Managed Sentinel – Alert 139

Alert ID: MS-A139
Alert Name: Mail forwarding enabled to an external email address
Description: This query over Office Activity audit data highlights cases where user mail is being forwarded to an external email address.
Severity Level: Low
Threat Indicator: Data Theft
MITRE ATT&CK Tactics: Exfiltration
Log sources: Office 365
False Positive: Group policy change affecting multiple users' email accounts
Recommendations:
1. Review the affected O365 email account and the destination email address.
2. Determine whether this is a legitimate configuration within the organization.
3. Review SENT email content to determine whether any attachments (confidential data) were sent out of the organization.
4. Evaluate whether the destination email address appears on any Threat Intelligence list.
5. Remove the forwarder from the Office 365 Exchange admin center.
6. Reach out to the end user and notify them of the action taken.
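The description above refers to a query over the OfficeActivity table but does not show it. The following KQL is an added example of that kind of detection, not Managed Sentinel's own rule logic. It assumes the Exchange admin audit records land in Sentinel's OfficeActivity table with the cmdlet arguments in the Parameters column as a JSON array of Name/Value pairs, and the InternalDomains list is a placeholder that must be replaced with the tenant's accepted domains.

```kql
// Placeholder: replace with the tenant's accepted (internal) domains.
let InternalDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
OfficeActivity
| where OfficeWorkload == "Exchange"
// Mailbox-level forwarding and inbox rules are the two common ways mail leaves a mailbox
| where Operation in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
// Assumption: successful Exchange admin cmdlets log ResultStatus "True" (or "Succeeded")
| where ResultStatus in~ ("True", "Succeeded")
// Parameters is a JSON array of {Name, Value}; expand it and keep only forwarding settings
| mv-expand Parameter = todynamic(Parameters)
| extend ParamName = tostring(Parameter.Name), ParamValue = tostring(Parameter.Value)
| where ParamName in ("ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
// Values may be written as "smtp:user@example.com" or as a bare address; drop the prefix
| extend Destination = tolower(trim_start(@"(?i)smtp:", ParamValue))
| extend DestinationDomain = tostring(split(Destination, "@")[1])
// Flag only destinations outside the organization's own domains
| where isnotempty(DestinationDomain) and DestinationDomain !in (InternalDomains)
| project TimeGenerated, UserId, Operation, ParamName, Destination, DestinationDomain, ClientIP, OriginatingServer
| order by TimeGenerated desc
```

The expected false positive named above (a group policy change touching many mailboxes) shows up in this output as many UserId values changed from the same ClientIP within a short window and pointing at one DestinationDomain; summarising by DestinationDomain and counting distinct UserId values before triage separates that bulk change from a single mailbox quietly forwarding to a personal address.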