
Suspicious Mailbox Rules Detection [CHK-1071]

This check performs a baseline assessment of mailboxes with active automatic rules, identifying potentially dangerous rules that could lead to data leakage.

Rationale

Mailbox rules can be legitimate, but they can also indicate security risks or a compromised account. In particular, rules that automatically forward or redirect email to external addresses may signal a data breach or an insider threat.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Review each detected mailbox rule to determine if the user created it themselves.
    • If not, consider the account compromised. Revoke active sessions, disable the account, and investigate potential abuse before re-enabling it.
    • If the user did create the mailbox rule, assess whether it is appropriate. For example, if personal data is automatically forwarded to an external mailbox, this could constitute a data breach.
  2. Pay special attention to rules that forward messages matching sensitive keywords.
  3. Disable any unauthorized forwarding rules.
  4. Interview affected users about these rules.
  5. Check for signs of account compromise.
  6. Consider blocking external forwarding rules at the organization level.
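The triage described in the Rationale and in the manual steps above, as an added example (not Attic's own implementation): it walks a list of active inbox rules and flags those that forward or redirect to addresses outside the organisation, plus rules keyed on sensitive keywords that also push mail out of the user's sight. The rule dictionaries are constructed for this example and are only shaped to resemble Microsoft Graph `messageRule` objects (`isEnabled`, `conditions.subjectContains`, `actions.forwardTo`/`redirectTo`/`delete`); the internal domains and keyword list are assumptions to replace with your own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumption: the organisation's own mail domains; any other domain is "external".
INTERNAL_DOMAINS = {"example.com"}

# Assumption: keywords whose presence in a forwarding rule deserves extra scrutiny.
SENSITIVE_KEYWORDS = {"invoice", "payment", "password", "wire", "confidential"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str  # "high" or "medium"
    reason: str


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def _recipients(action_value: list | None) -> list[str]:
    """Unpack forwardTo/redirectTo entries shaped like Graph's recipient objects."""
    return [r["emailAddress"]["address"] for r in action_value or []]


def assess_rule(mailbox: str, rule: dict, internal_domains: set[str] = INTERNAL_DOMAINS) -> list[Finding]:
    """Classify one inbox rule. Disabled rules are skipped: the check targets active rules."""
    findings: list[Finding] = []
    if not rule.get("isEnabled", True):
        return findings

    name = rule.get("displayName", "<unnamed>")
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. Forward/redirect to any address outside the organisation's domains.
    external = [
        addr
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
        for addr in _recipients(actions.get(key))
        if _domain(addr) not in internal_domains
    ]
    if external:
        findings.append(Finding(mailbox, name, "high",
                                "forwards/redirects to external recipients: " + ", ".join(external)))

    # 2. Rules keyed on sensitive words that also move mail out of the user's sight
    #    (external forward, or delete) are the data-leakage pattern the check is after.
    matched = {k.lower() for k in conditions.get("subjectContains", []) + conditions.get("bodyContains", [])}
    hits = sorted(matched & SENSITIVE_KEYWORDS)
    if hits and (external or actions.get("delete")):
        findings.append(Finding(mailbox, name, "medium",
                                "matches sensitive keywords " + ", ".join(hits)
                                + (" and deletes matching messages" if actions.get("delete") else "")))
    return findings


def triage(rules: list[tuple[str, dict]], internal_domains: set[str] = INTERNAL_DOMAINS) -> list[Finding]:
    """Run assess_rule over (mailbox, rule) pairs; highest severity first, then by mailbox."""
    order = {"high": 0, "medium": 1}
    out = [f for mailbox, rule in rules for f in assess_rule(mailbox, rule, internal_domains)]
    return sorted(out, key=lambda f: (order[f.severity], f.mailbox))


# Constructed sample: one benign rule, one leaking rule, one disabled rule, one internal forward.
SAMPLE_RULES = [
    ("alice@example.com", {"displayName": "Newsletters", "isEnabled": True,
                           "conditions": {"senderContains": ["newsletter"]},
                           "actions": {"moveToFolder": "Archive"}}),
    ("bob@example.com", {"displayName": ".", "isEnabled": True,
                         "conditions": {"subjectContains": ["invoice", "payment"]},
                         "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mail-drop.example.net"}}],
                                     "delete": True}}),
    ("carol@example.com", {"displayName": "Home copy", "isEnabled": False,
                           "actions": {"redirectTo": [{"emailAddress": {"address": "carol@personal.example.org"}}]}}),
    ("dave@example.com", {"displayName": "Team forward", "isEnabled": True,
                          "actions": {"forwardTo": [{"emailAddress": {"address": "team@example.com"}}]}}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RULES):
        print(f"[{f.severity}] {f.mailbox} rule '{f.rule}': {f.reason}")
```

Run against the constructed sample, only Bob's rule is reported: a high finding for the external forward and a medium one because it also keys on invoice/payment and deletes the originals. Carol's rule is skipped because it is disabled, and Dave's forward stays inside the organisation. Feeding real data means exporting each mailbox's active rules and mapping them onto the same fields; the decision logic does not change.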

Impact

Addressing suspicious mailbox rules promptly can prevent data leakage and protect your organization from potential security risks or compromised accounts.

More Information