General
This check performs a one-time baseline check for mailboxes that are configured to automatically forward all email.
Rationale
While automatic forwarding can be legitimate, it may also indicate security risks or compromised accounts. Attic monitors new mailbox forwarding rules via Sentinel RULE-1023. This baseline check verifies whether any mailboxes were already configured this way before Attic was activated.
Manual instruction
Follow these steps to adjust the setting:
- For each detected mailbox, check whether the user configured the forwarding themselves.
- If not: consider the account compromised. Revoke active sessions, disable the account, and investigate potential abuse before re-enabling it.
- If the user did configure the forwarding themselves, still assess whether this is appropriate. For example, if personal data is automatically forwarded to an external mailbox, this could constitute a data breach.
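To support the review in these steps, the following added example (not Attic's own code) lists every mailbox with forwarding and marks whether the target lies outside the tenant. It assumes the mailboxes are in Exchange Online and that a Connect-ExchangeOnline session is already open; the helper names Get-TargetScope and New-Finding are hypothetical.

```powershell
# Added example: assumes Exchange Online and an active Connect-ExchangeOnline session.
# Domains the tenant owns; a target in any other domain counts as external.
$internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_" })

function Get-TargetScope([string]$Target) {
    # Targets look like 'smtp:user@domain' or '"Name" [SMTP:user@domain]'.
    if ($Target -match '[\w.+-]+@([\w.-]+)') {
        if ($internal -contains $Matches[1]) { return 'Internal' }
        return 'External'
    }
    # No SMTP address in the string: a directory recipient (possibly a mail
    # contact with an external address) that has to be looked up separately.
    return 'DirectoryRecipient'
}

function New-Finding($Mailbox, $Source, $Target, $Detail) {
    [pscustomobject]@{
        Mailbox = $Mailbox.PrimarySmtpAddress
        Source  = $Source
        Target  = "$Target"
        Scope   = Get-TargetScope "$Target"
        Detail  = $Detail
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding applies to every incoming message.
    foreach ($t in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) {
        New-Finding $mbx 'MailboxForwarding' $t "KeepCopy=$($mbx.DeliverToMailboxAndForward)"
    }
    # Inbox rules can forward too; conditions on the rule may narrow it to some mail.
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    foreach ($rule in $rules | Where-Object { $_.Enabled }) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets | Where-Object { $_ }) {
            New-Finding $mbx 'InboxRule' $t "Rule=$($rule.Name)"
        }
    }
}

# Group by scope so that external targets can be reviewed together.
$findings | Sort-Object Scope, Mailbox | Format-Table -AutoSize
```

Rows with Scope External are the ones the data-breach assessment in the last step applies to; rows marked DirectoryRecipient need the recipient resolved before they can be judged.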