365 Email Rule containing a forward

Title of the alert: “Email Rule containing a forward”

Description: Alerts when an inbox email rule containing a forward is located, and the domain of the external forward is not one of the locally validated domains (ie, to an external location).


  • It is possible to ignore specific users
  • It is possible to alert on internal destinations if required

The problem: This alert is triggered when a forward option is located in a standard email rule. It is important to note that not all email forwarders are picked up via this check.

Impact: If it was inserted maliciously, then all emails could be ‘copied’ to an external address, resulting in a data breach.

Suggested steps: Engage a technician to confirm that the alert is accurate, and if so then the technician should suggest and undertake suitable mitigation steps to remedy the situation, including password changes and review of all email forwarding rules.