O365 Mailbox Email Forwarding Enabled

Splunk Security Content

Summary
This detection rule identifies instances where email forwarding has been enabled on mailboxes within an Office 365 (O365) environment, specifically monitoring the Set-Mailbox operation in the o365_management_activity logs. The rule looks for changes to the parameters ForwardingAddress or ForwardingSmtpAddress. Unauthorized email forwarding poses significant risks, including potential data exfiltration and unauthorized access to sensitive information. Attackers can leverage this method to intercept and redirect emails, leading to compromised communications and data breaches. Therefore, monitoring mailbox configurations for unexpected forwarding enables organizations to respond swiftly to potential security incidents.
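
The matching logic described above, as an added Python example; it is not the Splunk search that ships with this rule. The event records are constructed samples, and the `Operation`, `UserId`, `ObjectId` and `Parameters` (Name/Value pairs) layout, the `internal_domains` argument and the treatment of an empty value as "forwarding removed" are assumptions of the example.

```python
FORWARDING_PARAMS = {"ForwardingAddress", "ForwardingSmtpAddress"}

# Constructed sample records (not real logs), using the Operation / UserId /
# ObjectId / Parameters layout of Exchange admin audit events.
SAMPLE_EVENTS = [
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "alice",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@example.net"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "bob",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": ""}]},  # forwarding cleared
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com", "ObjectId": "carol",
     "Parameters": [{"Name": "ForwardingAddress", "Value": "Shared Archive"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "dave",
     "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]},  # unrelated change
    {"Operation": "MailboxLogin", "UserId": "alice@example.com", "ObjectId": "alice"},
]

def forwarding_changes(event):
    """Return {parameter: value} for forwarding parameters set to a non-empty value."""
    if event.get("Operation") != "Set-Mailbox":
        return {}
    hits = {}
    for param in event.get("Parameters") or []:
        value = (param.get("Value") or "").strip()
        # Assumption: an empty value means forwarding was removed, not enabled.
        if param.get("Name") in FORWARDING_PARAMS and value:
            hits[param["Name"]] = value
    return hits

def detect(events, internal_domains=frozenset()):
    """Return one finding per forwarding parameter enabled by a Set-Mailbox event."""
    findings = []
    for event in events:
        for name, value in forwarding_changes(event).items():
            target = value.split(":", 1)[-1]  # drop a leading "smtp:" prefix
            domain = target.rsplit("@", 1)[-1].lower() if "@" in target else None
            findings.append({
                "actor": event.get("UserId"),
                "mailbox": event.get("ObjectId"),
                "parameter": name,
                "target": target,
                # None when the target is a directory name with no domain to compare
                "external": None if domain is None else domain not in internal_domains,
            })
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, internal_domains={"example.com"}):
        print(finding)
```

Findings whose `external` field is `True` or `None` are the ones to triage first, since the forwarding target is either outside the listed domains or cannot be resolved from the event alone.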
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1114
  • T1114.003
Created: 2024-11-14