Skip to content

Commit 95d130d

Browse files
authored
Document Audit-NeverSucceedingMailForwardingRules script
Added documentation for the Audit-NeverSucceedingMailForwardingRules.ps1 script, detailing its purpose, usage, and checks performed.
1 parent f9ed713 commit 95d130d

1 file changed

Lines changed: 25 additions & 0 deletions

File tree

README.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -309,6 +309,31 @@ Will check Web app for things like:
309309
Use like so:
310310
`.\Inspect-AzWebAppSecurity-Consolidated.ps1 -SubscriptionId xxx -ResourceGroup "yyy" -AppName "zzz" `
311311

312+
---
313+
### `Audit-NeverSucceedingMailForwardingRules.ps1`
314+
315+
Audits Exchange Online mailbox forwarding and Inbox rules for deterministic “will not succeed” or cleanup-worthy conditions.
316+
317+
This script checks user and shared mailboxes for Exchange Online mailbox-level forwarding and Inbox rules that are stale, disabled, expired, or reference recipients that no longer resolve. It is intended to produce CSV evidence for mailbox rule cleanup, Secure Score remediation, and Exchange hygiene user stories.
318+
319+
It checks for things like:
320+
321+
- Mailbox-level forwarding to unresolved recipients
322+
- Inbox rules that forward, redirect, or forward as attachment to unresolved recipients
323+
- Rules pointing to soft-deleted, legacyDN, GUID, or missing Exchange recipients
324+
- Expired Inbox rule date conditions that should no longer match future mail
325+
- Disabled Inbox rules, when `-IncludeDisabledRules` is used
326+
- External forwarding that would be blocked by the tenant outbound forwarding policy, when `-IncludePolicyBlockedExternalForwarding` is used
327+
- Inbox rule warning messages, when `-IncludeReviewWarnings` is used
328+
329+
Useful for identifying stale mailbox rules, broken forwarding logic, and forwarding-related exfiltration risk. Microsoft documents that Inbox rules can forward or redirect mailbox messages, and Microsoft also warns that automatic forwarding can be abused after account compromise for data disclosure/exfiltration. 【1-6b41f4】【2-81277f】
330+
331+
Use like so:
332+
333+
```powershell
334+
.\Audit-NeverSucceedingMailForwardingRules.ps1 -OutputDirectory . -IncludeReviewWarnings
335+
336+
312337
## ── 📂 Section: On-Prem Active Directory ──
313338
---
314339
### `ad_object_permissions3.ps1`

0 commit comments

Comments
 (0)