The "M365 Suspicious Mail Forwarding" detection identifies instances where email forwarding rules have been created or modified in ways that deviate from normal usage patterns. This detection helps security teams identify potential data exfiltration or the misuse of email forwarding to evade security controls and maintain access to sensitive communication.
Attackers who have compromised an account often set up forwarding rules to collect incoming emails, exfiltrate sensitive communications, or prevent security alerts from being noticed. This method is particularly effective for long-term data theft as it operates passively and may go unnoticed.
Legitimate use cases include forwarding emails for business continuity, such as executives redirecting emails to assistants or service accounts forwarding communications to support teams. While these are valid activities, they can sometimes trigger the detection if the behavior is new or unusual.
An attacker compromises an employee's account and sets a rule to forward all emails containing specific keywords (e.g., "contract" or "confidential") to an external address.
An executive forwards emails to their assistant for better task management, but the rule's sudden creation flags an alert for review.
If this detection indicates a genuine threat, the organization faces significant risks:
Unauthorized forwarding can result in the leakage of sensitive communications, exposing the organization to data loss and competitive risks.
Forwarded emails often contain internal discussions, business strategies, or customer details, all of which could be exploited if exposed externally.
Malicious forwarding rules can block alerts or notifications, delaying the detection of breaches and increasing the scope of potential damage.
Review the forwarding rules' recipients and actions to determine if they align with business needs and policies.
Check for signs of compromise, such as logins from unusual locations or unexpected changes to account settings.
Contact the user to confirm if the new forwarding rules were intentionally created and are legitimate.
Look for other suspicious activities from the same account, such as unauthorized access to files or data.
Rules redirecting emails to unknown, external, or untrusted addresses are often flagged.
Yes, legitimate forwarding can trigger the detection, especially if the forwarding pattern or destination is new or uncommon for the organization.
Mail forwarding allows attackers to passively collect sensitive information, remain hidden, and potentially intercept security alerts.
Yes, forwarded emails are often decrypted in transit, exposing sensitive data.
Microsoft 365 audit logs provide details on rule creation, modifications, and associated account activities.
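The investigation steps above (review the rule's recipients and actions, look for keyword scoping and other signs of compromise) can be applied directly to the audit records that Microsoft 365 produces for rule changes. The following Python is an added example and not part of the original page or of any vendor's product: it triages a batch of constructed audit records shaped like Exchange admin audit entries (Operation, UserId, ClientIP, and Parameters as Name/Value pairs), flags forwarding targets outside an assumed set of trusted domains, and raises the severity when the rule is scoped to keywords or hides its effect from the mailbox owner. The operation and parameter names, the trusted-domain list and the sample records are all assumptions made for the example.

```python
"""Triage Microsoft 365 audit records for suspicious mail-forwarding rules.

Added example. The record layout mirrors Exchange admin audit entries
(Operation, UserId, ClientIP, Parameters as Name/Value pairs), but the
sample records below are constructed, not real logs.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the organisation's own mail domains. Any other domain is external.
TRUSTED_DOMAINS = {"example.com", "corp.example.com"}

# Operations that create or change forwarding (assumed cmdlet-audit names).
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters that scope a rule to "interesting" mail (the keyword pattern).
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords"}
# Parameters that hide the rule's effect from the mailbox owner.
STEALTH_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

# Extracts the domain from "name@domain", "smtp:name@domain"
# or "Display Name <SMTP:name@domain>".
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    operation: str
    client_ip: str
    external_domains: list = field(default_factory=list)
    keywords: list = field(default_factory=list)
    stealth: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # External destination plus keyword scoping or evidence hiding is the
        # exfiltration pattern; an external destination alone still needs review.
        if self.external_domains and (self.keywords or self.stealth):
            return "high"
        if self.external_domains:
            return "medium"
        return "low"


def _params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external_domains(value: str) -> list:
    """Domains in a recipient string that are not in TRUSTED_DOMAINS."""
    found = {m.group(1).lower() for m in EMAIL_RE.finditer(value)}
    return sorted(d for d in found if d not in TRUSTED_DOMAINS)


def triage(record: dict) -> Optional[Finding]:
    """Return a Finding for a forwarding change worth reviewing, else None."""
    if record.get("Operation") not in FORWARDING_OPS:
        return None
    params = _params(record)
    external = sorted({d for name in FORWARD_PARAMS & set(params)
                       for d in _external_domains(params[name])})
    keywords = [params[n] for n in sorted(KEYWORD_PARAMS & set(params))]
    stealth = [n for n in sorted(STEALTH_PARAMS & set(params))
               if params[n].lower() not in ("", "false")]
    if not (external or keywords or stealth):
        return None  # internal-only forwarding with nothing else odd: not flagged
    return Finding(record.get("UserId", ""), record["Operation"],
                   record.get("ClientIP", ""), external, keywords, stealth)


def run_triage(records) -> list:
    """Triage a batch of records and return findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (triage(r) for r in records) if f]
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T02:14:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "contract;confidential"},
                    {"Name": "ForwardTo", "Value": "Archive <SMTP:archive@mail-drop.example>"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-01T09:30:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "To assistant"},
                    {"Name": "ForwardTo", "Value": "carol@example.com"}]},
    {"CreationTime": "2024-05-01T11:05:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Identity", "Value": "dave@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.archive@partner.example"}]},
    {"CreationTime": "2024-05-01T11:06:00", "Operation": "MailItemsAccessed",
     "UserId": "erin@example.com", "ClientIP": "198.51.100.3", "Parameters": []},
]

if __name__ == "__main__":
    for f in run_triage(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.user} {f.operation} from {f.client_ip}: "
              f"external={f.external_domains} keywords={f.keywords} stealth={f.stealth}")
```

Running the block prints two findings: the keyword-scoped rule that forwards to an external domain and deletes the original is rated high, the mailbox-level forward to an unknown partner domain is rated medium, and the executive-to-assistant rule inside the trusted domain produces no finding at all. The client IP is carried through so the analyst can correlate it with the unusual-location checks described above.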
Reviewing the context, such as the recipient's trust level and the account's recent behavior, can help determine intent.
Immediately disable the rule, investigate the compromised account, and notify affected parties.
Many security solutions, including Microsoft 365 Defender, offer automated rule monitoring and alerting. Vectra AI complements Microsoft 365 Defender by providing advanced AI-driven detection, cross-environment attack correlation, and prioritized threat insights, enabling holistic security coverage and deeper visibility into sophisticated or hidden threats.
Restricting external forwarding to trusted domains or requiring approvals can mitigate risks without hampering legitimate use.
No, Sent Items is not a reliable record: some forwarding rules bypass Sent Items, making tracking difficult without dedicated monitoring.