Mail forwarding that may be used as a collection or exfiltration channel by an adversary has been observed.
Possible Root Causes
An external attacker has established persistent access to the contents of a specific mailbox without needing to maintain any other form of persistence, such as installing software.
Employee life-cycle activities, such as a permanent separation or a temporary leave of absence, may legitimately require mailbox modifications that could trigger this detection.
Emails belonging to executives may be forwarded to their associated administrative assistants.
Emails for service accounts may be forwarded to the staff members who manage those services.
Business Impact
Attackers who have gained persistence through the email system may passively collect and exfiltrate data.
Sensitive business information often resides in email systems and may be leaked through e-mail theft.
Steps to Verify
Verify whether sensitive data has been forwarded, intentionally or not, through this forwarding configuration.
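As an added example (not part of the original detection description), the following Exchange Online PowerShell enumerates mailbox-level forwarding and user-created inbox rules that forward or redirect mail, so the results can be compared against the legitimate cases listed above. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can read recipient and inbox-rule configuration.

```powershell
# Added example: list forwarding configuration across an M365 tenant.
# Assumes ExchangeOnlineManagement is installed and the account can read
# recipient and inbox-rule settings (e.g. View-Only Recipients or higher).
Connect-ExchangeOnline

# Every accepted domain of the tenant is treated as internal.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # ForwardingSmtpAddress is stored as "smtp:user@domain"; strip the prefix.
    $addr   = $Address -replace '^smtp:', ''
    $domain = ($addr -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

# 1. Mailbox-level forwarding (set by an admin or through mailbox settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        [PSCustomObject]@{
            Mailbox                    = $_.UserPrincipalName
            ForwardingSmtpAddress      = $_.ForwardingSmtpAddress
            ForwardingAddress          = $_.ForwardingAddress
            DeliverToMailboxAndForward = $_.DeliverToMailboxAndForward
            ExternalTarget             = Test-ExternalAddress $_.ForwardingSmtpAddress
        }
    } | Format-Table -AutoSize

# 2. Inbox rules that forward, forward-as-attachment, or redirect mail.
$mailboxes | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            [PSCustomObject]@{
                Mailbox = $upn
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = ($targets -join '; ')
            }
        }
} | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so the second pass is slow on large tenants; restrict $mailboxes to the mailboxes named in the alert when triaging a single detection. Entries whose targets are assistants of executives or the owners of a service account match the benign cases above, while forwarding to an address outside the accepted domains warrants a closer look at the mailbox audit log.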
M365 Suspicious Mail Forwarding