External email forwarding at the mailbox level is one of the most durable post-compromise persistence techniques available to an attacker. Unlike inbox rules, which are created within a user's client, mailbox-level SMTP forwarding is configured directly on the Exchange mailbox object — meaning it forwards a copy of every message silently, regardless of what email client the user is using, and continues operating after the user changes their password or re-enrolls in MFA.
Overe monitors for external forwarding at both the mailbox level (ForwardingAddress and ForwardingSmtpAddress settings) and the tenant level (the Exchange organisation-wide external forwarding policy). Both can be used to establish persistent exfiltration channels. Tenant-level settings that allow unrestricted external forwarding represent a configuration risk even without an active forwarding address in place, because they enable forwarding to be created by any compromised account without administrative approval.
Because this forwarding operates at the Exchange server level — not in the inbox rule engine — it is often overlooked in incident response. Analysts who check inbox rules and find nothing may miss an SMTP forwarding address configured directly on the mailbox. Overe surfaces both.
Forwarding rules affecting individual user mailboxes — particularly those forwarding to consumer domains, unknown addresses, or domains registered recently — carry the highest risk. Forwarding from shared or service mailboxes to known business systems carries lower risk but still requires documentation and review.
Mailbox-level SMTP forwarding is legitimate in specific, documented scenarios. Shared mailboxes forwarding to ticketing platforms, monitoring systems, or helpdesk tools are a common and appropriate use. Shared service mailboxes used for billing, operations, or vendor communications forwarding to a documented external system are acceptable with a named owner and regular review.
Forwarding from individual user mailboxes to external addresses is far less commonly legitimate and warrants closer scrutiny. The most common legitimate case is temporary forwarding during a leave of absence or role transition — but this should be explicitly documented, time-limited, and destination-verified.
Any forwarding rule that sends mail to a consumer domain (Gmail, Outlook.com, Yahoo), an unknown external domain, or an address that cannot be attributed to a known business system should be treated as suspicious until a named owner confirms it intentionally.
Before modifying or removing any external forwarding configuration:
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
Microsoft: Control automatic external email forwarding in Microsoft 365 - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding
Microsoft: Configure email forwarding for a mailbox - https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding
Microsoft: Responding to a compromised email account in Office 365 - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account
Microsoft: Enable or disable mailbox audit logging - https://learn.microsoft.com/en-us/purview/audit-mailboxes
After investigating an external email forwarding alert, review these related risk areas: