A low-severity alert has been triggered emails


We have started receiving "A low-severity alert has been triggered" alerts today.

Is this normal?

 

A low-severity alert has been triggered
Creation of forwarding/redirect rule
Severity: ? Low
Time: 10/12/2018 7:30:00 AM (UTC)
Activity: MailRedirect
User: username@xxxxx.com.sg
Details: MailRedirect. This alert is triggered whenever someone gets access to read your user's email.
Investigate

 

4 Replies

This means someone in the organization set up a forwarding rule, auto forwarding or forwarding mail flow rule. You can check and further investigate this in:

Security and Compliance Center - "Alerts"

Also, the alert policies can be configured under "alert policies".

 

Adam


Just adding a link to the documentation on Alert policies, where you can find all the needed details: https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies

 

As noted there, some alerts (such as the forwarding one) are included and turned on by default for every Enterprise plan.

You need to investigate this as well, as that's why the alert is there. There are lots of scenarios where the user's password is compromised and a malicious actor puts a forwarding rule on their account. You need to check every time you get this or other alerts.

Have checked the user's mailbox.
Did not find any new forwarding rules for emails.
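
The replies above name three places forwarding can be configured: an inbox rule, mailbox auto-forwarding, and a mail flow rule. The script below is an added example, not part of any post in this thread, that checks all three for the user named in the alert. It assumes an Exchange Online PowerShell session is already connected; the `$User` parameter and the output property names are hypothetical.

```powershell
# Added example: enumerate the places a forward/redirect can be configured.
# Assumes a connected Exchange Online PowerShell session.
param(
    # Placeholder: pass the address from the alert's "User:" field.
    [Parameter(Mandatory)] [string] $User
)

# 1. Inbox rules (including hidden ones) that forward or redirect mail.
$inboxRules = Get-InboxRule -Mailbox $User -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# 2. Mailbox-level auto-forwarding; this is not an inbox rule, so a
#    review of the user's rules alone will not show it.
$mailbox = Get-Mailbox -Identity $User |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Organization-wide mail flow (transport) rules that redirect or copy mail.
$transportRules = Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients

# Summarize so an empty result in one place is not mistaken for "no forwarding".
[pscustomobject]@{
    User                    = $User
    ForwardingInboxRules    = @($inboxRules).Count
    MailboxForwardingSet    = [bool]($mailbox.ForwardingAddress -or $mailbox.ForwardingSmtpAddress)
    ForwardingTransportRules = @($transportRules).Count
}

# Details for whichever checks returned something.
$inboxRules     | Format-List
$mailbox        | Format-List
$transportRules | Format-List
```

A rule that was created and then deleted will not appear in any of these checks, so the alert's own details page in the Security and Compliance Center remains the record of what triggered it.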