A low-severity alert has been triggered emails


We have started receiving "A low-severity alert has been triggered" alerts today?

Is this normal?

 

A low-severity alert has been triggered
Creation of forwarding/redirect rule
Severity: Low
Time: 10/12/2018 7:30:00 AM (UTC)
Activity: MailRedirect
User: username@xxxxx.com.sg
Details: MailRedirect. This alert is triggered whenever someone gets access to read your user's email.
Investigate

 

5 Replies

This means someone in the organization set up a forwarding rule, auto forwarding or a forwarding mail flow rule. You can check and further investigate this in:

Security and Compliance Center - "Alerts"

Also the alert policies can be configured under "alert policies"

 

Adam

Just adding a link to the documentation on Alert policies, where you can find all the needed details: https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies

 

As noted there, some alerts (such as the forwarding one) are included and turned on by default for every Enterprise plan.

You need to investigate this as well, as that's why the alert is there. There are lots of scenarios where the user's password is compromised and a malicious actor puts a forwarding rule on their account. You need to check every time you get this or other alerts.

Have checked the user mailbox.
Did not find any new forwarding rules of emails.

@Kin Mun Yeow : How can I disable this automatic redirection?
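
The replies above name three places a forward or redirect can live (an inbox rule, mailbox-level auto forwarding, a mail flow rule). The script below is an added example, not part of the original thread, that checks all three for one mailbox and then pulls recent rule-change audit records, which still show a rule that was created and later removed. It assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session; the function name, the mailbox address, the 7-day window and the list of audit operations are illustrative choices.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# Get-ForwardingFootprint is a hypothetical helper name, not a built-in cmdlet.
function Get-ForwardingFootprint {
    param([Parameter(Mandatory)][string]$Mailbox)

    # 1. Inbox rules on the mailbox that forward or redirect mail
    Get-InboxRule -Mailbox $Mailbox |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            [pscustomobject]@{
                Source  = 'InboxRule'
                Name    = $_.Name
                Enabled = $_.Enabled
                Target  = ($targets | Where-Object { $_ }) -join '; '
            }
        }

    # 2. Mailbox-level auto forwarding (set on the mailbox, not visible as a rule)
    $mbx = Get-Mailbox -Identity $Mailbox
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Source  = 'MailboxForwarding'
            Name    = $mbx.PrimarySmtpAddress
            Enabled = $true
            Target  = (@($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) |
                          Where-Object { $_ }) -join '; '
        }
    }

    # 3. Organization-wide mail flow (transport) rules that redirect or copy mail
    Get-TransportRule |
        Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
        ForEach-Object {
            $targets = @($_.RedirectMessageTo) + @($_.BlindCopyTo) + @($_.CopyTo)
            [pscustomobject]@{
                Source  = 'TransportRule'
                Name    = $_.Name
                Enabled = ($_.State -eq 'Enabled')
                Target  = ($targets | Where-Object { $_ }) -join '; '
            }
        }
}

# Placeholder mailbox; replace with the user named in the alert.
$user = 'user@example.com'
Get-ForwardingFootprint -Mailbox $user | Format-Table -AutoSize

# 4. Audit trail for rule changes in the last 7 days (operation list is an assumption;
#    extend it to match what your tenant logs). AuditData is a JSON string.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -UserIds $user `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox' |
    Select-Object CreationDate, UserIds, Operations, AuditData
```

An empty result from steps 1 to 3 together with hits in step 4 means a rule or forwarding setting was changed and has since been removed or reverted; the `AuditData` field carries the client IP and parameters for each change.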