External Email Forwarding Rules: Data Exfiltration & Persistence Risk

Why this risk matters

External email forwarding at the mailbox level is one of the most durable post-compromise persistence techniques available to an attacker. Unlike inbox rules, which are created within a user's client, mailbox-level SMTP forwarding is configured directly on the Exchange mailbox object — meaning it forwards a copy of every message silently, regardless of what email client the user is using, and continues operating after the user changes their password or re-enrolls in MFA.

Overe monitors for external forwarding at both the mailbox level (ForwardingAddress and ForwardingSmtpAddress settings) and the tenant level (the Exchange organisation-wide external forwarding policy). Both can be used to establish persistent exfiltration channels. Tenant-level settings that allow unrestricted external forwarding represent a configuration risk even without an active forwarding address in place, because they enable forwarding to be created by any compromised account without administrative approval.

Because this forwarding operates at the Exchange server level — not in the inbox rule engine — it is often overlooked in incident response. Analysts who check inbox rules and find nothing may miss an SMTP forwarding address configured directly on the mailbox. Overe surfaces both.

Forwarding rules affecting individual user mailboxes — particularly those forwarding to consumer domains, unknown addresses, or domains registered recently — carry the highest risk. Forwarding from shared or service mailboxes to known business systems carries lower risk but still requires documentation and review.

What happens if this is abused

  • Every email received by a compromised mailbox — including password reset requests, MFA verification codes, internal communications, and financial notifications — is forwarded to an attacker-controlled address in real time
  • Forwarding continues operating after the user resets their password and re-enrolls in MFA, because it is a server-side setting not tied to an active session
  • Business email compromise: attacker uses forwarded email to monitor billing workflows, supplier communications, and payment instructions before inserting themselves at the right moment
  • Security notifications — alerts about suspicious sign-ins, admin portal access, or policy changes — are forwarded to the attacker before the legitimate user sees them
  • An insider sets up forwarding before departing to build an ongoing archive of business communications at their new employer
  • Forwarding used alongside mailbox audit bypass to hide the evidence — the attacker disables mailbox auditing to prevent the forwarding activity from appearing in Microsoft Purview logs
  • Attacker registers a lookalike domain and receives forwarded mail while appearing to be a legitimate domain to basic email security checks
  • Data subject to GDPR or other regulatory obligations leaves the organisation without authorisation, constituting a notifiable breach

When this is expected or acceptable

Mailbox-level SMTP forwarding is legitimate in specific, documented scenarios. Shared mailboxes forwarding to ticketing platforms, monitoring systems, or helpdesk tools are a common and appropriate use. Shared service mailboxes used for billing, operations, or vendor communications forwarding to a documented external system are acceptable with a named owner and regular review.

Forwarding from individual user mailboxes to external addresses is far less commonly legitimate and warrants closer scrutiny. The most common legitimate case is temporary forwarding during a leave of absence or role transition — but this should be explicitly documented, time-limited, and destination-verified.

Any forwarding rule that sends mail to a consumer domain (Gmail, Outlook.com, Yahoo), an unknown external domain, or an address that cannot be attributed to a known business system should be treated as suspicious until a named owner confirms it intentionally.

Checks to perform before taking action

Before modifying or removing any external forwarding configuration:

  • Confirm whether the forwarding is configured at the mailbox level (ForwardingSmtpAddress) or via an inbox rule — both can exist simultaneously
  • Check whether the mailbox is a user mailbox, shared mailbox, or service mailbox, as the risk and legitimate use cases differ
  • Identify who configured the forwarding and when — compare against the mailbox owner's sign-in history for anomalies around that date
  • Validate whether the destination address maps to a known and documented business system or partner
  • Check the tenant-level External Email Forwarding policy in the Exchange admin centre — confirm whether the organisational setting allows automatic external forwarding or restricts it
  • Review the same mailbox for inbox forwarding rules and mailbox audit bypass settings, as these are commonly created together with server-level forwarding in post-compromise scenarios
  • Review the mailbox owner's recent sign-in activity in Overe for unfamiliar IPs, devices, or locations around the time the forwarding was created
  • Confirm with the mailbox owner or their manager whether the forwarding was intentionally set up for a known purpose

Safe remediation steps

  1. Use Overe to identify all mailboxes in the tenant with active external forwarding configured, and sort by destination domain to identify consumer or unknown destinations first
  2. Review the tenant-level External Email Forwarding policy in Exchange admin centre — if it is set to allow automatic forwarding, consider restricting it to prevent future forwarding without explicit admin approval
  3. For suspicious forwarding rules, disable the ForwardingSmtpAddress setting on the mailbox before investigating further — disabling is reversible, deletion is harder to audit
  4. If compromise is suspected, also check for inbox-level forwarding rules, mailbox delegation changes, and audit bypass settings on the same mailbox
  5. Enforce MFA and rotate credentials for the affected account where compromise is indicated
  6. Review the mailbox's sent items and access logs for the period the forwarding was active to understand the scope of data that may have been exfiltrated
  7. Where data has been forwarded to an unknown destination over an extended period, assess whether the content includes personal data subject to GDPR — if so, a breach notification assessment may be required
  8. Remove the forwarding configuration only after investigation is complete, to preserve audit evidence during the review

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Disable Direct Send functionality — Disables Direct Send functionality to prevent email spoofing via unauthenticated SMTP.
  • Mark certain file extensions as malware threat — Manages an Anti-Malware Email Threat Policy that specifies file types to look for in attachments and the desired outcome for emails containing them.

Supporting documentation

Related risks and follow-on checks

After investigating an external email forwarding alert, review these related risk areas:

  • Risky Inbox Forwarding Rules — mailbox-level SMTP forwarding and inbox-level forwarding rules are often created together in post-compromise scenarios; check for both
  • Suspicious Inbox Rules — hiding or deleting incoming messages is a common companion tactic alongside forwarding, used to prevent the user from noticing security notifications
  • Mailbox Audit Bypass — attackers frequently disable mailbox audit logging at the same time as setting up forwarding to hide the exfiltration activity from Purview searches
  • Transport Rule Changed — organisation-wide transport rules can also be used to silently BCC all outbound mail to an external address; review alongside mailbox-level forwarding
  • Mailbox Delegation Risk — full-access delegation is another persistence mechanism; check whether any delegation was added at the same time as the forwarding
  • Users with Risky MFA Settings — mailboxes with forwarding configured and weak MFA are at higher risk of the forwarding being attacker-created rather than user-created
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.