I got a great response from my recent post detailing a phishing attack; thanks for that! Some of you asked about how to set an email forward alert. Remember that one component of the recent attack was that the hacker created a rule to auto-forward all messages to an external email account.
Why Worry About an Auto-forward Rule?
At first glance, it might seem like no big deal if a user creates a rule to forward all their messages to another account outside the organization. Maybe someone is taking an extended absence. Maybe you have a consultant that doesn’t check this email account often but wants to be notified when a message comes into the account.
While I can think of a few legitimate reasons for someone setting up an auto-forward rule, I can think of many more bad reasons.
- An employee is planning to leave the organization (or expecting to get laid off) and wants access to their organizational emails after they leave.
- An employee wants to create a copy of intellectual property they created while at work (which means the organization owns the intellectual property).
- A hacker has set an auto-forward rule so they can monitor and respond to email replies.
Good News: You Don’t Have to Set an Email Forward Alert
I thought that setting an email forward alert would be easy. Turns out, it’s easier that I thought! The email auto-forward alert is enabled by default. Here’s how to find it.
Click on your Admin tile, the scroll down the left rail of the screen and select Security and Compliance. From there, you’ll see Alerts. Expand the menu and you’ll see your Alerts options.
In case you’re wondering, here’s what the Alerts Dashboard looks like. Things are pretty boring in CGNET land and we want to keep it that way!
If you select Alert policies, you’ll see a list of policies already in place.
As you can see, you don’t have to set an email forward alert because it’s included as a default policy. There are some other useful alerts as well. I like the Suspicious email sending patterns detected and Elevation of Exchange admin privilege alert policies.
If you select the Email forwarding alert policy, you’ll see a screen that highlights details of the alert policy.
If someone does set up an email auto-forwarding rule, the Creation of forwarding/redirect rule will notify you when this happens. You can go to the Dashboard to see who set up this rule and when they did so. At that point, it’s time to have a conversation with the user, to see if they intentionally set up an auto-forward rule or not. (If CGNET is managing your Office 365 tenant, talk to us about conveying these alerts to you.)
Consider Setting an Email Forwarding Alert for Critical Employees
The default email forwarding alert is fine and will give you insight into activity across the entire organization. You might consider adding to this alert, by setting an email forwarding alert for certain critical employees. For instance, you might define an alert for the President/CEO, the CFO and perhaps the Accounts Payable manager. If any of these email accounts are hacked, damage could be inflicted in a hurry, so you’ll want to give yourself as much time to respond as possible.
If you want to learn all about alerts in Office 365, here’s the article to read. Note that, for the most part, you need to have an Office 365 Enterprise subscription (such as E1 or E3) to access this alert functionality. In some cases, you need an Office 365 E5 subscription, or an Advanced Threat Protection P2 subscription.
Even though you don’t have to set an email forwarding alert, you still must pay attention when an alert comes in. Stay vigilant!