O365 New Email Forwarding Rule Enabled

Splunk Security Content

Summary
The analytic detects the creation of new email forwarding rules in an Office 365 environment. It monitors the 'UpdateInboxRules' operation within Office 365 management activity events and inspects the operation properties for 'ForwardToRecipientsAction', 'ForwardAsAttachmentToRecipientsAction', and 'RedirectToRecipientsAction' to determine whether a new rule forwards or redirects mail to external recipients. Such modifications are important to monitor because they can signal unauthorized email redirection, posing a risk of data exfiltration and data breaches. This detection emphasizes the need for vigilance over the management of email rules to prevent sensitive information from being misappropriated.
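As an added illustration (not code from Splunk Security Content), the following Python applies the same logic to constructed Office 365 management activity events: keep only Exchange 'UpdateInboxRules' operations, look for the three forwarding action names inside the OperationProperties values, and flag recipients outside an assumed set of internal domains. The event layout (Workload, Operation, UserId, OperationProperties as Name/Value pairs), the RuleActions encoding and the internal-domain set are assumptions made for the example.

```python
import json
import re

# Forwarding/redirect actions named in the detection summary.
FORWARDING_ACTIONS = (
    "ForwardToRecipientsAction",
    "ForwardAsAttachmentToRecipientsAction",
    "RedirectToRecipientsAction",
)
# Assumption: the organisation's own mail domains; any other recipient domain is external.
INTERNAL_DOMAINS = {"example.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def forwarding_findings(events, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per UpdateInboxRules event whose properties name a forwarding action."""
    findings = []
    for ev in events:
        if ev.get("Workload") != "Exchange" or ev.get("Operation") != "UpdateInboxRules":
            continue
        # Assumed layout: OperationProperties is a list of {"Name": ..., "Value": ...} entries and
        # the rule's actions are serialised inside a Value string, so match on the string itself.
        values = [str(p.get("Value", "")) for p in ev.get("OperationProperties", [])]
        actions = [a for a in FORWARDING_ACTIONS if any(a in v for v in values)]
        if not actions:
            continue
        recipients = sorted({m.lower() for v in values for m in EMAIL_RE.findall(v)})
        external = [r for r in recipients if r.rsplit("@", 1)[1] not in internal_domains]
        findings.append({"user": ev.get("UserId"), "actions": actions,
                         "recipients": recipients, "external_recipients": external})
    return findings


def external_forwarding(events, internal_domains=INTERNAL_DOMAINS):
    """Narrow the findings to rules that send mail outside the organisation."""
    return [f for f in forwarding_findings(events, internal_domains) if f["external_recipients"]]


def _rule_event(user, rule_actions, operation="UpdateInboxRules"):
    """Constructed sample event in the assumed shape of an O365 management activity record."""
    return {"Workload": "Exchange", "Operation": operation, "UserId": user,
            "OperationProperties": [{"Name": "RuleOperation", "Value": "AddMailboxRule"},
                                    {"Name": "RuleActions", "Value": json.dumps(rule_actions)}]}


SAMPLE_EVENTS = [  # constructed sample data, not real tenant records
    _rule_event("alice@example.com", [{"ForwardToRecipientsAction": {"Recipients": ["personal@mail.example.net"]}}]),
    _rule_event("bob@example.com", [{"MoveToFolderAction": {"Folder": "Archive"}}]),
    _rule_event("carol@example.com", [{"ForwardToRecipientsAction": {"Recipients": ["x@example.net"]}}], "Set-Mailbox"),
    _rule_event("dave@example.com", [{"RedirectToRecipientsAction": {"Recipients": ["assistant@example.com"]}}]),
]

if __name__ == "__main__":
    for f in external_forwarding(SAMPLE_EVENTS):
        print(f"{f['user']}: {', '.join(f['actions'])} -> {', '.join(f['external_recipients'])}")
```

Dave's internal redirect still produces a finding (the action name matches), but only Alice's rule survives the external-recipient filter, which is the distinction an analyst triaging these alerts usually wants first.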
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1114
  • T1114.003
Created: 2024-11-14