Mailbox Forwarding Baseline Check [CHK-1070]
This check performs a baseline assessment of mailboxes configured to automatically forward all emails.
Rationale
Automatic forwarding can be a legitimate function, but it may also indicate a security risk or a compromised account. This baseline check verifies whether any mailboxes were already configured to forward email before security monitoring was activated, so that pre-existing forwards are not mistaken for a clean baseline.
Fix
An automated fix is available through Attic.
Manual steps:
- Review each detected mailbox to determine whether the user themselves configured it to forward emails.
- If not, consider the account compromised. Revoke active sessions, disable the account, and investigate potential abuse before re-enabling it.
- If the user did configure the forwarding themselves, assess whether this is appropriate. For example, if personal data is automatically forwarded to an external mailbox, this could constitute a data breach.
- Contact mailbox owners to verify they are aware of and have authorized these forwards.
- Remove any unauthorized forwarding rules immediately.
- If unauthorized forwards are found, initiate your incident response process.
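The review above starts with knowing which mailboxes forward mail and where it goes. The following is an added example, not Attic's own code, that assumes an Exchange Online tenant, the ExchangeOnlineManagement module, and an account with read access to recipients and inbox rules; it lists both mailbox-level forwarding and forwarding/redirect inbox rules, and flags targets outside the tenant's accepted domains for owner verification.

```powershell
# Added example (not Attic's code): baseline of mailbox-level forwarding and forwarding/redirect
# inbox rules in Exchange Online, with targets outside the accepted domains flagged as external.
# Assumes the ExchangeOnlineManagement module and read-only recipient rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every accepted domain is internal; anything else counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Get-TargetAddress {
    # Normalises the forms a forwarding target is stored in:
    #   ForwardingSmtpAddress           -> "smtp:user@example.net"
    #   inbox rule ForwardTo/RedirectTo -> '"Name" [SMTP:user@example.net]' or '"Name" [EX:/o=...]'
    param([string]$Raw)
    if ($Raw -match '(?i)smtp:([^\]\s]+)') { return $Matches[1].ToLower() }
    return $null   # EX: legacy DN or recipient identity, i.e. an internal recipient object
}

function Test-ExternalTarget {
    param([string]$Raw)
    $addr = Get-TargetAddress $Raw
    if (-not $addr) { return $false }   # internal recipient; may still be a mail contact, so review it
    return (($addr -split '@')[-1] -notin $internalDomains)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding, set with Set-Mailbox or in the admin center
    foreach ($t in @($mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress) | Where-Object { $_ }) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'; Rule = ''
                           Target = "$t"; External = Test-ExternalTarget "$t"
                           KeepsCopy = $mbx.DeliverToMailboxAndForward; Enabled = $true }
    }
    # Inbox rules, created by the user or by whoever held the user's session
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'; Rule = $rule.Name
                               Target = "$t"; External = Test-ExternalTarget "$t"
                               KeepsCopy = -not $rule.RedirectTo; Enabled = $rule.Enabled }
        }
    }
}

# External targets first: those are the ones to verify with the mailbox owner before anything else.
$findings | Sort-Object External, Source -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-baseline.csv -NoTypeInformation
```

Get-InboxRule is called once per mailbox, so on a large tenant the run takes a while; the CSV is the baseline to keep for comparison once monitoring is active.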
Impact
This check helps identify security risks and compromised accounts by detecting existing email forwarding rules. It allows early intervention and mitigation of potential data breaches.