Attackers can silently redirect sensitive mail after they gain access, creating persistence and exfiltration without malware or large downloads. If forwarding and transport-rule changes are treated as routine configuration updates, defenders miss the moment when a mailbox becomes a data-loss channel.
Why This Matters for Security Teams
Mailbox forwarding rules become privileged changes the moment they can redirect sensitive mail outside normal review paths. Treating them as routine admin updates breaks detection, auditability, and containment because an attacker with mailbox or tenant access can create a durable exfiltration channel without malware, encryption, or obvious endpoint signals. That is why NHI Management Group treats forwarding and transport-rule drift as identity and privilege events, not simple hygiene.
The risk is well documented in broader NHI abuse patterns: the Top 10 NHI Issues and the Ultimate Guide to NHIs — Key Challenges and Risks both emphasize that hidden credentialed paths often outlive the initial compromise. When email controls are weakened, the attacker does not need to stay noisy. They only need to preserve a rule that keeps harvesting invoices, resets, executive mail, or legal notices until the tenant is cleaned up.
Practitioners often underestimate how quickly a forwarding rule can turn a mailbox into a data-loss channel, especially when it is created during a legitimate support session or buried among other configuration changes. In practice, many security teams encounter mailbox exfiltration only after business records have already been silently redirected for days or weeks, rather than through intentional monitoring.
How It Works in Practice
Operationally, the control failure is usually simple: a mailbox owner, delegated admin, compromised session, or abused automation token adds forwarding to an external address or modifies transport rules to route copies elsewhere. If the organization does not classify those actions as privileged, the event bypasses the review, alerting, and change-control paths that should apply to high-risk identity changes.
Best practice is to treat forwarding configuration, inbox delegation, and transport-rule edits as sensitive changes with the same rigor used for other privileged access events. That includes alerting on new external forwarding destinations, requiring approval for exceptions, and correlating the change with the identity used to make it. The OWASP Non-Human Identity Top 10 is useful here because it frames secret abuse and privilege misuse as lifecycle problems, not one-time misconfigurations.
In practice, monitoring should include:
- Creation or modification of mailbox forwarding to external domains.
- Transport-rule changes that copy, redirect, or suppress messages.
- Delegated admin actions tied to service accounts or automation identities.
- Mailbox access events immediately followed by rule creation.
- Alerts when forwarding targets are newly registered, personal, or high-risk destinations.
For identity teams, this is also a lifecycle issue. The NHI Lifecycle Management Guide is relevant because mail routing changes should be created, approved, reviewed, and removed with clear ownership and expiry. These controls tend to break down in large tenants with delegated helpdesk privileges, multiple mail platforms, or legacy rules that are already exempt from normal change control.
Common Variations and Edge Cases
Tighter forwarding controls often increase helpdesk friction and exception handling, so organisations have to balance faster support against stronger exfiltration prevention. That tradeoff is real, especially in mergers, regulated business units, and environments where executives use personal assistants or shared mailboxes.
Current guidance suggests treating these exceptions as temporary and explicit, not permanent and implicit. For example, internal journaling, case management, or compliance archiving may resemble forwarding but serve legitimate oversight purposes. The key distinction is whether the rule is visible to security monitoring, tied to an accountable owner, and subject to expiry. Forwarding to an external mailbox without those safeguards should be considered a privileged exposure, not an administrative convenience.
Edge cases also appear when attackers work through transport rules instead of mailbox settings, or when they use OAuth-consented mail apps and delegated permissions to alter mail flow indirectly. In those environments, mailbox-only monitoring is insufficient because the control plane is broader than the inbox itself. In practice, many teams miss compromise until a rule is reused for persistence after password reset, rather than when the forwarding change was first created.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Mailbox forwarding abuse is a lifecycle and privilege misuse problem. |
| NIST CSF 2.0 | PR.AC-4 | Forwarding changes require least-privilege access governance and monitoring. |
| NIST AI RMF | Risk governance applies when identity-driven automation changes mail routing. |
Track forwarding-rule changes as privileged NHI events and review them with expiry, ownership, and revocation.
Related resources from NHI Mgmt Group
- What are the implications of using over-privileged browser extensions?
- What breaks when ownership changes are not monitored on service principals?
- What breaks when business privileged access is monitored only with video recording?
- What breaks when attackers create mailbox rules after account takeover?