Indiscriminate forwarding of employee emails from inbox to an external address is a serious risk to Pennsylvania College of Technology’s institutional data. Regulatory and compliance bodies require that we do not allow employees to create email forwarding rules that will automatically forward email from their inbox to external recipients, including global settings and specific user-created mailbox rules. This is also prohibited in our Acceptable Use Policy P8-03.
Users are allowed to forward individual emails to external recipients using the “forward” function. In this case, a user must intentionally decide to forward an email and the information it contains. This review of information is the primary difference between forwarding a single email and having an automatic forward of emails without review.
The unintentional ex-filtration of data is not the only danger associated with automatic email forwarding. Threat actors commonly use email forwarding rules to access mailboxes and leak data in business email compromise attacks. An example would be when an actor creates automatic forwarding rules after compromising a user’s account, which is then unnoticed by the affected user.
If you have a legitimate business need to forward email in this manner, please contact ITS for further assistance.
ITS Service Portal