
O365 Suspicious User Email Forwarding

Splunk Security Content

Summary
The "O365 Suspicious User Email Forwarding" detection rule identifies instances where multiple Office 365 users configure email forwarding to the same destination address. This pattern can indicate a security risk such as unauthorized mailbox access or data exfiltration. The detection queries the O365 management activity logs for the 'Set-Mailbox' operation, which records mailbox configuration changes. Using the 'spath' and 'stats' commands in Splunk to extract and aggregate the relevant fields, the analytic flags any destination address that more than one user forwards to. This rule helps security teams investigate possible incidents involving email forwarding, so that legitimate forwarding configurations can be distinguished from unauthorized ones. Although the rule can generate false positives in environments with shared mailboxes or collaboration scenarios, it remains a useful checkpoint against data breaches and information exposure.
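The aggregation the summary describes, written here as an added Python example rather than the rule's own SPL: it reads constructed Set-Mailbox audit records, extracts the forwarding destination from each, and reports any destination configured on more than one mailbox. The sample records are constructed, and the field names (Operation, ObjectId, Parameters as Name/Value pairs, ForwardingSmtpAddress, ForwardingAddress) follow the usual O365 audit schema but are assumptions here.

```python
"""Flag forwarding destinations shared by more than one Office 365 mailbox."""
import json
from collections import defaultdict

# Constructed sample O365 management activity records (not real log data), one
# JSON object per line. The Parameters list of {Name, Value} pairs follows the
# usual Set-Mailbox audit shape; exact field names are an assumption here.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"Operation": "Set-Mailbox", "UserId": "alice@corp.example",
     "ObjectId": "alice@corp.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:collector@attacker.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@corp.example",
     "ObjectId": "bob@corp.example",  # same destination, different case/prefix
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "SMTP:Collector@Attacker.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@corp.example",
     "ObjectId": "carol@corp.example",  # unique destination: not flagged
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.home@mail.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@corp.example",
     "ObjectId": "dave@corp.example",  # Set-Mailbox without a forwarding change
     "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]},
])

FORWARDING_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")

def forwarding_target(record):
    """Normalised forwarding destination set by a Set-Mailbox record, else None."""
    if record.get("Operation") != "Set-Mailbox":
        return None
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARDING_PARAMS and param.get("Value"):
            value = param["Value"].strip()
            if value.lower().startswith("smtp:"):  # drop the SMTP: prefix Exchange adds
                value = value[5:]
            return value.lower()
    return None

def shared_forwarding_destinations(log_text, min_users=2):
    """Return {destination: sorted mailboxes} for destinations set on >= min_users mailboxes."""
    by_dest = defaultdict(set)
    for line in filter(None, (ln.strip() for ln in log_text.splitlines())):
        record = json.loads(line)
        dest = forwarding_target(record)
        if dest:  # ObjectId is the mailbox that was changed; UserId is the actor
            by_dest[dest].add(record.get("ObjectId") or record.get("UserId"))
    return {d: sorted(u) for d, u in by_dest.items() if len(u) >= min_users}
```

Destinations shared across tenants' own domains (for example a team mailbox) will also surface here, which is the false-positive case the summary mentions; an allow-list of internal domains is the usual tuning step.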
Categories
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1114.003
  • T1114
Created: 2024-11-14