Microsoft Exchange External Forwarding

Panther Rules

Summary
This detection rule identifies users creating forwarding rules to external email addresses in Microsoft Exchange. It matters for spotting potential data exfiltration and for enforcing organizational policy on email forwarding. The rule uses Microsoft 365 audit logging of mailbox settings to determine whether a rule was created that redirects mail to a domain outside the organization; when such forwarding is detected, particularly to a known external address, the rule fires. It ships with tests covering several scenarios, including catching genuine external forwarding attempts and ignoring permitted internal forwarding. Alerts are generated from the logged activity, helping security teams reduce the risk of unauthorized email forwarding.
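The following is an added illustration of the detection logic described above, not the Panther rule's own code. It assumes Microsoft 365 audit events shaped like Office 365 management records (an `Operation` cmdlet name and `Parameters` as Name/Value pairs); the organization domain allow-list, the parameter-name set, and the sample events are constructed for this example.

```python
import re

# Constructed allow-list of the organization's own domains (assumption).
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Exchange cmdlets and parameters that can redirect mail (assumed set for
# this illustration, not the rule's exact list).
FORWARDING_OPERATIONS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo", "RedirectTo"}

# Matches bare addresses as well as "smtp:addr" and "Name [SMTP:addr]" forms.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def forwarding_targets(event):
    """Return every forwarding destination configured by this audit event."""
    if event.get("Operation") not in FORWARDING_OPERATIONS:
        return []
    targets = []
    for param in event.get("Parameters", []):
        if param.get("Name") in FORWARDING_PARAMS and param.get("Value"):
            targets.extend(a.lower() for a in ADDRESS_RE.findall(str(param["Value"])))
    return targets


def external_targets(event, org_domains=ORG_DOMAINS):
    """Keep only destinations whose domain is outside the organization."""
    return [a for a in forwarding_targets(event) if a.rsplit("@", 1)[1] not in org_domains]


def rule(event):
    """Alert condition: mail is being forwarded to at least one external address."""
    return bool(external_targets(event))


def title(event):
    """Human-readable alert title built from the offending event."""
    return (f"Exchange forwarding to external address(es) "
            f"{', '.join(external_targets(event))} configured by {event.get('UserId')}")


# Constructed sample events: one external forward, one internal, one unrelated change.
EXTERNAL = {"Operation": "Set-Mailbox", "UserId": "alice@example.com",
            "Parameters": [{"Name": "Identity", "Value": "alice"},
                           {"Name": "ForwardingSmtpAddress", "Value": "smtp:alice.personal@mail.example"}]}
INTERNAL = {"Operation": "New-InboxRule", "UserId": "bob@example.com",
            "Parameters": [{"Name": "Name", "Value": "to team"},
                           {"Name": "ForwardTo", "Value": "Team [SMTP:team@corp.example.com]"}]}
UNRELATED = {"Operation": "Set-Mailbox", "UserId": "carol@example.com",
             "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]}
```

Running `rule()` over the three samples fires only on `EXTERNAL`; the internal inbox rule and the unrelated mailbox change are ignored, which is the behaviour the rule's tests are described as covering.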
Categories
  • Cloud
  • Infrastructure
  • Application
Data Sources
  • User Account
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1114
Created: 2022-12-13