Transport Rule Redirects Email [CHK-1068]
This check identifies transport rules in Exchange Online whose action redirects a message to a different recipient than the one it was addressed to.
Rationale
Such rules can be abused to exfiltrate data from your Microsoft 365 organization. This can happen when an attacker has taken over a colleague's account, or when an internal employee uses a redirect rule to leak sensitive data, whether deliberately or inadvertently.
Fix
An automated fix is available through Attic.
Manual steps:
- Open the Exchange admin center.
- Go to Mail flow > Rules.
- Identify the rule to which the incident refers and determine whether it is desired or undesired.
- If the rule is undesired, remove it and follow up by investigating the account of the user who created the rule, to decide what further action is needed.
- If the rule is desired, add it to an exceptions list in Attic so that it no longer triggers alerts.
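The manual steps above can also be run as one audit pass from Exchange Online PowerShell. The script below is an added example written for this page, not Attic's own code or a Microsoft sample. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account may run Get-TransportRule and Search-UnifiedAuditLog; the rule name in $approvedRules is a constructed placeholder standing in for entries on the Attic exceptions list.

```powershell
# Added example (not Attic's own code): list Exchange Online transport rules
# that redirect mail (the condition CHK-1068 looks for), mark which ones are on
# an agreed exceptions list, and pull the admin-audit events that show who
# created or last changed the ones still under review.
# Assumes the ExchangeOnlineManagement module and sufficient Exchange/audit
# permissions. $approvedRules is a constructed stand-in for the exceptions list.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$approvedRules = @('Route legal-hold copies to archive')   # constructed example
$lookbackDays  = 90

# RedirectMessageTo is the transport-rule action that replaces the recipient;
# an empty value means the rule does not redirect.
$redirecting = Get-TransportRule -ResultSize Unlimited |
    Where-Object { $_.RedirectMessageTo -and $_.RedirectMessageTo.Count -gt 0 }

$report = foreach ($rule in $redirecting) {
    [pscustomobject]@{
        Status      = if ($approvedRules -contains $rule.Name) { 'APPROVED' } else { 'REVIEW' }
        Name        = $rule.Name
        State       = $rule.State          # Enabled / Disabled
        Priority    = $rule.Priority
        RedirectTo  = ($rule.RedirectMessageTo -join '; ')
        WhenChanged = $rule.WhenChanged
        Description = $rule.Description    # human-readable conditions and actions
    }
}
$report | Sort-Object Status, Priority | Format-Table -AutoSize

# For rules still under review, find the audit events that created or modified
# them, so the follow-up investigation starts from the right account.
$toReview = $report | Where-Object Status -eq 'REVIEW'
if ($toReview) {
    $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$lookbackDays) `
        -EndDate (Get-Date) -RecordType ExchangeAdmin `
        -Operations 'New-TransportRule','Set-TransportRule' -ResultSize 5000

    foreach ($evt in $events) {
        $data = $evt.AuditData | ConvertFrom-Json
        # On creation the rule name is the -Name parameter; on later changes it
        # appears as the ObjectId of the Set-TransportRule call.
        $nameParam = ($data.Parameters | Where-Object Name -eq 'Name').Value
        $target    = if ($nameParam) { $nameParam } else { $data.ObjectId }
        foreach ($r in $toReview) {
            if ($target -like "*$($r.Name)*") {
                [pscustomobject]@{
                    Rule      = $r.Name
                    Operation = $data.Operation
                    By        = $data.UserId
                    When      = $data.CreationTime
                }
            }
        }
    }
}

# Remediation is a separate, deliberate step: disabling is reversible, so prefer
# it over removal until the investigation is complete. Drop -WhatIf to apply.
# $toReview | ForEach-Object { Disable-TransportRule -Identity $_.Name -WhatIf }

Disconnect-ExchangeOnline -Confirm:$false
```

The first table is the equivalent of the "identify the rule" step; the second, keyed on the unified audit log, gives the creator or last editor needed for the follow-up investigation. Rules whose names are on the allowlist are reported as APPROVED so that known, reviewed redirects do not keep surfacing.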
Impact
This fix ensures that all forms of mail forwarding are blocked and/or disabled, aligning with CIS Microsoft 365 Foundations Benchmark item 6.2.1 (L1) and the E3 Level 1 profile.