Adversarial Email forward rules

Affects:

Microsoft 365

Severity:

HIGH

Productivity Impact:

LOW

Fix Estimate:

10 minutes

Automatically protected by:

PREMIUM

Research:

Summary:

Adversaries set up forwarding rules on your users' email inboxes to exfiltrate sensitive data and as a form of insurance in case they lose access to their victim's email account.

Remediation details

Check forwarding reports


  1. Navigate to https://admin.exchange.microsoft.com

  2. Click on Reports > Mail Flow

  3. Click on Auto forwarded message report

  4. Review all forwarding rules for suspicious email recipients
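
The same review can be scripted. The following is an added example, not part of the original page: it lists mailbox-level forwarding and forwarding inbox rules through Exchange Online PowerShell and flags recipients outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module is installed and that you sign in with an Exchange admin account; treating every non-accepted domain as "external" is this example's own heuristic for what to review first.

```powershell
# Added example: inventory forwarding targets and flag external recipients.
# Assumes the ExchangeOnlineManagement module and an Exchange admin sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Domains the tenant owns; any other recipient domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalRecipient([string]$Recipient) {
    # Targets appear as 'smtp:user@domain' or '"Name" [SMTP:user@domain]'.
    if ($Recipient -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') {
        return $internalDomains -notcontains $Matches[2]
    }
    return $false   # no SMTP address present, e.g. an internal directory recipient
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1) Forwarding configured on the mailbox itself
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'Mailbox forwarding'
            Rule     = ''
            Target   = [string]$mbx.ForwardingSmtpAddress
            External = Test-ExternalRecipient $mbx.ForwardingSmtpAddress
        }
    }
    # 2) Inbox rules that forward, forward as attachment, or redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) +
                   @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($target in $targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = 'Inbox rule'
                Rule     = $rule.Name
                Target   = [string]$target
                External = Test-ExternalRecipient $target
            }
        }
    }
}

# External targets first; each one needs an owner who can explain it.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Rows with `External` set to `True` are the ones to confirm with the mailbox owner before removing the rule or the mailbox forwarding setting.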







