Forum Discussion
Office SCC - expired email forwarding alerts
Office Security & Compliance Center's alerts generally become useless past a week since the details for the alerts necessary to make informed assessments and judgements get discarded thereafter.
For alerts about users creating email forwarding rules (not wholesale mailbox forwarding), are there alternative ways to track back these details? Short of directly signing in as said user, like what Microsoft 365 security recommends.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide#how-to-secure-and-restore-email-function-to-a-suspected-compromised-microsoft-365-account-and-mailbox
When attempting to [View activity list] and looking at the activity items.
I installed the https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps and was able to see the forwarding rules with https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps.
Thanks
2 Replies
- Which details do you mean in particular? You can enumerate rules within user's mailboxes via PowerShell or EWS, and toggle them on/off as needed. To ensure timely discovery, you can configure email notifications for said alerts. The unified audit log will surface any events related to configuring forwarding, and the message trace can give you a clue as to whether forwarding is actually taking place.
When attempting to [View activity list] and looking at the activity items.
I installed the https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps and was able to see the forwarding rules with https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps.
Thanks
