O365 Suspicious Admin Email Forwarding

Splunk Security Content

Summary
This detection rule identifies potentially malicious activity in Office 365 environments where an admin configures email forwarding on multiple mailboxes to the same external destination. Such behavior can indicate data exfiltration or unauthorized access if an admin's account is compromised. The rule uses the `o365_management_activity` dataset, querying for Set-Mailbox operations in which the `ForwardingAddress` parameter has been set. It computes the number of distinct mailboxes (`count_src_user`) configured to forward to each address. If that count exceeds one, meaning multiple mailboxes forward to the same destination, it triggers an alert, highlighting the risk of phishing or data leaks. Because this rule is deprecated, users should transition to the updated rule, `O365 Mailbox Email Forwarding Enabled`.
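As an added illustration, not part of the Splunk Security Content rule itself, the same grouping logic in Python over constructed events shaped like O365 Management Activity ExchangeAdmin records; the field names used (`Operation`, `UserId`, `ObjectId`, `Parameters`) and every address are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events shaped like O365 Management Activity ExchangeAdmin
# records (Operation, UserId, ObjectId, Parameters[{Name, Value}]); not real data.
def _ev(time, admin, mailbox, op="Set-Mailbox", **params):
    plist = [{"Name": "Identity", "Value": mailbox}] + [{"Name": k, "Value": v} for k, v in params.items()]
    return {"CreationTime": time, "Operation": op, "UserId": admin, "ObjectId": mailbox, "Parameters": plist}

SAMPLE_EVENTS = [
    _ev("2024-11-14T09:00:00", "admin@corp.example", "alice@corp.example", ForwardingAddress="drop@ext.example"),
    _ev("2024-11-14T09:02:00", "admin@corp.example", "bob@corp.example", ForwardingAddress="drop@ext.example"),
    _ev("2024-11-14T09:05:00", "admin@corp.example", "alice@corp.example", ForwardingAddress="drop@ext.example"),  # repeat of same mailbox
    _ev("2024-11-14T10:00:00", "helpdesk@corp.example", "carol@corp.example", ForwardingAddress="carol.home@ext.example"),  # one mailbox only
    _ev("2024-11-14T10:30:00", "admin@corp.example", "dave@corp.example", DisplayName="Dave D."),  # Set-Mailbox without forwarding
    _ev("2024-11-14T11:00:00", "admin@corp.example", "erin@corp.example", op="New-InboxRule", ForwardTo="drop@ext.example"),  # other operation
]

def parse_forwarding(event):
    """Return (time, admin, mailbox, forwarding_address) for a Set-Mailbox event
    that sets ForwardingAddress; None for anything else."""
    if event.get("Operation") != "Set-Mailbox":
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    fwd = params.get("ForwardingAddress")
    if not fwd:
        return None
    return event["CreationTime"], event["UserId"], params.get("Identity") or event.get("ObjectId"), fwd

def suspicious_admin_forwarding(events, threshold=1):
    """Mirror the rule: count distinct mailboxes (count_src_user) per ForwardingAddress
    and keep the groups whose count exceeds the threshold."""
    groups = defaultdict(lambda: {"mailboxes": set(), "admins": set(), "times": []})
    for ev in events:
        parsed = parse_forwarding(ev)
        if parsed is None:
            continue
        t, admin, mailbox, fwd = parsed
        g = groups[fwd]
        g["mailboxes"].add(mailbox)
        g["admins"].add(admin)
        g["times"].append(t)
    alerts = []
    for fwd, g in sorted(groups.items()):
        if len(g["mailboxes"]) > threshold:  # distinct mailboxes, so repeats do not inflate the count
            alerts.append({"ForwardingAddress": fwd, "count_src_user": len(g["mailboxes"]),
                           "src_user": sorted(g["mailboxes"]), "user": sorted(g["admins"]),
                           "firstTime": min(g["times"]), "lastTime": max(g["times"])})
    return alerts
```

A single mailbox forwarded to an outside address stays at `count_src_user` of 1 and does not fire, so this logic only surfaces the multi-mailbox pattern the rule is built around.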
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1114.003
  • T1114
Created: 2024-11-14