M365 Suspicious Mail Forwarding



  • Mail forwarding that may be used by an adversary as a collection or exfiltration channel has been observed.

Possible Root Causes

  • An external attacker has established persistent access to the contents of a specific mailbox without needing to maintain any other form of persistence, such as installing software.
  • Employee life-cycle activities, such as a permanent separation or a temporary leave of absence, may legitimately require mailbox modifications that could trigger this detection.
  • Emails belonging to executives may be forwarded to their associated administrative assistants.
  • Emails for service accounts may be forwarded to the staff members who manage those services.

Business Impact

  • Attackers who have gained persistence through the email system may passively collect and exfiltrate data.
  • Sensitive business information often resides in email systems and may be leaked through e-mail theft.

Steps to Verify

  • Verify whether sensitive data has been unintentionally forwarded using this feature.
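The check below is an added example and is not part of the original detection description. It enumerates mailbox-level forwarding set with Set-Mailbox and enabled inbox rules that forward or redirect mail to an address outside the tenant's accepted domains, which are the two configurations this detection describes. It assumes the ExchangeOnlineManagement PowerShell module and an existing Connect-ExchangeOnline session; Test-ExternalRecipient is a helper defined here, not a built-in cmdlet.

```powershell
# Added example: inventory forwarding configurations in Exchange Online.
# Assumes the ExchangeOnlineManagement module and that Connect-ExchangeOnline
# has already been run with an account holding View-Only Recipients rights.

# Accepted domains are treated as internal; every other domain is external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule recipients look like '"Name" [SMTP:user@example.com]'; mailbox
    # forwarding addresses look like 'smtp:user@example.com'. Extract the address.
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $Recipient }
    $domain = ($addr -split '@')[-1].ToLower()
    return -not ($internal -contains $domain)
}

$findings = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (requires admin rights, so any hit is worth review,
#    whether the target is internal or external).
foreach ($m in $mailboxes) {
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) {
        $target = if ($m.ForwardingSmtpAddress) { $m.ForwardingSmtpAddress } else { $m.ForwardingAddress }
        $findings += [pscustomobject]@{
            Mailbox = $m.PrimarySmtpAddress; Source = 'MailboxForwarding'; Rule = ''
            Target  = "$target"; KeepCopy = $m.DeliverToMailboxAndForward
        }
    }
}

# 2. Enabled inbox rules that forward or redirect to an external address. These
#    need only the user's own credentials, which is the persistence case above.
foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.PrimarySmtpAddress |
      Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) } |
      ForEach-Object {
        $rule = $_
        foreach ($t in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
            if ($t -and (Test-ExternalRecipient "$t")) {
                $findings += [pscustomobject]@{
                    Mailbox = $m.PrimarySmtpAddress; Source = 'InboxRule'; Rule = $rule.Name
                    Target  = "$t"; KeepCopy = $null
                }
            }
        }
      }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Compare each hit against the legitimate cases listed under Possible Root Causes (assistants, service-account owners, leave of absence) before treating it as exfiltration.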