Office Protect Event - Mail Forwarding Rule(s) to External Destination Created
If an Exchange rule is created to automatically forward emails to a mailbox outside your organization, this event will trigger.
This is a common method used by attackers for data extraction. It automatically sends information quietly out of the business. Office Protect monitors Mail Forwarding Rules from these sources:
- Mail Flow Rules
- Mailbox Forwarding Setting
- Inbox Rules
Any unwanted rules must be disabled through the Exchange Admin Center (EAC).
This situation is an important red flag that your organization may have been compromised. The compromised account should be investigated for other suspicious activity using the Unified Audit Logs. You can look for unwanted behavior from this account, such as:
- Password Change
- SharePoint File Sharing, etc.
Advanced Reporting provides the consolidated forwarding rules that a user can configure in a single report, whether they are external or internal forwarding rules. For user specific Inbox Rules, a detailed report is available through Advanced Reporting.
Office Protect Health Status also keeps you updated with a list of external mail forwarding rules, see Health Status
- Microsoft’s guide for Enabling/Disabling Mailbox Forwarding: https://docs.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019
- Guide for managing Mail Flow Rules: https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules
- Microsoft does not support management of Inbox Rules through the Exchange Admin Center, you must use Exchange Online PowerShell if a rule needs to be deleted: https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps
If you don’t know how to work with PowerShell, our support team will be happy to assist you!