IT Operations & Cybersecurity Encyclopedia

Mailbox forwarding rule audit guide

Mailbox forwarding rules can be legitimate business tools, but unauthorized forwarding is also a common sign of mailbox compromise and data exposure. A strong audit reviews inbox rules, transport rules, external forwarding policy, audit logs, exceptions, and remediation evidence.

Inbox rulesExternal forwardingAudit logsCompromise indicatorsException evidence

Why it matters

Find risky forwarding before email leaves the organization

Attackers often create forwarding or redirect rules after compromising a mailbox so they can monitor conversations, steal invoices, intercept MFA messages, or support business email compromise.

A useful audit should review user-created inbox rules, admin-created transport rules, external forwarding settings, mailbox audit logs, suspicious names or hidden rules, and approved business exceptions.

This guide is operational planning guidance. It does not replace incident response, legal review, Microsoft support, eDiscovery, or a professional Microsoft 365 security assessment.

Practical rule: Every external forwarding rule should have a business owner, approval record, expiration date, data-risk review, monitoring evidence, and a documented removal path.

Review scope

Mailbox forwarding audit areas

Mailbox forwarding settings

Review forwarding SMTP address, deliver-and-forward behavior, owners, and business justification.

Inbox and redirect rules

Identify rules that forward, redirect, delete, hide, move, or mark messages to reduce user visibility.

Mail flow rules

Review transport rules that route messages externally, bypass controls, or create broad exceptions.

External forwarding control

Validate outbound spam policy, remote domains, tenant-wide restrictions, and approved exceptions.

Compromise evidence

Correlate rule changes with sign-ins, MFA status, risky IPs, audit events, and user reports.

Remediation and review

Remove unauthorized rules, secure accounts, document exceptions, and review recurring changes.

Review matrix

Mailbox forwarding rule audit matrix

AreaWhat to verifyQuestions to answerEvidence
Mailbox settingsReview forwarding address, deliver-and-forward setting, mailbox owner, department, and exception approval.Is mailbox-level forwarding approved and still needed?Mailbox export, owner approval, exception record, and review date.
Inbox rulesReview rules that forward, redirect, delete, move, hide, or mark messages as read.Could rules conceal or exfiltrate email?Inbox rule export, suspicious rule list, timestamps, and remediation tickets.
Transport rulesReview mail flow rules, external recipients, exceptions, priority, bypass behavior, and change history.Can any organization-wide rule send mail externally?Transport rule export, change log, exception list, and approval evidence.
Tenant controlsReview outbound spam policy, external forwarding setting, remote domains, and alerting.Is external auto-forwarding controlled at the tenant level?Policy export, blocked-forwarding samples, exception record, and alert samples.
Compromise checksReview audit logs, sign-ins, MFA status, risky IPs, mailbox alerts, and related suspicious activity.Was the forwarding created by the legitimate user or an attacker?Audit search, sign-in logs, alert timeline, investigation notes, and user confirmation.
RemediationReview rule removal, password reset, token revocation, MFA reset, device review, and notification.Were account and data exposure risks fully addressed?Remediation ticket, rule removal evidence, token/session action, and closure notes.

Step-by-step review

Mailbox forwarding rule audit runbook

1

Export forwarding settings

List mailbox forwarding addresses, deliver-and-forward settings, owners, departments, external domains, and approval status.

2

Review inbox rules

Identify forwarding, redirect, delete, move, hide, mark-as-read, and suspiciously named rules for every priority mailbox.

3

Review transport rules

Check mail flow rules for external recipients, broad scope, bypass conditions, exceptions, and recent changes.

4

Validate tenant controls

Confirm external forwarding policy, remote domain settings, outbound spam policy, and alerts for forwarding attempts.

5

Investigate suspicious findings

Correlate rule timestamps with audit logs, sign-ins, IP reputation, MFA status, device activity, and user confirmation.

6

Remediate and document

Remove unauthorized rules, secure accounts, revoke sessions, review mailbox content exposure, and record approved exceptions.

Common risks

Common mailbox forwarding audit gaps

Hidden exfiltration

Unauthorized forwarding can silently copy sensitive messages to an external address.

Rules that hide evidence

Move, delete, or mark-as-read rules can reduce the chance that users notice compromise.

Broad transport rules

Organization-wide mail flow rules can create larger exposure than a single mailbox rule.

No exception owner

Legitimate forwarding becomes risky when no owner, expiration, or business reason is recorded.

Missing audit correlation

Rule exports alone do not prove whether a rule was created during account compromise.

Incomplete remediation

Removing a rule is not enough if credentials, tokens, sessions, and MFA posture are not reviewed.

Related support

Where IT Perfection can help

IT Perfection can help organizations manage Microsoft 365 administration, mailbox security settings, user support, and email operations.

OC Security Audit can help investigate suspicious forwarding, business email compromise risk, Microsoft 365 security posture, and audit evidence.

Created by Ali Hassani, CISO

Professional Microsoft 365 mailbox security and audit support

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

Forwarding rules deserve regular inspection

A disciplined forwarding rule audit helps reduce business email compromise, data exposure, and hidden mailbox monitoring risk.

FAQ

Mailbox forwarding rule audit FAQ

Why audit mailbox forwarding rules?

Unauthorized forwarding and redirect rules are common after mailbox compromise and can expose sensitive business email.

What rules should be considered suspicious?

Rules that forward externally, redirect messages, delete mail, move mail to unusual folders, mark messages as read, or hide messages from the user should be reviewed.

Is removing the rule enough?

No. Review sign-ins, reset credentials if needed, revoke sessions, check MFA, inspect related activity, and determine whether email content was exposed.

What evidence should be kept?

Keep forwarding exports, inbox rule exports, transport rule exports, audit logs, sign-in logs, exception approvals, remediation tickets, and closure notes.