Managed Sentinel – Alert 139
| Alert ID | MS-A139 |
| Alert Name | Mail forwarding enabled to an external email address |
| Description | This query over Office Activity audit data highlights cases where user mail is being forwarded to an external email address |
| Severity Level | Low |
| Threat Indicator | Data Theft |
| MITRE ATT&CK Tactics | Exfiltration |
| Log sources | Office 365 |
| False Positive | Group policy change affecting multiple users email accounts |
| Recommendations | 1. Review the affected O365 email account and destination email address. 2. Understand if this is a legitimate configuration within organization 3. Review SENT email content to understand if any attachments (confidential data) was sent out of organization. 4. Evaluate if destination email address is on any Threat Intelligence list. 5. Remove forwarder from Office 365 Admin Exchange 6. Reach out to end user and notify the action taken |