New domains being forwarded email insight in the Security & Compliance Center

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

There are valid business reasons to forward email messages to external recipients in specific domains. However, it's suspicious when users in your organization suddenly start forwarding messages to a domain where no one in your organization has ever forwarded messages to (a new domain).

This condition might indicate that the user accounts are compromised. If you suspect the accounts have been compromised, see Responding to a compromised email account.

The New domains being forwarded email insight in the Security & Compliance Center notifies you when users in your organization are forwarding messages to new domains.

This insight appears only when the issue is detected, and it appears on the Forwarding report page.

New domains being forwarded email insight

When you click on the widget, a flyout appears where you can find more details about the forwarded messages, including a link back to the Forwarding report.

Details flyout that appears after clicking on the New domains being forwarded email insight

You can also get to this details page when you select the insight after you click View all in the Top insights & recommendations area on (Reports > Dashboard or https://protection.office.com/insightdashboard).

To prevent automatic message forwarding to external domains, configure a remote domain for some or all external domains. For more information, see Manage remote domains in Exchange Online.

For information about other insights in the Mail flow dashboard, see Mail flow insights in the Security & Compliance Center.