
Investigating “365 Alert Policy: Creation of forwarding/redirect rule” findings

Overview

This guide contains tips for investigating “365 Alert Policy: Creation of forwarding/redirect rule” findings. It includes background information about the detection, where to find the details of the rule that was created, and options for limiting users' ability to create risky inbox rules in the future.

Events that can trigger “Creation of forwarding/redirect rule” findings

There are several scenarios that lead to a forwarding or redirect rule finding. Below are the common cases and the considerations for investigating each.

New user mailbox setup
  A new user mailbox has been set up within your M365 tenant. As part of setting up the mailbox, the user may be configuring rules to support their standard workflows. Confirm the rule's destination is a mailbox the user would legitimately send to (for example their own shared or departmental mailbox, not an external address).

Automated service or tool configuration
  A new service, tool, or automation is being configured on a mailbox. Part of the service's workflow may be to have forwarding rules put in place to move email messages to the proper locations. Confirm with the owner of the service that the rule was expected and that the destination is the service's intended mailbox.

User mailbox re-configuration
  If a mailbox was recently reconfigured by an administrator, all of the previously created rules may have been deleted. The owner of the mailbox may be re-creating the rules that were already in place as part of their standard workflows. The earlier versions of the rules should appear in the audit log before the reconfiguration.

User account compromise
  The account has been compromised and the attacker is creating inbox rules to forward or redirect mail to a mailbox they control, or to hide messages (for example security notifications, bounce messages, or replies to phishing sent from the account) so the owner does not notice the activity. Rules that forward to an external address, delete or mark messages as read, or have a generic name (a single character, a period, or an innocuous-sounding word) are strong indicators. Review the sign-in logs for the account alongside the rule creation.

False positive
  While this is very unlikely, as the finding only triggers if a rule is actually created and saved, the rule may have been created and then deleted immediately. This would explain why, upon review of the mailbox, an administrator found no active rules. Log review should still be completed to determine all actions taken on the mailbox, because a rule that was created and quickly removed is exactly what an attacker testing access looks like.

Investigating the new inbox rule

The creation of a new inbox rule will trigger a finding for your organization if the rule automatically forwards or redirects messages to a different mailbox. The policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. Rules created from the Outlook desktop client, and mailbox-level forwarding set by an administrator rather than an inbox rule, do not trigger this particular policy, so the absence of a finding is not proof that no forwarding is in place.

These alerts are generated directly by Microsoft 365 and surfaced in the Microsoft 365 compliance portal. Unfortunately, there is not much detailed information in the log Blumira receives via your Microsoft 365 Cloud Connector, so the quickest way to review the details for this event (the rule name, its actions, and the destination address) is to navigate to the Alerts page in the compliance portal and review the open alerts.

You can also use the Blumira Report Builder to see the new inbox rules in your logs. 

To review every Inbox Rule action that has been completed on the mailbox over the past 30 days, do the following:

  1. In Blumira, navigate to Reporting > Report Builder.
  2. Click View All Saved Reports.
  3. Search for and select the Microsoft 365: Forwarding Rule Activity Previous 30 Days global report.
  4. Click Edit Report.
  5. Click Add Filter and add a filter to the report where user Equals the username of the mailbox.
  6. Click Submit.
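When you have direct access to the tenant, the same review can be done from Exchange Online PowerShell, which also shows rules and audit records that are not reported by this alert policy (rules created in the Outlook desktop client and mailbox-level forwarding). The following is an added example, not Blumira's or Microsoft's code. It assumes the ExchangeOnlineManagement module is installed, that the account used holds a role that can read the unified audit log, and that $Mailbox (a placeholder address) is the mailbox named in the finding.

```powershell
# Added example (not Blumira's or Microsoft's code). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can read the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Mailbox = 'user@example.com'   # placeholder: the mailbox named in the finding

# 1. Inbox rules on the mailbox right now that move mail somewhere else.
#    DeleteMessage and MarkAsRead are included because attackers pair them with forwarding to hide replies.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead

# 2. Mailbox-level forwarding set with Set-Mailbox. This is not an inbox rule and does not
#    trigger this alert policy, so check it explicitly.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Every inbox-rule operation in the last 30 days from the unified audit log, including
#    rules that were created and then deleted (the "false positive" scenario above).
#    UpdateInboxRules is the operation logged for rules created from the Outlook desktop client;
#    its AuditData has a different layout, so it is listed here without parameter parsing.
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date
$Ops   = 'New-InboxRule', 'Set-InboxRule', 'Remove-InboxRule', 'Enable-InboxRule',
         'Disable-InboxRule', 'UpdateInboxRules'

# -UserIds matches the actor. An administrator creating a rule on someone else's mailbox is
# logged under the administrator's account, so drop -UserIds and filter on ObjectId if the
# finding names a mailbox but the owner did not sign in.
Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Mailbox -Operations $Ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        # For the *-InboxRule cmdlets, Parameters is an array of {Name, Value} pairs.
        $params = @($d.Parameters)
        $moving = $params | Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MarkAsRead' }
        [pscustomobject]@{
            When       = $_.CreationDate
            Operation  = $_.Operations
            Actor      = $d.UserId
            ClientIP   = $d.ClientIP
            Target     = $d.ObjectId
            RuleName   = ($params | Where-Object { $_.Name -eq 'Name' } | Select-Object -First 1).Value
            Forwarding = ($moving | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } |
    Sort-Object When |
    Format-Table -AutoSize
```

Compare the ClientIP values against the account's normal sign-in locations; a rule created from an IP that never appears in the user's sign-in history is the single most useful field in this output. Capture this output before removing any rules so the evidence is preserved.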

Limiting user inbox rules

There are several policy options available in Exchange Online to limit forwarding rules. These options help organizations maintain control over their email flow and reduce the security risks associated with automatic email forwarding. Below are the key policy options:

  • Transport Rules (mail flow rules):
    • Create a rule that matches messages of type Auto-Forward sent to recipients outside the organization and rejects them with an explanatory NDR, or redirects them to a moderator.
  • Remote Domain Settings:
    • Set Automatic forwarding (AutoForwardEnabled) to off on the Default remote domain, and on any other remote domains, so automatic forwards to those domains are dropped.
  • Outbound Spam Filter Policy:
    • Set Automatic forwarding rules to Off. This is the setting Exchange Online uses to control external auto-forwarding, and its default (Automatic - System-controlled) already blocks it; a separate policy scoped to a small group can allow it for approved users only.
  • Exchange Online PowerShell:
    • Use PowerShell cmdlets (for example Set-RemoteDomain, Set-HostedOutboundSpamFilterPolicy, and Set-Mailbox) to disable automatic forwarding for the entire organization or specific mailboxes, and to audit existing rules with Get-InboxRule.
  • Mailbox Forwarding Settings:
    • Review and clear the forwarding address on individual mailboxes, and restrict which administrators can set it.
  • Data Loss Prevention (DLP) Policies:
    • Create DLP policies to detect and prevent sensitive information from being forwarded outside the organization.
  • Azure AD Conditional Access (now Microsoft Entra Conditional Access):
    • Require MFA, a compliant device, or a trusted location for access to Exchange Online, so a stolen password alone cannot be used to sign in and create rules.
  • Role-Based Access Control (RBAC):
    • Limit which administrators can change remote domain, mail flow rule, anti-spam, and mailbox forwarding settings, so the controls above cannot be quietly undone.

To implement rule policies, do the following:

  1. Access the Microsoft 365 Admin Center or Exchange Admin Center.
  2. Navigate to the appropriate section (e.g., Mail Flow, Transport Rules, Remote Domains).
  3. Create or modify the rules and policies as needed.
  4. Test the policies to ensure they work as intended.
  5. Monitor and adjust the policies as necessary.
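The remote domain, outbound spam policy, transport rule, and mailbox forwarding options from the list above can all be applied and then tested from Exchange Online PowerShell. The following is an added example, not Blumira's or Microsoft's code. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Organization Management role, and that the mail flow rule name and the $Mailbox address are placeholders of our own.

```powershell
# Added example (not Blumira's or Microsoft's code). Assumes Exchange Online PowerShell
# with an account in the Organization Management role. Rule name and mailbox are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Step 1/2: record the current state so the change can be tested and, if needed, reverted.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# Remote domain settings: drop automatic forwards to any domain not covered by a more specific remote domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Outbound spam filter policy: explicitly turn external auto-forwarding off rather than
# relying on the system-controlled default, which could change.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Transport (mail flow) rule: reject auto-forwarded messages leaving the organization with an NDR
# that tells the user why, so the block is visible rather than a silent drop.
New-TransportRule -Name 'Block external auto-forward' `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted by policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Mailbox forwarding settings: clear mailbox-level forwarding on the mailbox from the finding.
$Mailbox = 'user@example.com'   # placeholder
Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Remove the forwarding/redirect inbox rules on that mailbox. Only do this after the rules have
# been exported (the investigation output above) so the evidence survives.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false

# Step 4: read the settings back and confirm they match what was set. Then send a test message to
# a mailbox with an inbox rule that forwards externally and confirm the sender receives the NDR.
Get-RemoteDomain -Identity Default | Select-Object Name, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object Name, AutoForwardingMode
Get-TransportRule -Identity 'Block external auto-forward' | Select-Object Name, State, Priority
Get-Mailbox -Identity $Mailbox | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Apply the three organization-wide settings together: the outbound spam policy is the control Exchange Online enforces for external auto-forwarding, the remote domain setting covers the older forwarding path, and the mail flow rule produces a visible rejection and an auditable rule hit. If a business unit genuinely needs external forwarding, scope a second outbound spam filter policy to that group with AutoForwardingMode On rather than relaxing the default for everyone.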