
Hidden email forwarding rules: why your Microsoft 365 audit matters

Forgotten forwarding rules can quietly leak company email for months. Attackers use the exact same trick. Here’s what to look for and how to fix it.

By the Dragon Digital team


Picture a business in Wrexham running Microsoft 365. An employee sets up a forwarding rule a couple of years ago when working from home, then forgets about it. Nobody checks. Every email that arrives gets silently copied to their personal Gmail account. In the worst case, an attacker steals one staff member’s password and does exactly the same thing, sets up a forwarding rule to an address they control, and they’re reading your company mail without anyone having a clue.

This isn’t a hypothetical. A real Microsoft 365 audit discussed on the Office 365 community turned up 23 forwarding rules nobody remembered setting up. Twelve pointed to external addresses. Six were on accounts that had been disabled during staff turnover, yet were still silently forwarding mail out of the business. Most were left behind by legitimate employees who’d created them during remote work and never cleaned up. The problem is that the security fingerprint is identical to what an attacker would set up after stealing credentials.

Why attackers like forwarding rules

Once a forwarding rule is in place, an attacker keeps receiving your email even if the compromised password gets changed, multi-factor authentication gets switched on, or new security patches get applied. It’s a way for them to stay hidden and keep reading. They can filter it to capture only invoices, payroll messages, or anything from HR, the stuff that’s worth money, and the original email still sits in the inbox looking completely normal. To stay invisible, they often name the rules something deliberately obscure: a single full stop, repeated characters, nothing that looks out of place.

The deeper issue is invisibility. Forwarding rules live quietly in the background. Your staff won’t notice them. According to Microsoft’s security guidance, finding them requires deliberately pulling an audit report from Microsoft 365, and most businesses never do.

What to do about it

Start with a deliberate audit. Pull the forwarding rules report from your Microsoft 365 admin centre (Exchange Online, then Mailbox Reports, then “Mailbox with Forward To”). If you’ve never done this before, expect a few surprises. Then work through what you find:

  • Check each rule against your current staff. Is it still needed? If someone’s left, have you cleaned up their disabled account?
  • If a rule points to a personal address (Gmail, Hotmail, and similar), ask the employee why. Legitimate reasons exist, but document it and review it at least once a year.
  • If your business has no genuine reason to forward email externally, block it altogether. Microsoft’s default setting now disables automatic external forwarding, so if you’ve never changed it, you’re already covered. If certain roles do need forwarding, set up monitoring alerts so any new rule triggers a notification. This also pairs neatly with a broader Microsoft 365 licence audit: disabled accounts that still have active forwarding rules are exactly the kind of thing a licence review turns up, and sorting both at once saves time.
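The admin centre report above covers mailbox-level forwarding, but the user-created inbox rules that attackers favour live in a different place. The script below is an added example written for this article, not Dragon Digital’s own tooling: it uses the ExchangeOnlineManagement module to list both kinds of forwarding across every mailbox, flags targets outside your own domains, flags rules on disabled accounts, flags rules with the near-empty names the article describes, and finally shows the tenant-wide setting that blocks automatic external forwarding. It assumes the module is installed, the account you connect with holds an Exchange administrator role, and that the output path is one you choose; the `Test-ExternalAddress` helper and the field names in the CSV are this example’s own.

```powershell
# Added example (not from Dragon Digital): audit Microsoft 365 forwarding rules.
# Assumes: Install-Module ExchangeOnlineManagement has been run, and the signed-in
# account has Exchange admin rights. Review the CSV it writes with the checklist above.
Connect-ExchangeOnline -ShowBanner:$false

# Anything not in the tenant's accepted domains counts as external for this audit.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

# Helper defined for this example: true when the address's domain is not one of ours.
function Test-ExternalAddress {
    param([string]$Address)
    $domain = ($Address -replace '^.*@', '').ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param($Mailbox, $Source, $RuleName, $Target, $Disabled, $OddName = $false)
    $findings.Add([pscustomobject]@{
        Mailbox         = $Mailbox
        Source          = $Source          # MailboxForwarding or InboxRule
        RuleName        = $RuleName
        Target          = $Target
        External        = Test-ExternalAddress $Target
        AccountDisabled = $Disabled        # left-behind rules on leavers' accounts
        SuspiciousName  = $OddName         # e.g. "." or "..": nothing descriptive
    })
}

$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -Properties ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    $upn      = $mbx.UserPrincipalName
    $disabled = (Get-User -Identity $upn).AccountDisabled

    # 1. Mailbox-level forwarding (set by an admin, or by whoever holds admin rights).
    if ($mbx.ForwardingSmtpAddress) {
        $target = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
        Add-Finding $upn 'MailboxForwarding' '(mailbox setting)' $target $disabled
    }
    if ($mbx.ForwardingAddress) {
        Add-Finding $upn 'MailboxForwarding' '(mailbox setting)' "$($mbx.ForwardingAddress)" $disabled
    }

    # 2. Inbox rules (set by the user, or by anyone who has the user's password).
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        # A name that is only punctuation/whitespace or 1-2 characters is the
        # "single full stop" pattern described in the article.
        $oddName = ($rule.Name -match '^\W*$') -or ($rule.Name.Trim().Length -le 2)

        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (-not $t) { continue }
            # Targets render as "Display Name" [SMTP:user@example.com]; keep the address.
            $addr = if ("$t" -match '\[SMTP:([^\]]+)\]') { $matches[1] } else { "$t" }
            Add-Finding $upn 'InboxRule' $rule.Name $addr $disabled $oddName
        }
    }
}

# Worst first: external targets, then rules still active on disabled accounts.
$findings |
    Sort-Object External, AccountDisabled, SuspiciousName -Descending |
    Format-Table -AutoSize

# Output path is this example's choice; put it wherever your audit evidence lives.
$findings | Export-Csv -Path '.\forwarding-audit.csv' -NoTypeInformation

# 3. Tenant-wide control. "Off" (or the default "Automatic") blocks automatic
#    external forwarding; "On" allows it. Check it, and enforce explicitly if needed:
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

Disconnect-ExchangeOnline -Confirm:$false
```

Walk the CSV in the order it is sorted: every row with `External` set to true needs a named owner and a documented reason or it gets removed; every row with `AccountDisabled` true is a leaver’s account that should be cleaned up regardless of where it forwards; a `SuspiciousName` hit on an active account is worth a direct conversation with that user the same day. Keep the CSV with the date, because running the same script next year and comparing the two files is the simplest way to spot rules that appeared in between.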

The fix isn’t complicated. The work is the audit. If nobody at your business has checked forwarding rules in the last 12 months, Dragon Digital runs this kind of Microsoft 365 security audit for businesses across North Wales, and a short conversation could tell you whether you’re carrying silent mail leaks right now.

Could your business use a hand with its IT?

We provide managed IT support, cyber security and more to businesses across North Wales.

Ready to make IT one less thing to worry about?

Book a free, no-obligation consultation. We'll talk through how your IT works today and where we can help, in plain English, with no pressure.