External Email Forwarding Rules: Data Exfiltration & Persistence Risk

Why this risk matters

External email forwarding rules are a common technique used after account compromise to exfiltrate data and maintain persistence. Once created, these rules silently forward mail outside the organisation without requiring further user interaction and often remain in place long after the initial breach.

Overe identifies external forwarding rules by continuously monitoring Exchange configuration and mail flow signals. This provides visibility into forwarding behaviour that is frequently overlooked during routine security reviews and incident response.

Forwarding rules affecting user mailboxes — especially those forwarding to consumer or unknown external domains — represent a materially higher risk than rules applied to shared or system mailboxes.

What happens if this is abused

  • Sensitive internal emails are copied to attacker-controlled inboxes
  • Forwarding continues even after password resets or MFA enforcement
  • Business communications leak without triggering endpoint or sign-in alerts
  • Attackers retain access without needing to log in again

Because forwarding operates at the mail flow level, it often bypasses controls designed to protect interactive sign-ins.

When this is expected or acceptable

External forwarding can be legitimate in controlled scenarios, including:

  • Shared mailboxes forwarding to ticketing, alerting, or monitoring platforms
  • Documented workflows involving approved third-party vendors
  • Temporary coexistence during migrations

Legitimate rules are typically:

  • domain-specific
  • documented
  • tied to shared or service mailboxes rather than individual users

Any forwarding rule without a clear business owner should be treated as suspicious until verified.

Checks to perform before taking action

Before modifying or removing any forwarding rule:

  • Confirm whether the mailbox is shared, service-based, or user-owned
  • Identify when the rule was created and who created it
  • Validate whether the destination address maps to a known business system
  • Review recent sign-in activity, risky sign-in alerts, and OAuth consent events for the mailbox owner in Overe Alerts
  • Use Overe’s visibility to check whether related risks (e.g. risky apps, MFA gaps) are also present

These checks help distinguish compromise from misconfiguration.

Safe remediation steps

  1. Run an Overe "Deep Scan" to confirm the scope and visibility of all external forwarding rules across the tenant
  2. Validate legitimacy with the customer or mailbox owner before making changes
  3. If suspicious, disable the forwarding rule first rather than deleting it
  4. Investigate the mailbox for additional indicators of compromise such as any other associated Alerts in Overe
  5. Enforce MFA and rotate credentials where compromise is suspected
  6. Remove the rule once business impact and legitimacy are fully understood
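The checks above and remediation steps 1 to 4, as an added example that is not Overe's own code: an Exchange Online PowerShell script that lists every external forwarding target in the tenant (mailbox-level forwarding and inbox rules), ranks user mailboxes forwarding to consumer domains highest, pulls the audit trail for who created the rule and when, and disables rather than deletes the high-risk rules. It assumes the ExchangeOnlineManagement module is installed, the account holds Exchange admin rights, and the consumer-domain list is a constructed starting point.

```powershell
# Added example (not Overe's code): list external forwarding in an Exchange Online tenant,
# rank it the way the article does, trace who set it up, and disable (never delete) a rule.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline -ShowBanner:$false

$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }
# Constructed list of consumer domains that rarely map to an approved business system.
$consumer = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com', 'icloud.com', 'proton.me')

function New-Finding($mbx, $source, $rule, [string]$addr) {
    $domain = $addr.Split('@')[-1]
    if ($internal -contains $domain) { return }          # internal target: not in scope
    $risk = if ($mbx.RecipientTypeDetails -eq 'UserMailbox') {
                if ($consumer -contains $domain) { 'High' } else { 'Medium' } } else { 'Review' }
    [pscustomobject]@{ Mailbox = "$($mbx.PrimarySmtpAddress)"; Type = "$($mbx.RecipientTypeDetails)"
                       Source = $source; Rule = $rule; Target = $addr; Risk = $risk }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (Set-Mailbox); ForwardingAddress is always an internal recipient, so skip it.
    if ($mbx.ForwardingSmtpAddress) {
        New-Finding $mbx 'MailboxForwarding' $null (("$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', '').ToLower())
    }
    # Inbox rules: targets look like '"Name" [SMTP:user@domain]'; legacy-DN ([EX:...]) targets are internal.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ("$t" -match 'SMTP:([^\]]+)') { New-Finding $mbx 'InboxRule' "$($rule.Identity)" ($Matches[1].ToLower()) }
        }
    }
}
$findings | Sort-Object Risk, Mailbox | Format-Table -AutoSize

if ($findings) {
    # When was the rule created and by whom: admin audit records for the flagged mailboxes (last 90 days).
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 1000 `
        -UserIds ($findings.Mailbox | Select-Object -Unique) `
        -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox |
        Select-Object CreationDate, UserIds, Operations,
            @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } | Format-Table -AutoSize

    # Step 3: disable, don't delete. -WhatIf previews the change; drop it only after legitimacy is ruled out.
    $findings | Where-Object { $_.Source -eq 'InboxRule' -and $_.Risk -eq 'High' } | ForEach-Object {
        Disable-InboxRule -Identity $_.Rule -Mailbox $_.Mailbox -Confirm:$false -WhatIf
    }
}
```

Get-Mailbox with -ResultSize Unlimited walks every mailbox, so in a large tenant scope it with -Filter or -RecipientTypeDetails first; a rule whose target is a shared or service mailbox still lands in the Review bucket and needs the business-owner check above before anything is disabled.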

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to safely complete the action.

Supporting documentation

  • Microsoft: Manage inbox rules in Exchange Online - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules
  • Related risks and follow-on checks