IT Operations & Cybersecurity Encyclopedia

Mailbox Forwarding Rule Audit Guide

Learn how to audit mailbox forwarding rules to detect business email compromise, data leakage, suspicious inbox rules, and unauthorized forwarding.

email forwarding audit, business email compromise, suspicious inbox rules, Microsoft 365 mailbox audit, Exchange Online forwarding

Forwarding Rules

Audit mailbox forwarding settings, inbox rules, hidden or suspicious rules, transport forwarding, and remote domain settings.

Attackers who gain mailbox access commonly create rules that forward invoices and payment threads to an external address, delete security alerts and password-reset notices before the owner sees them, or move incoming replies into folders nobody checks (RSS Feeds, Archive, Conversation History) so the fraud stays unnoticed.

IT Perfection treats mailbox forwarding rule audit as an operational control: document scope, assign owners, test changes, monitor results, and communicate business impact.

Mailbox forwarding
Inbox rules
Hidden rules
Delete or move rules
Transport forwarding
Remote domains
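The enumeration the section above describes, as an added example (not code from the original page): it lists mailbox-level forwarding and every inbox rule in the tenant, including hidden rules, and flags the patterns typical of business email compromise (external forward or redirect, delete, move to a rarely read folder, financial or security keywords, blank or punctuation-only names). It assumes Connect-ExchangeOnline has already been run with the View-Only Recipients role or higher; the output file name, the keyword list and the sample rule at the end are assumptions. One caveat a practitioner should know: Get-InboxRule -IncludeHidden returns hidden rules, but a rule whose provider property was deliberately tampered with may not be returned at all, and MFCMAPI is the fallback for those.

```powershell
# Added example, not code from the original page: enumerate mailbox-level forwarding and inbox
# rules in Exchange Online and flag the patterns seen in business email compromise.
# Assumes Connect-ExchangeOnline has been run with the View-Only Recipients role or higher.
# The output file name, the keyword list and the sample rule at the end are assumptions.

# Domains treated as internal: read from the tenant when connected, else a constructed sample so
# the classifier can be exercised offline.
$internalDomains = @()
if (Get-Command Get-AcceptedDomain -ErrorAction SilentlyContinue) {
    $internalDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLowerInvariant() })
}
if (-not $internalDomains) { $internalDomains = @('contoso.com') }   # constructed sample

function Test-ExternalRecipient {
    param([string]$Recipient)
    if ([string]::IsNullOrWhiteSpace($Recipient)) { return $false }
    # Rule recipients render as '"Display Name" [SMTP:user@domain]' or as a plain address.
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $Recipient = $Matches[1] }
    $domain = ($Recipient -split '@')[-1].ToLowerInvariant()
    return ($internalDomains -notcontains $domain)
}

function Get-RuleFindings {
    # Returns the reasons a rule looks suspicious, or an empty array for a benign rule.
    param([object]$Rule)
    $findings = @()
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) | Where-Object { $_ }
    foreach ($t in $targets) {
        if (Test-ExternalRecipient ([string]$t)) { $findings += "forwards or redirects externally to $t" }
    }
    if ($Rule.DeleteMessage) { $findings += 'deletes matching messages' }
    if ($Rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk') { $findings += "hides mail in $($Rule.MoveToFolder)" }
    if ($Rule.MarkAsRead) { $findings += 'marks as read' }
    $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
    if (($words -join ' ') -match 'invoice|payment|wire|bank|password|security|mfa|verif') {
        $findings += 'keys on financial or security keywords'
    }
    if ($Rule.Name -match '^\s*$|^[\.\-_,]+$') { $findings += 'blank or punctuation-only name' }
    return $findings
}

# Live enumeration: mailbox-level forwarding first, then every inbox rule, hidden ones included.
# A rule whose provider property was tampered with may not be returned at all; MFCMAPI is the fallback.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    $report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox) {
        $upn = $mbx.UserPrincipalName
        # ForwardingAddress needs admin rights; ForwardingSmtpAddress can be set by the user (or an attacker) in OWA.
        foreach ($prop in 'ForwardingAddress', 'ForwardingSmtpAddress') {
            if ($mbx.$prop) {
                [pscustomobject]@{ Mailbox = $upn; Source = 'Mailbox'; Rule = $prop; Target = [string]$mbx.$prop
                                   KeepCopy = $mbx.DeliverToMailboxAndForward; Findings = 'mailbox-level forwarding set' }
            }
        }
        foreach ($rule in Get-InboxRule -Mailbox $upn -IncludeHidden -ErrorAction SilentlyContinue) {
            $f = Get-RuleFindings -Rule $rule
            if ($f) {
                [pscustomobject]@{ Mailbox = $upn; Source = 'InboxRule'; Rule = $rule.Name
                                   Target = ((@($rule.ForwardTo) + @($rule.RedirectTo)) -join '; ')
                                   KeepCopy = $null; Findings = ($f -join '; ') }
            }
        }
    }
    $report | Sort-Object Mailbox | Export-Csv .\forwarding-audit.csv -NoTypeInformation
    $report | Format-Table -AutoSize
}

# Constructed sample rule (not real tenant data) showing what the classifier reports:
$sample = [pscustomobject]@{
    Name = '.'; ForwardTo = @('"Drop" [SMTP:drop@example.net]'); ForwardAsAttachmentTo = @(); RedirectTo = @()
    DeleteMessage = $true; MoveToFolder = $null; MarkAsRead = $false
    SubjectContainsWords = @('invoice'); BodyContainsWords = @(); SubjectOrBodyContainsWords = @()
}
Get-RuleFindings -Rule $sample
```

The CSV this writes is the artefact to keep from each review: it is the input for the next month's comparison and the first thing an investigator asks for when a BEC case opens.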

Business Email Compromise Risk

Forwarding rules are a common persistence and data theft method after email account compromise.

Review rules after suspicious sign-ins, phishing reports, financial fraud, vendor payment changes, and executive impersonation.

Treat suspicious forwarding as a potential incident, not just an admin cleanup item.

Invoice monitoring
Credential theft
Vendor fraud
Executive impersonation
Persistence
Data exfiltration

Audit Logs

Audit logs and mailbox audit data help reconstruct what changed and when.

Review unified audit logs, mailbox audit logs, sign-in logs, admin actions, rule creation, and suspicious client activity.

Preserve evidence before deleting rules in active investigations.

Unified audit log
Mailbox audit log
Sign-in logs
Rule creation events
Admin actions
Evidence preservation
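Pulling the rule and forwarding change history from the unified audit log, as an added example that is not part of the original page. It assumes Connect-ExchangeOnline with an account holding the View-Only Audit Logs role; the 30-day window, the evidence folder name and the operation list are assumptions. The raw records are written and hashed before anything is parsed, which is the order evidence preservation requires.

```powershell
# Added example, not code from the original page: pull rule-creation and forwarding-change events from
# the unified audit log and preserve the raw records before any cleanup. Assumes Connect-ExchangeOnline
# with an account holding the View-Only Audit Logs role. The 30-day window, evidence folder and the
# operation list are assumptions.

# Tenant-level mailbox auditing is on by default in Exchange Online; confirm nobody turned it off.
if ((Get-OrganizationConfig).AuditDisabled) { Write-Warning 'Mailbox auditing is disabled for the organization.' }

$start = (Get-Date).AddDays(-30)
$end   = Get-Date
# Operations that create or change forwarding: New-/Set-/Enable-InboxRule (PowerShell and OWA),
# UpdateInboxRules (Outlook desktop via MAPI), Set-Mailbox (ForwardingSmtpAddress), and the
# tenant-wide forwarding controls.
$ops = 'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
       'Set-RemoteDomain', 'New-TransportRule', 'Set-TransportRule', 'Set-HostedOutboundSpamFilterPolicy'

# Page through the results with a session so large tenants are not truncated at 5000 rows.
$records   = @()
$sessionId = "fwd-audit-$(Get-Date -Format yyyyMMddHHmmss)"
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += @($page)
} while ($page -and @($page).Count -eq 5000)

# Preserve the untouched records first: the raw AuditData JSON is the evidence, and the hash lets
# you show later that it was not altered.
$evidenceDir = ".\evidence\$sessionId"
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$records | Export-Csv "$evidenceDir\unified-audit-raw.csv" -NoTypeInformation
$records | ForEach-Object AuditData | Set-Content "$evidenceDir\unified-audit-raw.jsonl"
(Get-FileHash "$evidenceDir\unified-audit-raw.jsonl" -Algorithm SHA256).Hash | Set-Content "$evidenceDir\sha256.txt"

function ConvertTo-RuleEvent {
    # Flattens one audit record into the fields an investigator reads first.
    param([object]$Record)
    $d = $Record.AuditData | ConvertFrom-Json
    # Admin cmdlet records carry Parameters; mailbox-audit UpdateInboxRules records carry
    # OperationProperties. Both are arrays of {Name, Value}.
    $p = @{}
    foreach ($kv in @($d.Parameters) + @($d.OperationProperties)) { if ($kv) { $p[$kv.Name] = $kv.Value } }
    $target   = if ($d.ObjectId) { $d.ObjectId } else { $p['Mailbox'] }
    $ruleName = if ($p['Name']) { $p['Name'] } else { $p['RuleName'] }
    $forward  = @($p['ForwardTo'], $p['RedirectTo'], $p['ForwardAsAttachmentTo'],
                  $p['ForwardingSmtpAddress'], $p['RuleActions']) -join ''
    [pscustomobject]@{
        When       = $d.CreationTime
        Actor      = $d.UserId
        Operation  = $d.Operation
        ClientIP   = $d.ClientIP
        Target     = $target
        RuleName   = $ruleName
        Forwarding = $forward
        Deletes    = $p['DeleteMessage']
    }
}

$events = $records | ForEach-Object { ConvertTo-RuleEvent $_ }
# Set-Mailbox is logged for many unrelated admin changes; keep only those that touched forwarding.
$notable = $events | Where-Object { $_.Operation -ne 'Set-Mailbox' -or $_.Forwarding }
$notable | Sort-Object When | Export-Csv "$evidenceDir\rule-events.csv" -NoTypeInformation
$notable | Format-Table When, Actor, Operation, ClientIP, Target, RuleName, Forwarding, Deletes -AutoSize
```

Read the ClientIP and Actor columns against the sign-in logs for the same window: a rule created from an address the user never signs in from, or by an account other than the mailbox owner, is the usual first confirmation of compromise.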

External Forwarding

External forwarding should usually be blocked or tightly controlled.

Review outbound spam policies, remote domains, transport rules, and mailbox-level settings.

Create approved exception workflows with owner, reason, expiration, and monitoring.

Outbound spam policy
Remote domains
Approved exceptions
Expiration dates
Forwarding alerts
Owner review

Detection

Detection should combine admin reports, PowerShell review, Defender alerts, and SIEM monitoring.

Use Exchange Online PowerShell, Defender for Office 365, alert policies, Sentinel, and ticketing to detect risky forwarding and suspicious inbox rules.

Review results monthly and after every BEC investigation.

PowerShell audit
Defender alerts
Alert policies
Sentinel
Ticket workflow
Monthly review
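A detection built on the monthly export, as an added example that is not from the original page: it diffs the current forwarding and inbox-rule export against the previous run, so only new or changed forwarding reaches the ticket queue, and warns when forwarding disappeared (either a cleanup, or an attacker covering tracks). It works on CSV rows with Mailbox, Source, Rule and Target columns; the two data sets below are constructed samples, the ticket function stands in for whatever ticketing API is in use, and all names are assumptions.

```powershell
# Added example, not code from the original page: turn the monthly forwarding export into a detection
# by diffing it against the previous run. The sample rows are constructed; New-ForwardingTicket is a
# stand-in for a real ticketing integration; the internal domain is an assumption.

function Get-ForwardingDelta {
    # Compares two exports by the key columns and returns what appeared and what disappeared.
    param([object[]]$Baseline, [object[]]$Current)
    $keys = 'Mailbox', 'Source', 'Rule', 'Target'
    $diff = Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $keys -PassThru
    [pscustomobject]@{
        Added   = @($diff | Where-Object SideIndicator -eq '=>')   # new forwarding since last review
        Removed = @($diff | Where-Object SideIndicator -eq '<=')   # cleaned up, or tracks being covered
    }
}

function New-ForwardingTicket {
    # Stand-in for a ticketing integration: returns the payload that would be submitted.
    param([object]$Finding)
    $external = $Finding.Target -match '@' -and $Finding.Target -notmatch '@contoso\.com$'   # assumed internal domain
    [pscustomobject]@{
        Title    = "New forwarding on $($Finding.Mailbox): $($Finding.Source) '$($Finding.Rule)' -> $($Finding.Target)"
        Severity = if ($external) { 'High' } else { 'Medium' }
        Owner    = 'SecOps'
        Evidence = $Finding
    }
}

# Constructed samples: last month's export and this month's. ForwardingSmtpAddress values carry the
# 'smtp:' prefix exactly as Get-Mailbox renders them.
$baseline = @(
    [pscustomobject]@{ Mailbox = 'cfo@contoso.com';   Source = 'InboxRule'; Rule = 'Board papers';          Target = 'assistant@contoso.com' }
    [pscustomobject]@{ Mailbox = 'sales@contoso.com'; Source = 'Mailbox';   Rule = 'ForwardingSmtpAddress'; Target = 'smtp:crm@partner.example' }
)
$current = @(
    [pscustomobject]@{ Mailbox = 'cfo@contoso.com';   Source = 'InboxRule'; Rule = 'Board papers';          Target = 'assistant@contoso.com' }
    [pscustomobject]@{ Mailbox = 'sales@contoso.com'; Source = 'Mailbox';   Rule = 'ForwardingSmtpAddress'; Target = 'smtp:crm@partner.example' }
    [pscustomobject]@{ Mailbox = 'ap@contoso.com';    Source = 'InboxRule'; Rule = '.';                     Target = 'drop@example.net' }
)
# In production replace the samples with the real exports:
# $baseline = Import-Csv .\forwarding-audit-previous.csv; $current = Import-Csv .\forwarding-audit.csv

$delta   = Get-ForwardingDelta -Baseline $baseline -Current $current
$tickets = $delta.Added | ForEach-Object { New-ForwardingTicket -Finding $_ }
$tickets | Format-List
if ($delta.Removed) {
    Write-Warning "Forwarding removed since baseline (confirm it was authorised): $($delta.Removed.Mailbox -join ', ')"
}
```

Running this from a scheduled job after each export gives a ticket per new finding with the evidence row attached, which is what turns a monthly report into a detection with an owner and a due date.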

Highlighted Guidance

How to Secure Mailbox Forwarding and Inbox Rules

Forwarding-rule review should combine Exchange Online PowerShell, audit logs, Defender alerts, session revocation, MFA review, and recipient validation; during an investigation, preserve the evidence before changing anything.

PowerShell and reports

Use Exchange Online PowerShell and admin reports to identify forwarding, inbox rules, and suspicious mailbox configuration.

Defender and audit logs

Use Defender for Office 365, audit logs, alert policies, and Sentinel to monitor rule changes and compromised behavior.

Forwarding controls

Block automatic external forwarding by default and document controlled exceptions with expiration dates.

Incident response

For suspicious rules, preserve logs, revoke sessions, reset credentials, review MFA, and investigate mailbox access.
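The containment steps listed above in the order that keeps evidence intact, as an added example that is not code from the original page. It assumes Connect-ExchangeOnline (Organization Management) and Connect-MgGraph with the User.ReadWrite.All and UserAuthenticationMethod.Read.All scopes have both been run; the mailbox, ticket number and evidence folder are assumptions. Rules are disabled rather than deleted so the objects remain inspectable until the case closes.

```powershell
# Added example, not code from the original page: contain one suspected compromised mailbox while
# keeping the evidence intact. Assumes Connect-ExchangeOnline (Organization Management) and
# Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.Read.All' have both been run;
# the mailbox, ticket number and evidence folder are assumptions.

$mailbox = 'victim@contoso.com'   # assumption
$ticket  = 'IR-0000'              # assumption
$dir     = ".\evidence\$ticket"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Preserve before touching anything: full rule objects, mailbox forwarding state, and 30 days of
#    audit activity for this user (rule changes, sends, client IPs).
$rules = @(Get-InboxRule -Mailbox $mailbox -IncludeHidden)
$rules | Export-Clixml "$dir\inbox-rules.xml"
$rules | Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv "$dir\inbox-rules.csv" -NoTypeInformation
Get-Mailbox -Identity $mailbox |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward, AuditEnabled |
    Export-Clixml "$dir\mailbox-forwarding.xml"
Search-UnifiedAuditLog -UserIds $mailbox -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 |
    Export-Csv "$dir\unified-audit-user.csv" -NoTypeInformation

# 2. Cut the attacker off: revoke refresh tokens (already issued access tokens still run until they
#    expire), then reset the password with a forced change. Hand the temporary password over out of
#    band, never to the compromised mailbox.
Revoke-MgUserSignInSession -UserId $mailbox | Out-Null
$chars        = [char[]]((48..57) + (65..90) + (97..122))
$tempPassword = -join (Get-Random -InputObject $chars -Count 20)
Update-MgUser -UserId $mailbox -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# 3. Review MFA: a method the attacker registered survives a password reset. Anything the user does
#    not recognise is removed through the admin portal or the matching Remove-MgUserAuthentication* cmdlet.
Get-MgUserAuthenticationMethod -UserId $mailbox |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } },
                  @{ n = 'Detail'; e = { "$($_.AdditionalProperties['phoneNumber'])$($_.AdditionalProperties['displayName'])" } } |
    Tee-Object -FilePath "$dir\mfa-methods.txt" | Format-Table -AutoSize

# 4. Neutralise the rules and forwarding. Disable rather than delete so the objects stay inspectable
#    until the case closes; delete only once the exports above are confirmed intact.
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Disable-InboxRule -Confirm:$false
Set-Mailbox -Identity $mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 5. Hash the evidence set so the chain of custody can be demonstrated later.
Get-ChildItem $dir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv "$dir\evidence-hashes.csv" -NoTypeInformation
```

Step 3 is the one most often skipped: an attacker who added a phone or authenticator app during the compromise keeps a working second factor after the password reset, so the methods list has to be walked with the user before the account is handed back.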

Authoritative references:
Get-InboxRule
Mailbox auditing
Defender for Office 365
FBI BEC guidance
NIST CSF
MITRE ATT&CK

Business Impact

Why this matters to owners, IT managers, and executives.

Silent data exfiltration
Invoice fraud
BEC persistence
Missed security alerts
Client trust damage
Legal exposure
Compliance gaps
Incident response delays

Recurring Review

Monthly Forwarding Rule Review

Export mailbox forwarding settings.
Review suspicious inbox rules.
Check external forwarding exceptions.
Review sign-in logs for affected users.
Review Defender and audit alerts.
Remove unauthorized rules with evidence preserved.
Document approvals and owners.
Report findings to leadership.

Ali Hassani, CISO

About Ali Hassani

Ali Hassani is a CISO, cybersecurity and IT consultant, and IT infrastructure leader with 25+ years of experience in cybersecurity, compliance, Microsoft environments, network security, managed IT, and business technology operations; his certifications include CISSP, CCISO, CCNP, CCNA, MCSE, MCSA Security, MCITP, MCP, and MCTS.

Ali treats unauthorized forwarding as an incident-response signal because it can expose invoices, legal correspondence, HR data, client messages, and recovery communications.


FAQ

Mailbox Forwarding Rule Audit Guide FAQ

What is mailbox forwarding rule audit?

A mailbox forwarding rule audit checks Exchange Online forwarding, inbox rules, hidden redirection behavior, suspicious external recipients, and mailbox changes that may indicate compromise.

Who should own mailbox forwarding rule audit?

Mailbox-rule audits should be owned by Exchange administrators and security operations, with business managers validating legitimate exceptions and incident response handling suspicious forwarding.

Does this guide replace a professional audit?

Use this audit guide to find forwarding exposure and suspicious rules; suspected business email compromise requires a formal incident response process with evidence preservation.

Contact IT Perfection for mailbox forwarding rule audit support.

IT Perfection can help identify risky mailbox forwarding, review suspicious inbox rules, document exceptions, and coordinate remediation steps when business email compromise is suspected.

Prepared by Ali Hassani, CISO, drawing from 25+ years in cybersecurity, Exchange operations, infrastructure, and compliance support.