
Email forwarding is one of the easiest ways for data to leave Microsoft 365 without much noise. A single rule can send payroll, sales, or legal mail straight to an outside inbox.

That’s why auditing email forwarding rules should be part of routine admin work, not an emergency-only task. If a mailbox starts acting oddly, the problem is often hiding in an inbox rule, a mailbox setting, or a transport rule.


What to check first when forwarding looks suspicious

Start with the mailbox that raised the alert. In many incidents, the quickest win is to confirm whether mail is leaving the tenant at all.

Focus on these first checks:

  • Mailbox forwarding. Look at ForwardingSmtpAddress (any SMTP address, typically external) and ForwardingAddress (an internal recipient), and note DeliverToMailboxAndForward: when it is true a copy stays in the mailbox, so the owner never notices anything missing.
  • Inbox rules. Review rules that forward, forward as attachment, redirect, delete, or move mail out of sight. Include hidden rules, which Outlook does not display.
  • Transport rules. Check for org-wide rules that redirect or copy messages (RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients).
  • External forwarding policy. Verify whether your tenant allows automatic forwarding outside the organization: the AutoForwardingMode setting of the outbound spam filter policy and AutoForwardEnabled on the remote domain entries.
  • Recent changes. Match the rule with a time, user, and sign-in event.

Microsoft’s audit guidance for mailbox rules is useful here because it ties current rules to the audit trail. That matters when you need to prove who changed what, and when.

A forwarding rule is only half the story. The audit log tells you whether it came from a user, an attacker, or an admin task.

Inbox rules, mailbox forwarding, and transport rules are different

These three controls get mixed up all the time, but they behave differently.

| Rule type | Where it lives | What it can do | First place to check |
|---|---|---|---|
| Inbox rule | Inside one mailbox | Forward, redirect, move, delete, or mark mail | Get-InboxRule |
| Mailbox forwarding | Mailbox property | Send all mail to another mailbox or external address | Get-Mailbox |
| Transport rule | Tenant-wide mail flow | Redirect, copy, block, or modify messages in transit | EAC mail flow rules |

Inbox rules are personal and can be hidden. Mailbox forwarding is blunt and easy to spot if you know where to look. Transport rules are broader, so one bad change can affect many users at once.

For policy context, Microsoft’s mail flow rules in Exchange Online explains how transport rules work, while Configure email forwarding in Microsoft 365 covers mailbox-level forwarding.

Audit forwarding in Exchange admin center

The Exchange admin center gives you a quick visual pass, which is useful when you need answers fast.

Use the new EAC to review mail flow settings and the auto forwarded messages report. That report helps you spot users or mailboxes sending mail outside the tenant through automatic forwarding.

A practical flow looks like this:

  1. Open the mailbox or user record and inspect forwarding settings.
  2. Check whether forwarding is set to an internal mailbox or an external address.
  3. Review the auto forwarded messages report for spikes or unusual senders.
  4. Open mail flow rules and look for redirect, copy, or route changes.
  5. Confirm the change date against recent admin activity.

This view is best for triage. It tells you what is active now, which is the first thing most incidents need.

Audit forwarding with PowerShell

PowerShell gives you the wider view. That matters in larger tenants, because one mailbox check is never enough.

Begin with Get-Mailbox to find accounts that have forwarding set. Then use Get-InboxRule -IncludeHidden to catch rules users may not see in Outlook. For tenant-wide mailbox rule searches, Microsoft’s audit log guidance for mailbox rules and Use the audit log to identify Exchange inbox rules activities are the right references.

A simple workflow is:

  • Pull all mailboxes and filter on ForwardingAddress, ForwardingSmtpAddress, and DeliverToMailboxAndForward.
  • Review inbox rules for ForwardTo, ForwardAsAttachmentTo, RedirectTo, or DeleteMessage, and resolve each target to decide whether it is internal or external.
  • Search the Microsoft Purview audit log for New-InboxRule, Set-InboxRule, and Remove-InboxRule, plus UpdateInboxRules (rules created from the Outlook client) and Set-Mailbox (mailbox-level forwarding changes).
  • Check New-TransportRule, Set-TransportRule, and Remove-TransportRule for org-wide changes.
  • Verify AuditEnabled on the mailbox if the audit trail looks empty. Mailbox auditing is on by default in Exchange Online, so an empty trail usually means someone turned it off or the search window is wrong.
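The workflow above, as one added example that is not code from the original article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has been run with a role that can read mailboxes, inbox rules, transport rules, and the unified audit log; $lookbackDays, $reportPath, the Test-ExternalTarget and Add-Finding helpers, and the sample output path are illustrative choices. It goes slightly beyond the list by also checking the tenant-level forwarding policy, since that decides whether an external target would deliver at all.

```powershell
# Added example (not from the original article). Assumes an active
# Connect-ExchangeOnline session; $lookbackDays and $reportPath are assumptions.
$lookbackDays = 30
$reportPath   = ".\forwarding-audit.csv"

# Accepted domains decide whether a forwarding target counts as external.
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalTarget {
    # Inbox-rule targets look like '"Name" [SMTP:user@example.com]' and
    # ForwardingSmtpAddress looks like 'smtp:user@example.com', so extract
    # the address with a regex instead of splitting the raw string on '@'.
    param([string]$Target)
    $m = [regex]::Match([string]$Target, '[^\s"\[\]<>:]+@[^\s"\[\]<>:]+')
    if (-not $m.Success) { return $false }      # no SMTP address => internal object
    $domain = ($m.Value -split '@')[-1].ToLower()
    return $acceptedDomains -notcontains $domain
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Mailbox, $Source, $Name, $Targets, $KeepCopy) {
    $findings.Add([pscustomobject]@{
        Mailbox  = $Mailbox
        Source   = $Source
        Name     = $Name
        Targets  = (@($Targets) -join '; ')
        External = (@($Targets) | Where-Object { Test-ExternalTarget $_ }).Count -gt 0
        KeepCopy = $KeepCopy   # $false means the owner never sees the message
    })
}

# 0. Tenant policy: is automatic external forwarding allowed at all?
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain | Select-Object DomainName, AutoForwardEnabled

# 1. Mailbox-level forwarding (ForwardingAddress = internal recipient,
#    ForwardingSmtpAddress = SMTP target, DeliverToMailboxAndForward = keep a copy).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $targets = @($mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress) | Where-Object { $_ }
        Add-Finding $mbx.PrimarySmtpAddress 'MailboxForwarding' '' $targets $mbx.DeliverToMailboxAndForward
    }
}

# 2. Inbox rules, including hidden rules that Outlook does not display.
#    One remote call per mailbox, so this is the slow part in a large tenant.
foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -IncludeHidden -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        if ($targets -or $rule.DeleteMessage) {
            Add-Finding $mbx.PrimarySmtpAddress 'InboxRule' $rule.Name $targets (-not $rule.DeleteMessage)
        }
    }
}

# 3. Transport rules that redirect or copy mail org-wide.
foreach ($tr in Get-TransportRule) {
    $targets = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.CopyTo) + @($tr.AddToRecipients) | Where-Object { $_ }
    if ($targets) {
        Add-Finding '<tenant>' 'TransportRule' "$($tr.Name) [$($tr.State)]" $targets $true
    }
}

$findings | Sort-Object External -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $reportPath -NoTypeInformation

# 4. Who created or changed these? Pull the matching audit records and flatten the JSON.
#    UpdateInboxRules covers rules made in Outlook; Set-Mailbox covers mailbox forwarding.
$ops = 'New-InboxRule','Set-InboxRule','Remove-InboxRule','UpdateInboxRules',
       'Set-Mailbox','New-TransportRule','Set-TransportRule','Remove-TransportRule'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$lookbackDays) -EndDate (Get-Date) `
    -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $d.CreationTime
            Operation = $d.Operation
            Actor     = $d.UserId
            ClientIP  = $d.ClientIP
            Object    = $d.ObjectId
            # Parameters is a Name/Value array; keep only the forwarding-related ones
            Params    = ($d.Parameters | Where-Object { $_.Name -match 'Forward|Redirect|Delete|Copy' } |
                         ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } |
    # Set-Mailbox fires for many unrelated changes; drop the ones with no forwarding parameters
    Where-Object { $_.Params -or $_.Operation -ne 'Set-Mailbox' } |
    Format-Table -AutoSize
```

The audit records are what turn a finding into a case: Actor and ClientIP tell you whether the change came from the owner, an admin session, or an unfamiliar address, and the flattened Params show exactly which forwarding target was set. If a mailbox shows a suspicious rule but no matching record, check its AuditEnabled value before concluding that nothing happened.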

If results look thin, check whether the mailbox audit settings were disabled or changed. A weak audit trail slows incident response and makes cleanup harder.

Security risks, misuse patterns, and remediation

As of April 2026, Microsoft has not made major changes to the core forwarding model in Exchange Online. The bigger shift is stronger baseline security, including modern authentication and better default protection. Microsoft’s recommended security settings are worth reviewing alongside forwarding controls.

Common misuse patterns include stolen executive mailboxes, fake payroll forwarding, and rules that hide warning emails. Attackers also love rules that forward only certain subjects or senders, because those are easy to miss.

When you find a bad rule, act in a clear order:

  1. Disable the forwarding setting or rule. Disable before you delete, so the rule definition survives as evidence.
  2. Remove any external target that shouldn’t exist, at the mailbox level as well as in the rule; attackers often set both.
  3. Reset the password and revoke active sessions if compromise is possible, and review registered MFA methods and recent app consents, since attackers often add their own.
  4. Review sign-in logs and related mail flow changes.
  5. Document the rule, the change time, and the mailbox owner.
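The remediation order above as one added script, not code from the original article. It assumes an active Connect-ExchangeOnline session and a Connect-MgGraph session with the User.ReadWrite.All and AuditLog.Read.All scopes; $mailbox and $ruleName are placeholders for the mailbox and rule found during triage, and the evidence file path is an illustrative choice. The password reset itself is done in Entra ID and is not scripted here.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline
# and Connect-MgGraph have been run; $mailbox and $ruleName are placeholders.
$mailbox  = 'user@contoso.com'   # placeholder: the mailbox that raised the alert
$ruleName = 'Payroll'            # placeholder: the rule name found by Get-InboxRule
$evidence = [ordered]@{ Mailbox = $mailbox; Collected = (Get-Date).ToString('o') }

# 1. Capture, then disable. A disabled rule keeps its definition for the case file;
#    deleting it first destroys the evidence of what it matched and where it sent mail.
$rules = Get-InboxRule -Mailbox $mailbox -IncludeHidden | Where-Object { $_.Name -eq $ruleName }
$evidence.Rules = $rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
    RedirectTo, DeleteMessage, SubjectContainsWords, FromAddressContainsWords
foreach ($r in $rules) {
    Disable-InboxRule -Mailbox $mailbox -Identity $r.Identity -Confirm:$false
}

# 2. Clear mailbox-level forwarding in the same pass; a rule and a property are often set together.
$before = Get-Mailbox -Identity $mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward, AuditEnabled
$evidence.MailboxForwardingBefore = $before
Set-Mailbox -Identity $mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 3. Revoke sessions so a stolen token cannot simply re-create the rule.
#    Reset the password and review MFA methods in Entra ID alongside this.
Revoke-MgUserSignInSession -UserId $mailbox | Out-Null

# 4. Sign-ins and rule changes for the same window, so the ticket ties the rule to an actor and IP.
$evidence.SignIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$mailbox'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
        @{ n = 'Status'; e = { $_.Status.ErrorCode } }
$evidence.RuleChanges = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $mailbox -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,Set-Mailbox -ResultSize 500 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $d.CreationTime; Operation = $d.Operation; Actor = $d.UserId; ClientIP = $d.ClientIP }
    }

# 5. Write the record. The file name strips characters that are not safe in a path.
$safeName = ($mailbox -replace '[^\w.-]', '_')
[pscustomobject]$evidence | ConvertTo-Json -Depth 5 | Out-File ".\evidence-$safeName.json"
```

Run it once per affected mailbox and keep the evidence file with the ticket; the "before" snapshot of the forwarding properties and the rule definition are what an auditor will ask for later.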

If your team needs a repeatable review process, Book a Discovery Call with Bud Consulting.

FAQ

How often should admins audit forwarding rules?

Weekly is a good baseline for high-risk mailboxes, especially finance, HR, and executives. For the rest of the tenant, monthly reviews work well if you also monitor alerts.

What’s the fastest way to find external forwarding?

Check mailbox forwarding properties first, then scan inbox rules for external recipients. After that, open the auto forwarded messages report in Exchange admin center.

Can hidden inbox rules bypass normal checks?

Yes. Hidden rules can still forward or delete messages. That’s why Get-InboxRule -IncludeHidden matters during investigations.

Should transport rules be part of the same audit?

Absolutely. A transport rule can redirect or copy mail across the tenant, so it can create the same risk as a mailbox rule, only at a larger scale.

Keep forwarding under control

The safest Microsoft 365 tenants treat forwarding as a monitored exception, not a normal convenience. When you know where to look, the pattern is easy to follow: mailbox settings, inbox rules, and transport rules each leave a different footprint.

If you keep the audit trail clean and review forwarding on a schedule, suspicious mail has far less room to hide.
