Managed Sentinel – Alert 067

Alert ID: MS-A067
Alert Name: Multiple users email forwarded to same destination
Description: This query over Office Activity audit data highlights cases where user mail is being forwarded. It identifies when multiple user mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.
Severity Level: Medium
Threat Indicator: Data Theft
MITRE ATT&CK Tactics: Collection, Exfiltration
Log Sources: Office 365
False Positive: Group policy change affecting multiple users' email accounts
Recommendations:
1. Review the affected O365 email accounts and the destination email address.
2. Determine whether this is a legitimate configuration within the organization.
3. Review sent email content to determine whether any attachments (confidential data) were sent out of the organization.
4. Evaluate whether the destination email address appears on any threat intelligence list.
5. Remove the forwarder in the Office 365 Exchange admin center.
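The detection logic described above, as an added example that is not part of the Managed Sentinel rule itself: it groups Exchange audit events by forwarding destination and reports destinations that more than one mailbox forwards to. The record shape (UserId, Operation, Parameters), the cmdlet parameter names and the sample events are assumptions constructed for this example.

```python
"""Detect many mailboxes forwarding to one destination over Office 365 audit
records shaped like Sentinel's OfficeActivity table (UserId, Operation,
Parameters). Field names and sample events are assumptions for this example."""
from collections import defaultdict

# Exchange operations that can set up forwarding, and the parameters that carry
# the destination (assumed to follow the Exchange cmdlet parameter names).
FORWARDING_PARAMS = {
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-InboxRule": {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"},
    "Set-InboxRule": {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"},
}

def normalize(addr: str) -> str:
    """Strip the 'smtp:' prefix Exchange adds and lower-case the address."""
    addr = addr.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr

def extract_destinations(event: dict) -> set:
    """Return every forwarding destination configured by one audit event."""
    wanted = FORWARDING_PARAMS.get(event.get("Operation"), set())
    dests = set()
    for p in event.get("Parameters", []):
        if p.get("Name") in wanted and p.get("Value"):
            # Inbox rules may list several recipients separated by ';'
            dests.update(normalize(v) for v in p["Value"].split(";") if v.strip())
    return dests

def shared_destinations(events: list, min_users: int = 2) -> dict:
    """Map destination -> sorted distinct senders, keeping only destinations
    that at least `min_users` different mailboxes forward to."""
    by_dest = defaultdict(set)
    for ev in events:
        for d in extract_destinations(ev):
            by_dest[d].add(ev["UserId"].lower())
    return {d: sorted(u) for d, u in by_dest.items() if len(u) >= min_users}

# Constructed sample audit events (not real tenant data).
SAMPLE_EVENTS = [
    {"UserId": "alice@contoso.example", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@external.example"}]},
    {"UserId": "bob@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardTo", "Value": "collector@external.example"}]},
    {"UserId": "carol@contoso.example", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "RedirectTo", "Value": "Collector@External.example; archive@contoso.example"}]},
    {"UserId": "dave@contoso.example", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.home@personal.example"}]},
]
```

Calling shared_destinations(SAMPLE_EVENTS) reports only collector@external.example with its three distinct users; destinations used by a single mailbox (the internal archive and dave's personal address) are dropped, which is where an allowlist of internal domains would reduce the group-policy false positive noted above.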