In Office 365 Security & Compliance center (protection.office.com), we used to get alerts from policy "Creation of forwarding/redirect rule" when we create rules in Outlook in Windows.

In late March, we one day realised alerts were no longer following in SCC's alerts list; users reporting malicious emails show up in our report-archival mailbox but no corresponding "Email reported by user as malware or phish" alert policy trigger. After a lengthy check with Microsoft support, it appears the backend mechanism/service for flowing these alerts was faulty. Eventually, we were able to see alerts flowing in again.

One odd residual thing though, the "Creation of forwarding/redirect rule" alert only happens if we create forwarding rules in Outlook Web Access (OWA). No alert triggers if we use Outlook in Windows. Support mentions it could be due to the difference between server-side rules and client-side rules.

However, on further inspection, the forwarding rules do not have client-side-only conditions (and it used to work in the past).

• If sender is <certain party>
• Forward to <external email address>
• Stop processing more rules

What other conditions could be in play here?