EXT-07HighRecommended Secure

Detect External Mail Forwarding

Guest & External Access control for Microsoft 365 and Entra ID

Why This Control Matters

Attackers commonly set up mail forwarding rules after compromising accounts. These rules silently copy all emails to external addresses, enabling ongoing data theft even after the initial compromise is remediated.

Expected State

When this control is compliant, your tenant should meet these criteria:

1Mailbox forwarding rules to external addresses are identified
2Inbox rules forwarding to external domains are flagged
3No unexpected external forwarding rules exist

Enforcement

Default Mode

Advisory

Alerts on deviations but does not make changes

Auto-Remediation

Manual Only

Requires Exchange admin access or Microsoft Graph Reports API

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.