Adversarial email forwarding rules

Adversaries set up forwarding rules on your users' email inboxes to exfiltrate sensitive data, and as a form of insurance in case they lose access to the victim's email account.

Research:

https://redcanary.com/blog/email-forwarding-rules/

Summary:

After compromising a mailbox (typically through phishing or stolen credentials), an adversary creates a rule that silently forwards or redirects mail to an external address they control. The rule can live in three places: an inbox rule on the mailbox, the mailbox's own forwarding setting, or a tenant-wide transport (mail flow) rule. Because the rule runs server-side, it keeps delivering mail even after the password is reset or the session is revoked, so it works both as an exfiltration channel and as insurance against losing access. Users rarely review their own rules, so such forwarding can go unnoticed for a long time.

Remediation details:

Overe monitors for forwarding and transport rules in two ways:

As part of the Assess 'Deep Scan' you can run on your tenant here, which gives a point-in-time inventory of the rules that already exist.

In real time, as the alert activity 'External Email Forwarding Enabled', so that potentially malicious forwarding rules added later are flagged as they appear.


You can also run a manual report in the Microsoft Exchange admin center:

Check forwarding reports

  1. Navigate to https://admin.exchange.microsoft.com
  2. Click on Reports > Mail flow
  3. Click on Auto forwarded messages report
  4. Review the forwarding destinations for suspicious or unexpected external recipients
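The Auto forwarded messages report only lists messages that have already been forwarded; a rule that has not fired yet does not show up. The script below is an added example, not Overe's code or Microsoft's, that enumerates all three forwarding locations described above (mailbox forwarding settings, inbox rules and transport rules) with Exchange Online PowerShell and reports any destination outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds at least the View-Only Recipients role; the cmdlets and property names are real, while the external-domain test and the output shape are this script's own choices.

```powershell
# Added example (not Overe's or Microsoft's code): inventory external email forwarding
# in an Exchange Online tenant. Assumes the ExchangeOnlineManagement module and an
# account with at least the View-Only Recipients role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Any destination whose domain the tenant does not own counts as external.
$accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    # Inbox-rule recipients look like '"Name" [SMTP:user@example.net]';
    # mailbox forwarding looks like 'smtp:user@example.net' or a bare address.
    if ($Address -match '(?i)smtp:([^\]\s>]+)') { $Address = $Matches[1] }
    # Legacy-DN targets ('EX:/o=...') carry no '@' and are internal recipients.
    if ($Address -notmatch '@') { return $false }
    $domain = $Address.Split('@')[-1].Trim(']').ToLower()
    return ($accepted -notcontains $domain)
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Mailbox, $Rule, $Target, $Enabled) {
    $findings.Add([pscustomobject]@{
        Source = $Source; Mailbox = $Mailbox; Rule = $Rule; Target = $Target; Enabled = $Enabled })
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (ForwardingSmtpAddress is a raw SMTP address;
#    ForwardingAddress points at a tenant recipient, e.g. a mail contact).
foreach ($mbx in $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }) {
    $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else {
        (Get-Recipient -Identity "$($mbx.ForwardingAddress)" -ErrorAction SilentlyContinue).PrimarySmtpAddress
    }
    if (Test-ExternalAddress "$target") {
        Add-Finding 'MailboxForwarding' $mbx.UserPrincipalName '(mailbox setting)' "$target" $true
    }
}

# 2. Inbox rules: the classic post-phishing persistence. One call per mailbox,
#    so this step is slow on large tenants.
foreach ($mbx in $mailboxes | Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' }) {
    $upn = $mbx.UserPrincipalName
    Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule = $_
            @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { Test-ExternalAddress "$_" } |
                ForEach-Object { Add-Finding 'InboxRule' $upn $rule.Name "$_" ([bool]$rule.Enabled) }
        }
}

# 3. Transport (mail flow) rules: tenant-wide redirect, BCC or added recipients.
Get-TransportRule | ForEach-Object {
    $tr = $_
    @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.CopyTo) + @($tr.AddToRecipients) |
        Where-Object { Test-ExternalAddress "$_" } |
        ForEach-Object { Add-Finding 'TransportRule' '(tenant-wide)' $tr.Name "$_" ($tr.State -eq 'Enabled') }
}

$findings | Sort-Object Source, Mailbox | Format-Table -AutoSize

# Tenant-wide control: 'Off' blocks automatic forwarding to external domains,
# 'On' allows it, 'Automatic' leaves the decision to Microsoft's default.
"AutoForwardingMode: " + (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode

Disconnect-ExchangeOnline -Confirm:$false
```

Treat every row as a lead rather than a verdict: a forwarding rule to a personal address set up by the user is a policy violation, not necessarily a compromise, while a rule whose name is blank, a single character, or that also deletes or marks messages as read is a strong sign of attacker activity. The final line is the check worth running after any remediation; with AutoForwardingMode set to Off in the outbound spam filter policy, forwarding rules to external domains still exist but no longer deliver.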


Severity: HIGH

Productivity Impact: LOW

Fix Estimate: Protected by Overe