Forum Discussion

icelava
Mar 15, 2021

Office SCC - expired email forwarding alerts

Office Security & Compliance Center's alerts generally become useless past a week, since the details for the alerts necessary to make informed assessments and judgements get discarded thereafter.

For alerts about users creating email forwarding rules (not wholesale mailbox forwarding), are there alternative ways to track back these details, short of directly signing in as said user, like what Microsoft 365 security recommends?

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide#how-to-secure-and-restore-email-function-to-a-suspected-compromised-microsoft-365-account-and-mailbox

 

  • Which details do you mean in particular? You can enumerate rules within users' mailboxes via PowerShell or EWS, and toggle them on/off as needed. To ensure timely discovery, you can configure email notifications for said alerts. The unified audit log will surface any events related to configuring forwarding, and the message trace can give you a clue as to whether forwarding is actually taking place.
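
An added example, not part of the reply above: one way to recover forwarding-rule details without signing in as the user, combining the current inbox rules with unified audit log history. It assumes an existing Exchange Online PowerShell session; the mailbox address and the 30-day window are placeholders.

```powershell
# Assumption: already connected with Connect-ExchangeOnline.
$Mailbox = 'user@example.com'          # placeholder address
$Start   = (Get-Date).AddDays(-30)     # arbitrary look-back window
$End     = Get-Date

# 1. Current state: inbox rules that forward or redirect mail.
$rules = Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# 2. History: audit records for rule creation or modification by this user.
$records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -UserIds $Mailbox -Operations 'New-InboxRule', 'Set-InboxRule' -ResultSize 1000

$forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'

$history = foreach ($r in $records) {
    # AuditData is a JSON string; cmdlet arguments sit in its Parameters array.
    $data = $r.AuditData | ConvertFrom-Json
    $hits = $data.Parameters | Where-Object { $_.Name -in $forwardParams }
    if ($hits) {
        [pscustomobject]@{
            Time      = $r.CreationDate
            User      = $r.UserIds
            Operation = $r.Operations
            ClientIP  = $data.ClientIP
            RuleName  = ($data.Parameters | Where-Object Name -eq 'Name').Value
            Targets   = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

$rules   | Format-Table -AutoSize
$history | Sort-Object Time | Format-Table -AutoSize
```

Rules created from desktop Outlook clients are recorded under the `UpdateInboxRules` mailbox audit operation with a different `AuditData` layout, so they will not appear in this filter.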
