Track which mailboxes have forwarding enabled, confirm the destination is approved, and investigate exceptions that route content outside expected channels. Forwarding is a confidentiality control point because it can move mail without changing the user’s mailbox access itself. That makes review of forwarding rules part of access governance, not just mail administration.
Why This Matters for Security Teams
Mailbox forwarding is easy to underestimate because it does not always look like a permission change. In Exchange Online, a mailbox can continue to appear compliant while messages are silently routed to another destination, including an external account. That makes forwarding a confidentiality control point, not just an email admin setting. NHI Management Group’s Top 10 NHI Issues treats uncontrolled credentialed pathways as a recurring governance failure, and the same logic applies to mail flow exceptions.
The practical risk is that forwarding can preserve normal user experience while bypassing expected inspection, retention, and incident response workflows. Attackers who gain mailbox access often set forwarding rules to exfiltrate sensitive mail without repeatedly logging in, while insiders may route mail to personal or shadow accounts for convenience. Current guidance from NIST Cybersecurity Framework 2.0 supports continuous monitoring of access paths, not just account status. In practice, many security teams discover mailbox forwarding only after a complaint, a fraud event, or a missing-message investigation has already exposed the gap.
How It Works in Practice
Controlling mailbox forwarding in Exchange Online starts with inventory and policy enforcement. Security teams should track which mailboxes have forwarding enabled, whether forwarding is set at the mailbox level (the ForwardingAddress and ForwardingSmtpAddress mailbox attributes), through inbox rules, or through tenant-wide transport rules, and whether the destination is internal or external. Approved destinations should be explicit, documented, and tied to a business reason. Unapproved forwarding should be disabled or escalated for review, especially where it sends content outside tenant boundaries.
That operational model aligns with the broader control themes in Ultimate Guide to NHIs — Key Challenges and Risks, because forwarding creates an alternate delivery path that can outlive the user’s original access intent. A strong review process typically includes:
- enumerating all forwarding settings across mailboxes and shared mailboxes
- checking whether forwarding targets are sanctioned internal addresses only
- disabling automatic forwarding to external domains unless there is a formal exception
- reviewing inbox rules that copy, redirect, or silently move messages
- logging and alerting on changes to forwarding configuration
- revalidating exceptions on a fixed schedule as part of access governance
For governance teams, the key distinction is between mailbox access and mail egress. A user may still have legitimate mailbox rights while forwarding creates an uncontrolled disclosure channel, so reviews should be tied to data handling risk rather than just identity lifecycle events. The OWASP NHI Top 10 is also useful here because it frames credential and access misuse as a control-plane problem, not only an authentication problem. These controls tend to break down in large tenants with legacy mail flow rules, delegated admin sprawl, or mergers where forwarding exceptions are inherited faster than they are reviewed.
Common Variations and Edge Cases
Tighter forwarding controls often increase administrative overhead, requiring organisations to balance confidentiality gain against support friction and legitimate business routing needs. There is no universal standard for this yet, but best practice is evolving toward least-privilege forwarding, explicit exception handling, and routine attestation. Some organisations allow forwarding only to managed internal mailboxes, while others permit selective external routing for legal, mergers-and-acquisitions, or service desk continuity use cases.
Edge cases matter. Shared mailboxes may legitimately forward to ticketing systems, but that should be documented and monitored. Executive assistants, temporary staff, and outsourced support teams can also create forwarding patterns that look suspicious but are operationally valid. Security teams should distinguish between mailbox forwarding, transport rules, and client-side inbox rules because each can create a different risk profile and detection path. The Ultimate Guide to NHIs — Standards is a useful reference point when defining review discipline across systems. The DeepSeek breach is a reminder that exposed data paths often begin with small governance misses, not dramatic technical failures.
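The review steps listed above and the three mechanisms distinguished here (mailbox-level forwarding, client-side inbox rules, transport rules) can be covered by one inventory script. The following is an added example written for this section, not code from NHI Mgmt Group or from Microsoft. It assumes the ExchangeOnlineManagement module, an account holding at least the View-Only Recipients and View-Only Configuration roles (the commented remediation lines need Mail Recipients and Transport Rules), and an exception register represented here by the placeholder list `$approvedExternal`; the destination address in that list is invented. Every cmdlet and property it uses is a documented Exchange Online one.

```powershell
# Added example (not from the original guidance): inventory the three forwarding
# mechanisms in Exchange Online, classify each destination against the tenant's
# accepted domains plus a documented exception list, and pull recent changes from
# the unified audit log. Needs the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Sanctioned destinations: any accepted domain, plus approved external addresses
# from the exception register. The address below is an assumed placeholder.
$acceptedDomains  = (Get-AcceptedDomain).DomainName
$approvedExternal = @('tickets@vendor.example')

function Test-ApprovedTarget {
    param([string]$Address)
    # Inbox-rule recipients render as '"Name" [SMTP:user@domain]' or '"Name" [EX:/o=...]';
    # the EX form is a tenant-internal legacy DN, so it counts as internal.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    elseif ($Address -match '\[EX:')       { return $true }
    $domain = ($Address -split '@')[-1]
    return ($acceptedDomains -contains $domain) -or ($approvedExternal -contains $Address)
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Mechanism, $Source, $Target, $KeepsCopy) {
    $findings.Add([pscustomobject]@{
        Mechanism = $Mechanism; Source = $Source; Target = "$Target"
        KeepsCopy = $KeepsCopy; Approved = Test-ApprovedTarget "$Target"
    })
}

$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -RecipientTypeDetails UserMailbox,SharedMailbox `
    -Properties ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward

# 1. Mailbox-level forwarding. ForwardingSmtpAddress is free-form SMTP;
#    ForwardingAddress must be a tenant recipient, but that recipient can be a
#    mail contact whose primary address is external, so resolve it before judging.
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress) {
        Add-Finding 'Mailbox:ForwardingSmtpAddress' $mbx.PrimarySmtpAddress `
            ($mbx.ForwardingSmtpAddress -replace '^smtp:', '') $mbx.DeliverToMailboxAndForward
    }
    if ($mbx.ForwardingAddress) {
        $resolved = (Get-EXORecipient -Identity "$($mbx.ForwardingAddress)").PrimarySmtpAddress
        Add-Finding 'Mailbox:ForwardingAddress' $mbx.PrimarySmtpAddress $resolved $mbx.DeliverToMailboxAndForward
    }
}

# 2. Client-side inbox rules. ForwardTo and ForwardAsAttachmentTo leave a copy in
#    the mailbox; RedirectTo does not, which is why it is the quiet option.
$ruleProps = @{ ForwardTo = $true; ForwardAsAttachmentTo = $true; RedirectTo = $false }
foreach ($mbx in $mailboxes) {
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue)) {
        foreach ($p in $ruleProps.Keys) {
            foreach ($t in @($rule.$p)) {
                if ($t) { Add-Finding "InboxRule:$($rule.Name)/$p" $mbx.PrimarySmtpAddress $t $ruleProps[$p] }
            }
        }
    }
}

# 3. Transport (mail flow) rules are tenant-wide and invisible to a mailbox-centric review.
$xportProps = @{ RedirectMessageTo = $false; BlindCopyTo = $true; CopyTo = $true; AddToRecipients = $true }
foreach ($rule in Get-TransportRule) {
    foreach ($p in $xportProps.Keys) {
        foreach ($t in @($rule.$p)) {
            if ($t) { Add-Finding "TransportRule:$($rule.Name)/$p" '(tenant)' $t $xportProps[$p] }
        }
    }
}

$findings | Sort-Object Approved, Source | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-inventory.csv -NoTypeInformation

# 4. Changes in the last 7 days, for alerting and for attributing each unapproved
#    finding to the identity that created it.
$changes = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000 `
    -Operations Set-Mailbox,New-InboxRule,Set-InboxRule,UpdateInboxRules,New-TransportRule,Set-TransportRule
$changes | Where-Object { $_.AuditData -match 'Forward|Redirect|BlindCopy|CopyTo|AddToRecipients' } |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

# Remediation, per reviewed finding (deliberately not run automatically):
#   Set-Mailbox -Identity <mailbox> -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
#   Disable-InboxRule -Mailbox <mailbox> -Identity '<rule name>'
# Tenant-wide guardrail against automatic external forwarding, with exceptions handled by policy:
#   Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Two design points matter for the edge cases discussed above. First, a ForwardingAddress is never judged by its display name: it is resolved to a recipient and its primary SMTP address is checked, because a mail contact with an external address is the usual way an "internal-looking" forward leaves the tenant. Second, findings record whether a copy stays in the mailbox (KeepsCopy), since a RedirectTo rule or a RedirectMessageTo transport rule is the configuration most likely to hide an exfiltration path from the mailbox owner, and that column is what an analyst should sort on first when triaging a shared mailbox or service-desk exception.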
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 | Mailbox forwarding is an alternate access path that needs least-privilege review. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Forwarding can redirect sensitive content through uncontrolled identity-linked channels. |
| NIST AI RMF | Governance principles | Continuous review of uncontrolled data-routing paths fits the framework's governance emphasis. |
Review forwarding as an access path and revoke any destination that is not explicitly approved.
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org