Battle of the Week - Person Data Exfiltration
The Battleground:
A Company’s Email Service
The Presumption:
Limiting or disabling the use of email forwarding for users within the company.
The Discovery:
Multiple alarms came in showing emails being forwarded to an external recipient. When an analyst reviewed the alarms, the amount of data being sent out was abnormally large. The company was notified and contacted the owner of the account to verify whether the activity was legitimate. The activity from the account was legitimate.
Our Solution:
Having an admin set filter policies in Office365 helps prevent possible data leaks. The usual best practice at other companies is to set the filter policy either to automatic, which allows internal email forwarding, or to off, which prevents all forwarding.
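One way an admin could review and apply this setting from Exchange Online PowerShell, as an added example that is not part of the original write-up. It assumes the "filter policy" above is the outbound spam filter policy's automatic forwarding setting, that the policy to change is the one named Default, and that the ExchangeOnlineManagement module is installed; the CSV file name is a placeholder.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# admin account and the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Show the automatic forwarding mode of every outbound spam filter policy.
#    Possible values are Automatic, On and Off.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode

# 2. Domains the tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

# 3. Mailboxes that already forward to an external SMTP address.
#    ForwardingSmtpAddress looks like "smtp:user@example.com".
$externalForwarders = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress } |
    Where-Object {
        $domain = ("$($_.ForwardingSmtpAddress)" -split '@')[-1]
        $internalDomains -notcontains $domain
    } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 4. Save the list so each account owner can confirm whether the
#    forwarding is legitimate before it stops working.
#    (File name is a placeholder.)
$externalForwarders |
    Export-Csv -Path .\external-forwarding-review.csv -NoTypeInformation

# 5. Turn automatic external forwarding off in the default policy.
#    "Default" is assumed to be the policy that applies to these users.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 6. Confirm the change.
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Select-Object Name, AutoForwardingMode
```

Step 3 only covers mailbox-level forwarding addresses; forwarding created through inbox rules is not listed by it.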
Lessons Learned:
By restricting external email forwarding, you can help prevent sensitive data from being leaked.