TL;DR: Email security gaps now extend beyond the inbox, because phishing and BEC messages auto-forwarded into CRMs or ticketing tools can persist after remediation and remain visible to users with no threat context, according to Abnormal AI. The real control problem is upstream inspection across forwarding paths, not just inbox cleanup.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams handle phishing messages that auto-forward into business apps?
A: Security teams should treat auto-forwarded mail as part of the email attack surface, not as a separate business workflow problem.
Q: Why do forwarded emails create a control gap in hybrid mail environments?
A: Forwarded emails create a gap because remediation controls are often built for a cloud mailbox, while hybrid Exchange and shared mailbox paths can sit outside that coverage.
Q: What do teams get wrong about securing CRMs and ticketing tools that ingest email?
A: Teams often assume the downstream application is the problem, when the real issue is the trust boundary created by mail routing.
Practitioner guidance
- Map every auto-forwarding path: Document which mailboxes, aliases, shared inboxes, and transport rules feed Salesforce, Zendesk, ServiceNow, or other downstream systems.
- Move inspection ahead of forwarding: Place the control at the mail-flow stage that executes before downstream routing, because inbox remediation cannot reliably remove copies already handed to another system.
- Inventory hybrid and group mailbox gaps: List Exchange on-premises mailboxes and Google Groups Collaborative Inboxes separately, then verify which paths lack post-delivery remediation APIs or cloud API reach.
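One way to carry out the first and third steps for the Microsoft 365 side, as an added example that is not code from Abnormal AI or NHIMG: it enumerates the three places an Exchange Online forwarding path can live (mailbox forwarding, inbox rules, mail flow rules), records whether a copy stays behind for remediation to reach, and flags targets that land in a downstream system. It assumes the ExchangeOnlineManagement module, an open Connect-ExchangeOnline session, and a placeholder domain list you replace with your own ingest addresses.

```powershell
# Added example (not Abnormal AI's or NHIMG's code). Assumes the
# ExchangeOnlineManagement module and an open Connect-ExchangeOnline
# session with read access to mailboxes, inbox rules and mail flow rules.
# $DownstreamDomains is a constructed placeholder: replace it with the
# ingest domains your CRM and ticketing tools actually use.
$DownstreamDomains = @('example.zendesk.com', 'example.service-now.com', 'salesforce.example')

function Test-DownstreamTarget([string[]]$Targets) {
    foreach ($t in @($Targets | Where-Object { $_ })) {
        foreach ($d in $DownstreamDomains) { if ($t -like "*$d*") { return $true } }
    }
    return $false
}

$paths = [System.Collections.Generic.List[object]]::new()
function Add-Path($Source, $Kind, $Targets, $KeepsCopy) {
    $clean = @($Targets | Where-Object { $_ })
    $paths.Add([pscustomobject]@{
        Source     = $Source
        Kind       = $Kind
        Targets    = ($clean -join ';')
        KeepsCopy  = [bool]$KeepsCopy   # a retained copy is all inbox remediation can still reach
        Downstream = Test-DownstreamTarget $clean
    })
}

foreach ($m in @(Get-Mailbox -ResultSize Unlimited)) {   # includes shared mailboxes
    # 1. Mailbox-level forwarding: ForwardingAddress (internal recipient) or ForwardingSmtpAddress (any SMTP address)
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) {
        Add-Path $m.PrimarySmtpAddress 'MailboxForwarding' @($m.ForwardingSmtpAddress, $m.ForwardingAddress) $m.DeliverToMailboxAndForward
    }
    # 2. Inbox rules that forward, forward as attachment, or redirect
    foreach ($r in @(Get-InboxRule -Mailbox $m.Identity)) {
        if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) {
            $t = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)
            Add-Path $m.PrimarySmtpAddress "InboxRule:$($r.Name)" $t (-not $r.RedirectTo)
        }
    }
}
# 3. Org-wide mail flow (transport) rules that redirect, copy, or add recipients
foreach ($tr in @(Get-TransportRule)) {
    if ($tr.RedirectMessageTo -or $tr.BlindCopyTo -or $tr.CopyTo -or $tr.AddToRecipients) {
        $t = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.CopyTo) + @($tr.AddToRecipients)
        Add-Path 'tenant' "TransportRule:$($tr.Name)" $t (-not $tr.RedirectMessageTo)
    }
}

# Paths that hand a copy to a downstream system; these need inspection before forwarding
$paths | Where-Object Downstream | Sort-Object Source | Format-Table -AutoSize
$paths | Export-Csv -NoTypeInformation -Path .\forwarding-paths.csv
```

Get-InboxRule runs once per mailbox, so expect this to take a while in a large tenant; on-premises Exchange mailboxes in a hybrid deployment are not returned by the cloud session and need the same queries run in the on-premises Exchange Management Shell.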
What's in the full announcement
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- The exact Microsoft 365 mail-flow setup with two Exchange connectors and a transport rule before forwarding occurs.
- How Threat Log and Search and Respond are used to review malicious messages and investigate false positives.
- How Message Remediation Settings can be tuned to focus on malicious mail or widen coverage to spam and borderline messages.
- The planned expansion to Google Workspace, Google Groups Collaborative Inboxes, and hybrid on-premises mailboxes.
Read Abnormal AI's analysis of auto-forwarded email risk in downstream tools: "Email auto-forwarding into CRMs and ticketing tools: are your controls keeping up?"
Explore further
Inbox-centric email security is no longer a complete trust model. Auto-forwarding turns CRMs, ticketing tools, and helpdesks into secondary delivery surfaces that security teams must govern as part of the email attack surface. The old assumption was that catching a malicious message in the mailbox was enough. That assumption breaks once the message has already been copied into a workflow where remediation cannot reach it, so practitioners must think in terms of message path governance, not just message detection.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Which governance model should apply to email flowing into downstream work systems?
A: Use a message-path governance model that treats mailbox routing, shared inboxes, and business apps as one chain. That means defining who owns forwarding rules, who validates threat inspection, and who can prove that a message was evaluated before it reached a user. Without that accountability, remediation stays incomplete.
Read our full editorial: Email auto-forwarding exposes a wider attack surface than the inbox