General
This check performs a one-time baseline check on mailboxes with active automatic rules.
Rationale
While mailbox rules can be legitimate, they may also indicate security risks or compromised accounts. Attic monitors new rules via Sentinel RULE-1020. This baseline check verifies whether any rules already existed before Attic was activated.
Manual instruction
Follow these steps to review the detected mailbox rules:
- Check for each detected mailbox rule whether the user created it themselves.
- If not: consider the account compromised. Revoke active sessions, disable the account, and investigate potential abuse before re-enabling it.
- If the user did create the mailbox rule, still assess whether it is appropriate. For example, if personal data is automatically forwarded to an external mailbox, this could constitute a data breach.
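
A triage pass for the steps above, as an added example that is not part of the original page or Attic's own code: it takes a constructed export of mailbox rules, skips disabled ones, and puts rules that forward or redirect to external domains at the top of the review list. The field names are assumed to follow Exchange Online's `Get-InboxRule` output; `INTERNAL_DOMAINS`, the sample data and both function names are hypothetical.

```python
import re

# Assumption: the domains your organisation owns; every other domain is external.
INTERNAL_DOMAINS = {"contoso.example"}
# Rule properties that send mail elsewhere (assumed to match Get-InboxRule output).
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def external_targets(rule):
    """Return the sorted external addresses a rule forwards or redirects to."""
    found = set()
    for field in FORWARD_FIELDS:
        for recipient in rule.get(field) or []:
            for match in ADDRESS.finditer(recipient):
                if match.group(1).lower() not in INTERNAL_DOMAINS:
                    found.add(match.group(0).lower())
    return sorted(found)

def build_review_list(rules):
    """One entry per active rule, external forwarders first."""
    items = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # the baseline covers active rules only
        targets = external_targets(rule)
        # Code cannot tell who created a rule; that stays a question for the user.
        question = "Did the user create this rule?"
        if targets:
            question += " Is forwarding to an external mailbox appropriate?"
        items.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                      "external_targets": targets, "question": question})
    items.sort(key=lambda i: (not i["external_targets"], i["mailbox"], i["rule"]))
    return items

# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"Mailbox": "anna@contoso.example", "Name": "Newsletters", "Enabled": True},
    {"Mailbox": "bram@contoso.example", "Name": "Copy invoices", "Enabled": True,
     "ForwardTo": ['"bram.private@mail.example" [SMTP:bram.private@mail.example]']},
    {"Mailbox": "carla@contoso.example", "Name": "To assistant", "Enabled": True,
     "RedirectTo": ['"Dirk" [SMTP:dirk@contoso.example]']},
    {"Mailbox": "carla@contoso.example", "Name": "Old rule", "Enabled": False,
     "ForwardTo": ['"x" [SMTP:x@other.example]']},
]

if __name__ == "__main__":
    for item in build_review_list(SAMPLE_RULES):
        print(item["mailbox"], "|", item["rule"], "|", item["external_targets"] or "-")
```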