Triggers
- Mail forwarding which may be used as a collection or exfilltration channel for an adversary has been observed.
Possible Root Causes
- An external attacker has established persistent access to contents of a specfic mailbox without the need to otherwise maintain any kind of persistence through installing software.
- Employee life-cycle activities such as a permanent separation or a temporary leave of absence may legitimately require mailbox modifications which could triggering this detection.
- Emails belonging to executives may be forwarded to their associated administrative assistants.
- Emails for service accounts may be forwarded to the staff members who manage those services.
Business Impact
- Attackers who have gained persistence through the email systems may passively collect and exlfiltrate data.
- Sensitive business information often resides in email systems and may be leaked through e-mail theft.
Steps to Verify
- Verify if sensitive data has been unintentionally forwarded using this feature.