M365 Suspicious Mail Forwarding
Detection overview
Triggers
- Mail forwarding which may be used as a collection or exfilltration channel for an adversary has been observed.
Possible Root Causes
- An external attacker has established persistent access to contents of a specfic mailbox without the need to otherwise maintain any kind of persistence through installing software.
- Employee life-cycle activities such as a permanent separation or a temporary leave of absence may legitimately require mailbox modifications which could triggering this detection.
- Emails belonging to executives may be forwarded to their associated administrative assistants.
- Emails for service accounts may be forwarded to the staff members who manage those services.
Business Impact
- Attackers who have gained persistence through the email systems may passively collect and exlfiltrate data.
- Sensitive business information often resides in email systems and may be leaked through e-mail theft.
Steps to Verify
- Verify if sensitive data has been unintentionally forwarded using this feature.
M365 Suspicious Mail Forwarding
Possible root causes
Malicious Detection
Benign Detection
M365 Suspicious Mail Forwarding
Example scenarios
M365 Suspicious Mail Forwarding
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Suspicious Mail Forwarding
Steps to investigate
M365 Suspicious Mail Forwarding
Related detections
No items found.