 
Despite still being functional, the rule therefore does not show up for an administrator who uses the EMS (or other admin tools relying on the EMS) while investigating a suspicious mailbox.</p> <div id="attachment_3719" style="width: 699px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS2.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3719" class="size-full wp-image-3719" src="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS2.png" alt="Get-InboxRule" width="689" height="27" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS2.png 689w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS2-300x12.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS2-676x26.png 676w" sizes="(max-width: 689px) 100vw, 689px" /></a><p id="caption-attachment-3719" class="wp-caption-text">Listing the tampered inbox rule using the EMS</p></div> <p>Even a Microsoft-provided PowerShell script [<a href="#Title8">Ref. #3</a>], recommended for investigating compromised accounts, relies on the mentioned cmdlet. 
The script is therefore not usable to detect or remove any inbox rules made hidden with the here listed method.</p> <div id="attachment_3720" style="width: 933px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/PowerShellScript.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3720" class="size-full wp-image-3720" src="https://blog.compass-security.com/wp-content/uploads/2018/09/PowerShellScript.png" alt="Remediation Script" width="923" height="260" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/PowerShellScript.png 923w, https://blog.compass-security.com/wp-content/uploads/2018/09/PowerShellScript-300x85.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/PowerShellScript-768x216.png 768w, https://blog.compass-security.com/wp-content/uploads/2018/09/PowerShellScript-676x190.png 676w" sizes="(max-width: 923px) 100vw, 923px" /></a><p id="caption-attachment-3720" class="wp-caption-text">Microsoft’s PowerShell script to remediate breached accounts relies on the “Get-InboxRule” cmdlet</p></div> <p><strong>Note: </strong>The help of the “Get-InboxRule” cmdlet lists a flag named “IncludeHidden”. However, when showing the help in full details (Get-Help Get-InboxRule -full), one can see that the flag is reserved for Microsoft internal use. 
It is therefore not usable to detect rules that were made hidden by the method described in step 4.</p> <div id="attachment_3722" style="width: 936px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS3.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3722" class="size-full wp-image-3722" src="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS3.png" alt="Get-InboxRule" width="926" height="189" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/EMS3.png 926w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS3-300x61.png 300w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS3-768x157.png 768w, https://blog.compass-security.com/wp-content/uploads/2018/09/EMS3-676x138.png 676w" sizes="(max-width: 926px) 100vw, 926px" /></a><p id="caption-attachment-3722" class="wp-caption-text">Showing the “IncludeHidden” flag of the Get-InboxRule cmdlet</p></div> <h4 id="Title3-3">Exchange Compliance Features</h4> <p>Evidence of hidden forwarding rules that transfer messages to other mailboxes might be found in the “Message Tracking” compliance features of Exchange (enabled by default). The logs will include an entry for each forwarded message. Note, however, that rules with other actions, such as deleting selected messages before they are read by the victim, would not be tracked by “Message Tracking”.</p> <h4 id="Title3-4">MAPI Editor</h4> <p>The only way currently known to us to reliably detect hidden inbox rules is through the use of a MAPI editor such as “MFCMapi”. The tool allows us to get raw access to the underlying storage database and to list corrupted or suspicious rules.</p> <h3 id="Title4">Eradication</h3> <hr style="width: 100%;" /> <p>The best way to remove hidden inbox rules is again through a MAPI editor such as “MFCMapi”. 
Alternatively, you can run Outlook with the “/cleanrules” flag. This, however, removes all the rules on the corresponding mailbox (not only the hidden ones).</p> <div id="attachment_3725" style="width: 409px" class="wp-caption aligncenter"><a href="https://blog.compass-security.com/wp-content/uploads/2018/09/CleanOutlookRules.png" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3725" class="size-full wp-image-3725" src="https://blog.compass-security.com/wp-content/uploads/2018/09/CleanOutlookRules.png" alt="Clean Outlook Rules" width="399" height="206" srcset="https://blog.compass-security.com/wp-content/uploads/2018/09/CleanOutlookRules.png 399w, https://blog.compass-security.com/wp-content/uploads/2018/09/CleanOutlookRules-300x155.png 300w" sizes="(max-width: 399px) 100vw, 399px" /></a><p id="caption-attachment-3725" class="wp-caption-text">Clearing inbox rules in Outlook</p></div> <p>Unfortunately, neither of these methods is easily applicable corporation-wide (they work only on individual mailboxes).</p> <h3 id="Title5">Microsoft Security Response Center</h3> <hr style="width: 100%;" /> <p>We informed the security response center of Microsoft about the identified way to hide inbox rules. Here is what they replied:</p> <p><em>“[…] Our engineering team investigated the behavior that you described. They determined that it is not considered a security issue because it requires control of the account to create these rules. However, they are considering ways to improve the software in the future.”</em></p> <p><em>“[…] MSRC will not be tracking the issue and we won’t have future updates about it […]”</em></p> <p>We will leave the reply without further comment. Be aware that in case of a compromised Exchange account, solely changing the account’s credentials and having your administrator review inbox rules might not necessarily stop an attacker from gaining access to a victim’s emails. 
An in-depth forensic investigation might be required.</p> <h3 id="Title6">Swiss Cyber Storm 2018</h3> <hr style="width: 100%;" /> <p>Compass Security is a Silver Sponsor at this year’s Swiss Cyber Storm security conference [<a href="#Title8">Ref. #4</a>]. We will give a talk where we further elaborate on the topic of hidden inbox rules. Join us for the talk, or visit our booth and play a round of darts to win some beers.</p> <h3 id="Title7">Conclusion</h3> <hr style="width: 100%;" /> <p>In this article, we described a method for creating Exchange inbox rules that are not shown by Outlook/OWA and the Exchange Management Shell. The precondition for this is that an attacker has access to the victim’s mailbox. Changing a victim’s credentials and having your Exchange administrator look for existing inbox rules might not be sufficient to detect such rules. Microsoft does not consider the described method a security issue.</p> <h3 id="Title8">References</h3> <hr style="width: 100%;" /> <ol> <li>MFCMapi Editor<br /> <a href="https://archive.codeplex.com/?p=mfcmapi">https://archive.codeplex.com/?p=mfcmapi</a></li> <li>MAPI over HTTP<br /> <a href="https://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http">https://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http</a></li> <li>Disable Mailforwarding to External Domains<br /> <a href="https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/">https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/</a></li> <li>Swiss Cyber Storm Conference<br /> <a href="https://www.swisscyberstorm.com">https://www.swisscyberstorm.com</a></li> </ol> </div> <!-- /post-content --> <div class="clear"></div> <div class="post-meta-bottom"> <p class="post-categories"><span class="category-icon"><span class="front-flap"></span></span> <a 
tag-link-position-31" style="font-size: 9.9310344827586pt;" aria-label="relay (5 items)">relay</a> <a href="https://blog.compass-security.com/tag/research/" class="tag-cloud-link tag-link-30 tag-link-position-32" style="font-size: 22pt;" aria-label="Research (18 items)">Research</a> <a href="https://blog.compass-security.com/tag/saml/" class="tag-cloud-link tag-link-262 tag-link-position-33" style="font-size: 12.827586206897pt;" aria-label="SAML (7 items)">SAML</a> <a href="https://blog.compass-security.com/tag/saml-raider/" class="tag-cloud-link tag-link-265 tag-link-position-34" style="font-size: 9.9310344827586pt;" aria-label="SAML Raider (5 items)">SAML Raider</a> <a href="https://blog.compass-security.com/tag/security/" class="tag-cloud-link tag-link-114 tag-link-position-35" style="font-size: 11.620689655172pt;" aria-label="Security (6 items)">Security</a> <a href="https://blog.compass-security.com/tag/sharepoint/" class="tag-cloud-link tag-link-196 tag-link-position-36" style="font-size: 9.9310344827586pt;" aria-label="SharePoint (5 items)">SharePoint</a> <a href="https://blog.compass-security.com/tag/smart-grid/" class="tag-cloud-link tag-link-137 tag-link-position-37" style="font-size: 8pt;" aria-label="Smart Grid (4 items)">Smart Grid</a> <a href="https://blog.compass-security.com/tag/social-engineering/" class="tag-cloud-link tag-link-15 tag-link-position-38" style="font-size: 11.620689655172pt;" aria-label="Social Engineering (6 items)">Social Engineering</a> <a href="https://blog.compass-security.com/tag/sudo/" class="tag-cloud-link tag-link-107 tag-link-position-39" style="font-size: 9.9310344827586pt;" aria-label="sudo (5 items)">sudo</a> <a href="https://blog.compass-security.com/tag/sudoers/" class="tag-cloud-link tag-link-109 tag-link-position-40" style="font-size: 9.9310344827586pt;" aria-label="sudoers (5 items)">sudoers</a> <a href="https://blog.compass-security.com/tag/vulnerability-2/" class="tag-cloud-link tag-link-27 tag-link-position-41" 
style="font-size: 19.586206896552pt;" aria-label="Vulnerability (14 items)">Vulnerability</a> <a href="https://blog.compass-security.com/tag/web/" class="tag-cloud-link tag-link-268 tag-link-position-42" style="font-size: 8pt;" aria-label="web (4 items)">web</a> <a href="https://blog.compass-security.com/tag/web-security/" class="tag-cloud-link tag-link-289 tag-link-position-43" style="font-size: 11.620689655172pt;" aria-label="Web Security (6 items)">Web Security</a> <a href="https://blog.compass-security.com/tag/xss/" class="tag-cloud-link tag-link-51 tag-link-position-44" style="font-size: 17.172413793103pt;" aria-label="XSS (11 items)">XSS</a> <a href="https://blog.compass-security.com/tag/xxe/" class="tag-cloud-link tag-link-104 tag-link-position-45" style="font-size: 11.620689655172pt;" aria-label="XXE (6 items)">XXE</a></div> </div></div> </div><!-- .sidebar --> <div class="clear"></div> </div> <!-- /wrapper --> <div class="footer section large-padding bg-dark"> <div class="footer-inner section-inner"> <div class="column column-1 left"> <div class="widgets"> <div id="block-10" class="widget widget_block"><div class="widget-content"><h3 class="widget-title">Compass Links</h3> <ul class="xoxo blogroll"> <li><a href="https://www.compass-security.com/en/" target="_blank">Compass Website</a></li> <li><a href="https://www.compass-security.com/en/products/filebox/" target="_blank">FileBox</a></li> <li><a href="https://www.hacking-lab.com/" target="_blank">Hacking-Lab</a></li> <li><a href="https://www.compass-security.com/en/imprint" target="_blank">Impressum</a></li> <li><a href="https://www.compass-security.com/en/legal" target="_blank">Legal</a></li> <li><a href="https://blog.compass-security.com/feed/" target="_blank">RSS Feed</a></li> </ul></div></div> </div> </div> <!-- /footer-a --> <!-- /footer-b --> <div class="clear"></div> </div> <!-- /footer-inner --> </div> <!-- /footer --> <div class="credits section bg-dark no-padding"> <div class="credits-inner 
section-inner"> <p class="credits-left"> © 2024 <a href="https://blog.compass-security.com" title="Compass Security Blog">Compass Security Blog</a> </p> <p class="credits-right"> <span><a title="To the top" class="tothetop">Up ↑</a> </p> <div class="clear"></div> </div> <!-- /credits-inner --> </div> <!-- /credits --> </div> <!-- /big-wrapper --> <script type="text/javascript" src="https://blog.compass-security.com/wp-includes/js/comment-reply.min.js?ver=6.6.2" id="comment-reply-js" async="async" data-wp-strategy="async"></script> <script type="text/javascript" src="https://blog.compass-security.com/wp-content/themes/compass_security/js/search.js?ver=6.6.2" id="child_search-js"></script> <script type="text/javascript" src="https://blog.compass-security.com/wp-content/themes/hemingway/assets/js/global.js?ver=2.3.2" id="hemingway_global-js"></script> <script type="text/javascript" src="https://blog.compass-security.com/wp-content/plugins/wp-featherlight/js/wpFeatherlight.pkgd.min.js?ver=1.3.4" id="wp-featherlight-js"></script> <script type="text/javascript" src="https://blog.compass-security.com/wp-content/plugins/enlighter/cache/enlighterjs.min.js?ver=bolAfeK8q5zoJbL" id="enlighterjs-js"></script> <script type="text/javascript" id="enlighterjs-js-after"> /* <![CDATA[ */ !function(e,n){if("undefined"!=typeof EnlighterJS){var o={"selectors":{"block":"pre.EnlighterJSRAW","inline":"code.EnlighterJSRAW"},"options":{"indent":2,"ampersandCleanup":true,"linehover":true,"rawcodeDbclick":false,"textOverflow":"break","linenumbers":true,"theme":"godzilla","language":"generic","retainCssClasses":false,"collapse":false,"toolbarOuter":"","toolbarTop":"{BTN_RAW}{BTN_COPY}{BTN_WINDOW}{BTN_WEBSITE}","toolbarBottom":""}};(e.EnlighterJSINIT=function(){EnlighterJS.init(o.selectors.block,o.selectors.inline,o.options)})()}else{(n&&(n.error||n.log)||function(){})("Error: EnlighterJS resources not loaded yet!")}}(window,console); /* ]]> */ </script> </body> </html> <!-- Performance 
optimized by Redis Object Cache. Learn more: https://wprediscache.com Retrieved 1605 objects (473 KB) from Redis using PhpRedis (v6.0.2). -->