Mail forwarding rules and posture scores: where do platform gaps hide?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Microsoft Defender's posture scoring can miss external mail forwarding rules that quietly copy messages outside the tenant, while Abnormal AI argues that vendor conflict can soften findings about platform defaults and misconfiguration. Independent assessment matters because invisible exposure windows in email systems are still governance failures, not just tooling quirks.

NHIMG editorial — based on content published by Abnormal AI: Key Insights on why mail forwarding rules may not surface in native posture scores

Questions worth separating out

Q: How should security teams govern external mail forwarding rules?

A: Security teams should treat external mail forwarding as an egress control, not just a mailbox preference.

Q: Why can vendor-native posture scores miss real email risk?

A: Vendor-native posture scores can miss or soften risk when the assessment is produced by the same platform whose defaults or configuration gaps are being judged.

Q: What breaks when external forwarding is not reviewed in identity governance?

A: When external forwarding is excluded from identity governance, message access can continue after the original account activity should have ended.

Practitioner guidance

  • Audit external forwarding rules across mail tenants: Inventory mailbox rules that copy messages outside the organisation and confirm which accounts, groups, or service mailboxes can create them.
  • Validate native scores against an outside-in assessment: Cross-check platform-generated posture scores with an independent external assessment to see whether hidden forwarding, misconfiguration, or delegation issues are being downweighted.
  • Add forwarding rules to access review scope: Include message redirection and automatic external copying in recurring access reviews, offboarding checks, and privileged mailbox governance.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • How Abnormal's external assessment model evaluates Microsoft and Google environments without relying on native posture scoring
  • The specific classes of forwarding-rule findings and authentication gaps the platform says it can surface
  • The product and engineering context behind its outside-in assessment approach for email environments

👉 Read Abnormal AI's analysis of hidden mail forwarding risk and posture scoring →

Quote
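
The audit step from the practitioner guidance above, as an added example that is not part of the original posts or of Abnormal AI's tooling: a Python pass over a constructed mailbox export that lists every forwarding path leaving the organisation, placing forwarding that outlives a disabled account first. The export shape, `INTERNAL_DOMAINS` and the `AccountDisabled` field are assumptions; the other keys follow Exchange Online's `Get-Mailbox` and `Get-InboxRule` property names.

```python
import re

# Assumption: domains the organisation owns; any other domain is external.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample export. Keys follow Exchange Online Get-Mailbox / Get-InboxRule
# property names; "AccountDisabled" is a hypothetical field joined in from the directory.
SAMPLE_EXPORT = [
    {"Mailbox": "alice@example.com", "AccountDisabled": False, "InboxRules": [
        {"Name": "to team", "Enabled": True, "ForwardTo": ['"Team" [SMTP:team@corp.example.com]']}]},
    {"Mailbox": "bob@example.com", "AccountDisabled": True, "InboxRules": [],
     "ForwardingSmtpAddress": "smtp:bob.private@mail.example.net"},
    {"Mailbox": "svc-invoices@example.com", "AccountDisabled": False, "InboxRules": [
        {"Name": ".", "Enabled": True, "RedirectTo": ['"x" [SMTP:collector@example.org]']},
        {"Name": "old", "Enabled": False, "ForwardAsAttachmentTo": ["archive@example.org"]}]},
]

def external_targets(values):
    """Return addresses found in the given strings whose domain is not internal."""
    found = []
    for value in values or []:
        for match in ADDRESS.finditer(value):
            if match.group(1).lower() not in INTERNAL_DOMAINS:
                found.append(match.group(0).lower())
    return found

def audit(export):
    """List every forwarding path that sends mail outside the organisation."""
    findings = []
    for box in export:
        def record(source, targets, enabled=True):
            for target in targets:
                findings.append({"mailbox": box["Mailbox"], "source": source, "target": target,
                                 "enabled": enabled, "owner_disabled": box.get("AccountDisabled", False)})
        fwd = box.get("ForwardingSmtpAddress")
        record("mailbox forwarding", external_targets([fwd] if fwd else []))
        for rule in box.get("InboxRules", []):
            for action in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
                record(f"inbox rule {rule['Name']!r} ({action})",
                       external_targets(rule.get(action)), rule.get("Enabled", True))
    # Review order: disabled owners first, then enabled rules before disabled ones.
    return sorted(findings, key=lambda f: (not f["owner_disabled"], not f["enabled"]))

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

Disabled rules are still reported because they can be re-enabled without creating a new rule, so they belong in the same access review.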
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Independent posture scoring is only useful when it can name the platform's uncomfortable truths. A score that softens findings tied to defaults or configuration gaps is not neutral; it is structurally incomplete. In email governance, the issue is whether the control can identify exposure without needing to protect the reputation of the system being assessed. Practitioners should treat independence as an assurance requirement, not a buying preference.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: What should teams do when a posture score and an outside-in scan disagree?

A: Teams should treat disagreement as a signal to investigate, not as a reason to trust the higher score. Compare the findings against rule ownership, review history, and data sensitivity, then determine which control view better matches actual exposure. When platform-native scoring conflicts with external assessment, governance should favour the evidence that can be independently verified.

👉 Read our full editorial: Independent posture scoring exposes hidden mail forwarding risk



   