Attackers often use email forwarding rules to force your email service to send your messages to them even after you change passwords. This “indicator of compromise” is easy to look for and something you should check often. In this article, we’ll show you how to do this it several popular email clients.

Google Suite and Gmail

 1. Log into your Google email Account and click the Gear at the top right

2. Select “Settings” from the gear menu

3. Select “Filters and Blocked Addresses” at the top and review the list for mail filters set up to forward your email without your knowledge

4. Click “Forwarding and POP/IMAP” and make sure there is no forwarding address listed.

Microsoft Office 365,,, Hotmail (Outlook Web Client)

  1. Log into your Outlook web client, select the gear icon at the top right, then click the “View all Outlook Settings” link at the bottom of the resulting menu.

2. Click “Rules” and make sure there are no rules that you did not authorize

3. Click “Forwarding” and make sure forwarding settings are also as expected, and no other (unauthorized) email addresses are listed.

Microsoft Outlook

  1. In Outlook, select “Rules” and “Manage Rules & Alerts”

2. In the “Rules and Alerts” menu, verify that all rules are correct and authorized

Mozilla Thunderbird

  1. Select the Options menu (3 lines) -> Message Filters -> Message Filters

2. Ensure there are no unauthorized filters in this list

Mac Mail (

  1. In Mac Mail, Select Mail -> Preferences

2. Select the “Rules” tab at the top and verify that any rules in the list are expected.

For more information on this topic please reach out to us; we’re here to help!

Did this answer your question?