Managed Sentinel – Alert 067

Alert ID: MS-A067
Alert Name: Multiple users forwarding O365 mail to same destination
Description: This query over Office 365 Activity audit data highlights cases where mail from more than one user account is being forwarded to the same destination address. A single user forwarding to a personal mailbox is common; several mailboxes converging on one external address is more consistent with an attacker who has compromised multiple accounts and is collecting their mail.
Source: GitHub - Microsoft
Severity Level: Low
Threat Indicator: Data Theft
MITRE ATT&CK Tactics: Exfiltration
Log sources: Office 365
False Positive: Unknown
Recommendations: Review the affected O365 email accounts and the destination email address.
Review the SENT items of the affected mailboxes to understand whether any attachments (confidential data) were sent out of the organization.
Evaluate whether the destination email address appears on any Threat Intelligence list.
Remove the forwarding configuration (mailbox forwarding or inbox rule) from the Exchange admin center.
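The detection logic behind this alert, as an added example in Python rather than the KQL query the page points to; it is not Microsoft's or Managed Sentinel's code. It assumes OfficeActivity-style records in which Exchange admin audit events carry an Operation (Set-Mailbox, Set-InboxRule, New-InboxRule), a UserId, and a Parameters field holding a JSON array of Name/Value pairs, and it treats the forwarding parameter names (ForwardingSmtpAddress, ForwardingAddress, ForwardTo, RedirectTo, ForwardAsAttachmentTo), the internal-domain allowlist and the two-user threshold as assumptions to tune per tenant. The sample events are constructed, not real tenant data.

```python
import json
import re
from collections import defaultdict

# Assumed: Exchange cmdlets whose parameters can set up mail forwarding.
FORWARDING_OPERATIONS = {"Set-Mailbox", "Set-InboxRule", "New-InboxRule"}
# Assumed: parameter names that name a forwarding/redirect destination.
FORWARDING_PARAMS = {
    "ForwardingSmtpAddress", "ForwardingAddress",
    "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
}
# Assumed: the tenant's own domains; forwarding between colleagues is not exfiltration.
INTERNAL_DOMAINS = {"contoso.example"}


def _params(name_value_pairs):
    """Serialise a parameter list the way the audit log stores it (JSON string)."""
    return json.dumps([{"Name": n, "Value": v} for n, v in name_value_pairs])


# Constructed sample OfficeActivity-like records (not real data).
SAMPLE_EVENTS = [
    # Two different users forwarding to the same external collector address.
    {"OfficeWorkload": "Exchange", "Operation": "Set-Mailbox", "UserId": "alice@contoso.example",
     "Parameters": _params([("Identity", "alice"),
                            ("ForwardingSmtpAddress", "smtp:collector@evil-mail.example")])},
    {"OfficeWorkload": "Exchange", "Operation": "New-InboxRule", "UserId": "Bob@contoso.example",
     "Parameters": _params([("Name", "Sync"),
                            ("ForwardTo", '"Collector" [SMTP:collector@evil-mail.example]')])},
    # Internal redirect to a colleague: excluded by the allowlist.
    {"OfficeWorkload": "Exchange", "Operation": "Set-InboxRule", "UserId": "carol@contoso.example",
     "Parameters": _params([("Identity", "Out of office"),
                            ("RedirectTo", '"Dave" [SMTP:dave@contoso.example]')])},
    # One user forwarding to a personal mailbox: below the multi-user threshold.
    {"OfficeWorkload": "Exchange", "Operation": "New-InboxRule", "UserId": "erin@contoso.example",
     "Parameters": _params([("Name", "Home"), ("ForwardTo", "erin.personal@mail.example")])},
    # Set-Mailbox without any forwarding parameter: ignored.
    {"OfficeWorkload": "Exchange", "Operation": "Set-Mailbox", "UserId": "frank@contoso.example",
     "Parameters": _params([("Identity", "frank"), ("ProhibitSendQuota", "49 GB")])},
    # Non-Exchange workload: ignored.
    {"OfficeWorkload": "SharePoint", "Operation": "FileDownloaded", "UserId": "alice@contoso.example",
     "Parameters": "[]"},
]


def _normalise(raw):
    """Reduce a logged recipient to a bare lower-case SMTP address.

    Inbox-rule recipients are logged as '"Display Name" [SMTP:addr]';
    Set-Mailbox logs 'smtp:addr'; a plain address is also accepted.
    """
    m = re.search(r"smtp:([^\]\s\"';,]+)", raw, re.IGNORECASE)
    return (m.group(1) if m else raw).strip().strip('"').lower()


def extract_destinations(event):
    """Return the set of forwarding destinations configured by one audit event."""
    if event.get("OfficeWorkload") != "Exchange":
        return set()
    if event.get("Operation") not in FORWARDING_OPERATIONS:
        return set()
    destinations = set()
    for param in json.loads(event.get("Parameters") or "[]"):
        if param.get("Name") in FORWARDING_PARAMS and param.get("Value"):
            # Multiple recipients are ';'-separated in the logged value.
            for token in str(param["Value"]).split(";"):
                addr = _normalise(token)
                if "@" in addr:
                    destinations.add(addr)
    return destinations


def find_shared_destinations(events, internal_domains=INTERNAL_DOMAINS, min_users=2):
    """Map each external destination to the distinct users forwarding to it.

    Only destinations reached by at least `min_users` distinct accounts are
    returned; these are the cases the alert is meant to surface.
    """
    users_by_destination = defaultdict(set)
    for event in events:
        for dest in extract_destinations(event):
            domain = dest.rsplit("@", 1)[-1]
            if domain in internal_domains:
                continue
            users_by_destination[dest].add(event["UserId"].lower())
    return {dest: sorted(users)
            for dest, users in users_by_destination.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for dest, users in find_shared_destinations(SAMPLE_EVENTS).items():
        print(f"{dest} <- {', '.join(users)}")
```

On the sample data only collector@evil-mail.example is reported, attributed to alice and bob; the internal redirect and the single-user personal forward are dropped, which is also why the page lists the false-positive rate as unknown: a legitimate shared external address (a ticketing or archiving mailbox, for instance) would trip the same grouping and has to be allowlisted per tenant.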