Creation of forwarding/redirect rule
So last night this rule triggered for the first time, wasn't really aware of it in the first place.
Time:6/13/2018 10:00:00 PM (UTC)
Details: MailRedirect. This alert is triggered whenever someone gets access to read your user's email.
Description: This alert is triggered when someone in your organization creates an email forwarding or redirect inbox rules using Outlook web app or Powershell -V126.96.36.199
Now to me this is an incredibly frightening message to receive, since this person has access to extremely sensitive financial information. So since I was thinking this person had been compromised, I sprung out of bed, changed the password on the users account, logged in as the user so I could find out where this persons email was going. Come to find out that this person was accessing their OWA and forwarding to another user in the department because they are leaving for vacation.
I have 250 odd users, I couldn't imagine a large environment the staff being barraged by this alert. It would literally numb them to the situation until the day they got compromised and have zero idea because they turned the rule off. It is counter productive to what it is trying to do.
Being summer we have a lot of users that go on vacation (or take days off) that forget to forward email. I have given them instructions to use the OWA in those situations. I would like to suggest in the least, maybe some information like which email account is it being forwarded to as then all a person has to do and look at the message, without having to dig into the issue. Or maybe if the email is being forwarded intercompany that the alert does not trigger.
There does not appear to be a way to edit this alert. It is either on or off.
Not being able to edit this is counter productive to what the rule is attempting to do.
The response I got from a MS support rep was more disgusting.
"Turn it off" "limit who gets the email" (uhh yeah that is me) "set a threshold for amount of messages you get in day" All making the feature useless.
If you want people to use this function, you must make it useful.
We had a standard user get this warning, only Severity said "High", and we are flagging it as Malware. Everything is identical to the above example and as mentioned the large font makes you think it is fake right off the bat. When you hover the mouse over the email section "User" it shows a k.martin@m not the actual email address you see displayed. Also, the "View Alerts" button looks as if it is redirecting to another site; however, I am not sure and not willing to try. Who would get these messages when they are legit? I would think only the Admins not a standard user, right? That was my first thought anyway as to why it wasn't legit. Had it went to someone in IT department then I would probably fallen for it. What procedures does Microsoft have in place to verify things like this? Is there anything set up where you can forward emails from Microsoft that you suspect aren't legit?
I agree with this. And most of the times it doesn't notify you still need to rely on manual script.
Lew Eichorn commented
I agree with everyone! This should be configurable or only alert if off tenant forward.
EM Smith commented
This is a ridiculous alert - I don't care about intracompany forwarding or personal mail sorting rules! I want to know if someone is directing mail out of the company!! But I can't JUST monitor that because this has no customization. The OLD exchange alerts worked properly. Either fix the rule or revert back this feature!
I just had a quick look at the customisation of these alerts. There is a condition you can add to a custom "Creation of forwarding/redirect" rule. It's a User condition and you could theoretically populate the User is 'None of these field with all internal mail addresses. Not ideal for a large tenant, and the administration around maintaining the list would be annoying. I have a small tenant I'm waiting to test this on if the client approves the go ahead.
Had a tenant that got one of these today and BOY does it look a like a "fake" message. The overly large fonts, email structure, etc. But it does appear to be legitimate.
This one definitely needs some work, as per the other comments!
This alert in it's current form is useless. It would be useful if it were for forwarding to external domains. We don't care about forwarding to other users inside our domain, that's not something we need alerts on
This alert would be more useful to auto forwaded to external domains only
The alert would be more useful if we can customize to know if the mails are auto forwaded to external domains
Daniel Mare commented
I have turned off the alert.
I DO, however want to know when they forward email to another domain, e.g. we had an incident of a compromised account and redirect to a @yahoo.com email address being configured.
Unfortunately, because I turned it off, I did not get the alert, but I am not turning it on, because we are simply not resourced to follow up each of the intra-company redirect alerts when 99% are legitimate ones to colleagues.
We had a similar issue with these reports, however we have a huge user base (thousands of users) and use an automated powershell script to change forwarding addresses. We got hundreds of alerts with the account that was being used to make changes, but since the alerts were missing two critical pieces of information - which object was being changed, and what the old & new email addresses were - we thought the account that was making the changes was the account being affected. We called O365 support, and *their* technician thought the same thing. We spent over a week in technical support because even their technicians thought the user listed was the one being changed, before they finally figured out what was going on. For this alert to be useful it needs to include this extra data and possibly the ability to customize the alert so it only fires when forwarding to a non-tenant email address
Agreed, It should be more configurable, like alert me when someone sets a forwarding rule to an external domain, or a list of domains etc
I concur. It's really not intuitive. At least tell me what IP address triggered the event so that I can rest assured that it was done internally or not.