M365 Suspicious Mail Forwarding
Detection overview
The "M365 Suspicious Mail Forwarding" detection identifies instances where email forwarding rules have been created or modified in ways that deviate from normal usage patterns. This detection helps security teams identify potential data exfiltration or the misuse of email forwarding to evade security controls and maintain access to sensitive communication.
Triggers
- Mail forwarding which may be used as a collection or exfilltration channel for an adversary has been observed.
Possible Root Causes
- An external attacker has established persistent access to contents of a specfic mailbox without the need to otherwise maintain any kind of persistence through installing software.
- Employee life-cycle activities such as a permanent separation or a temporary leave of absence may legitimately require mailbox modifications which could triggering this detection.
- Emails belonging to executives may be forwarded to their associated administrative assistants.
- Emails for service accounts may be forwarded to the staff members who manage those services.
Business Impact
- Attackers who have gained persistence through the email systems may passively collect and exlfiltrate data.
- Sensitive business information often resides in email systems and may be leaked through e-mail theft.
Steps to Verify
- Verify if sensitive data has been unintentionally forwarded using this feature.
M365 Suspicious Mail Forwarding
Possible root causes
Malicious Detection
Attackers who have compromised an account often set up forwarding rules to collect incoming emails, exfiltrate sensitive communications, or prevent security alerts from being noticed. This method is particularly effective for long-term data theft as it operates passively and may go unnoticed.
Benign Detection
Legitimate use cases include forwarding emails for business continuity, such as executives redirecting emails to assistants or service accounts forwarding communications to support teams. While these are valid activities, they can sometimes trigger the detection if the behavior is new or unusual.
M365 Suspicious Mail Forwarding
Example scenarios
1. Unauthorized data exfiltration via forwarding rule
An attacker compromises an employee's account and sets a rule to forward all emails containing specific keywords (e.g., "contract" or "confidential") to an external address.
2. Legitimate rule for administrative tasks
An executive forwards emails to their assistant for better task management, but the rule's sudden creation flags an alert for review.
M365 Suspicious Mail Forwarding
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data exfiltration risk
Unauthorized forwarding can result in the leakage of sensitive communications, exposing the organization to data loss and competitive risks.
Compromise of confidentiality
Forwarded emails often contain internal discussions, business strategies, or customer details, all of which could be exploited if exposed externally.
Security alert evasion
Malicious forwarding rules can block alerts or notifications, delaying the detection of breaches and increasing the scope of potential damage.
M365 Suspicious Mail Forwarding
Steps to investigate
Validate new forwarding rules
Review the forwarding rules' recipients and actions to determine if they align with business needs and policies.
Analyze associated account activity
Check for signs of compromise, such as logins from unusual locations or unexpected changes to account settings.
Verify with the account owner
Contact the user to confirm if the new forwarding rules were intentionally created and are legitimate.
Monitor for additional anomalies
Look for other suspicious activities from the same account, such as unauthorized access to files or data.
M365 Suspicious Mail Forwarding
Related detections
FAQs
What types of forwarding rules are suspicious?
Rules redirecting emails to unknown, external, or untrusted addresses are often flagged.
Can legitimate forwarding trigger this detection?
Yes, especially if the forwarding pattern or destination is new or uncommon for the organization.
How do attackers benefit from forwarding emails?
It allows attackers to passively collect sensitive information, remain hidden, and potentially intercept security alerts.
Can forwarding rules bypass email encryption?
Yes, forwarded emails are often decrypted during transmission, exposing sensitive data.
What logs can help investigate this activity?
Microsoft 365 audit logs provide details on rule creation, modifications, and associated account activities.
How can I differentiate malicious from benign activity?
Reviewing the context, such as the recipient's trust level and the account's recent behavior, can help determine intent.
What should I do if malicious forwarding is confirmed?
Immediately disable the rule, investigate the compromised account, and notify affected parties.
Are there automated tools to detect malicious forwarding?
Many security solutions, including Microsoft 365 Defender, offer automated rule monitoring and alerting. Vectra AI complements Microsoft 365 Defender by providing advanced AI-driven detection, cross-environment attack correlation, and prioritized threat insights, enabling holistic security coverage and deeper visibility into sophisticated or hidden threats.
Should I block all external forwarding?
Restricting external forwarding to trusted domains or requiring approvals can mitigate risks without hampering legitimate use.
Are forwarded emails always saved in Sent Items?
No, some forwarding rules bypass Sent Items, making tracking difficult without dedicated monitoring.