We have a rule setup on Exchange online which successfully blocks emails that satisfy a "Block Automatic forwarding of mail to external domains" policy rule.
I can see the report which shows a "rule hit" and get an email notification every time the rule is hit as well. I don't, however, see a report of the evidence of the blocked emails. Is this possible?
So "Show me a list of actual blocked emails" rather than "show me a list of rule hits" if that makes sense.
The problem is I cannot distinguish between rule hits and blocks, as currently, the notification shows:
"Rule Hit: Block Client Forwarding to an external domain, Action: AuditSeverityLevel, RejectMessage, GenerateIncidentReport" but it shows the same message for auto-forwarded emails inside the domain as well.