Introducing Auto-Forwarding Mail Protection for Microsoft 365

Abnormal now inspects auto-forwarded Microsoft 365 email before it reaches tools like Salesforce, Zendesk, and ServiceNow, blocking phishing and BEC upstream.

Elizabeth Cahan

May 11, 2026


Most email security controls focus on the inbox: detect the threat, remediate it, and move on. But for organizations that automatically route inbound mail into tools like Salesforce, Zendesk, or ServiceNow, that remediation can come too late.

By the time the threat is caught, the message has already been forwarded, and a copy is now sitting in a ticket queue or CRM workflow that the security team can’t touch. The support rep opening the ticket has no indication the email was ever flagged.

Third-Party Tools Are Now Part of the Email Attack Surface

Security teams have spent years hardening the inbox, but critical work now extends beyond it. Decisions are made in Zendesk tickets. Leads get worked in Salesforce. Requests move through ServiceNow. These are the systems employees rely on every day, and they are also places where a malicious message can still cause damage long after the original email was flagged and removed.

Enterprises depend on integrations that move email content into the CRMs, ticketing platforms, and helpdesks where work actually happens. They ingest and surface email content at scale, with no mechanism to evaluate whether a message was ever reviewed for threats.

Attackers are not targeting Salesforce or Zendesk directly. The problem is that a normal phishing or business email compromise (BEC) email can persist after inbox remediation if it has already been forwarded into a downstream system. As we saw in last year’s OAuth-based attacks, a compromise in one connected application can reach data across hundreds of organizations. Once a malicious message makes it into the mail flow, auto-forwarding rules and routing workflows can quietly move that content into the tools employees rely on every day.

The result: BEC, vendor fraud, and phishing that might be caught at the mailbox can still surface inside downstream tools, where end users have no reason or way to know whether that content was ever evaluated for threats.

Closing the Gap: Auto-Forwarding Mail Protection for Microsoft 365


Abnormal now offers Auto-Forwarding Mail Protection for Microsoft 365, extending protection earlier in the mail flow by intercepting messages before Microsoft 365 applies auto-forwarding rules. Using two Exchange connectors and a mail flow transport rule, with no MX record changes required, Exchange Online routes matching inbound messages to Abnormal for inspection before any forwarding occurs. This ensures emails routed to third-party tools receive the same level of scrutiny as those delivered directly to user inboxes.

Here’s how it works:

  • When a message that matches an auto-forwarding path arrives, Microsoft 365 routes it to Abnormal first.

  • Abnormal evaluates the message with the same behavioral AI that protects regular email traffic—drawing on more than 45,000 behavioral and contextual signals—before any forwarding occurs.

  • If the message is safe, Abnormal returns it to Microsoft 365, which then forwards it to its intended destination without delay.

  • If the message is malicious, Abnormal quarantines it before it can reach any downstream system.
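The routing pattern described above (two connectors plus a transport rule, no MX change), sketched as an added Exchange Online PowerShell example. It is not Abnormal's deployment script: the smart host, IP addresses, mailbox addresses and object names are constructed placeholders, and matching on recipient mailboxes is an assumption about how an auto-forwarding path is selected.

```powershell
# Added illustration; every name, host and address is a constructed placeholder.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

$InspectionHost      = 'inspection.example.net'         # placeholder smart host
$InspectionIps       = @('192.0.2.10', '192.0.2.11')    # placeholder return IPs
$ForwardingMailboxes = @('support@contoso.example',     # constructed: mailboxes whose
                         'leads@contoso.example')       # mail is auto-forwarded downstream

# 1. Outbound connector. IsTransportRuleScoped keeps it idle unless a
#    transport rule selects it, so ordinary outbound mail is unaffected.
New-OutboundConnector -Name 'To inspection service' `
    -ConnectorType Partner `
    -SmartHosts $InspectionHost `
    -UseMXRecord $false `
    -IsTransportRuleScoped $true `
    -TlsSettings DomainValidation `
    -TlsDomain $InspectionHost

# 2. Inbound connector. Accepts the returned (clean) messages from the
#    inspection service's addresses over TLS.
New-InboundConnector -Name 'From inspection service' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $InspectionIps `
    -RequireTls $true

# 3. Transport rule. Transport rules run before mailbox delivery, which is
#    where mailbox forwarding and inbox rules apply, so the detour happens
#    before any copy is forwarded. The exception is keyed on the connecting
#    IP rather than a message header, because an external sender can forge a
#    header but not the return path's source address; it stops returned
#    messages from being routed out a second time.
New-TransportRule -Name 'Inspect before auto-forward' `
    -FromScope NotInOrganization `
    -SentTo $ForwardingMailboxes `
    -RouteMessageOutboundConnector 'To inspection service' `
    -ExceptIfSenderIpRanges $InspectionIps `
    -Mode Audit `
    -Priority 0

# Confirm what was created before switching the rule from Audit to Enforce
# (Set-TransportRule -Identity 'Inspect before auto-forward' -Mode Enforce).
Get-TransportRule -Identity 'Inspect before auto-forward' |
    Format-List Name, State, Mode, Priority, SentTo, RouteMessageOutboundConnector
Get-OutboundConnector -Identity 'To inspection service' |
    Format-List Name, Enabled, SmartHosts, IsTransportRuleScoped, TlsSettings
```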

All auto-forwarded traffic is visible within the Abnormal platform. Security teams can:

  • Use Threat Log to review every malicious email flagged by Abnormal’s detection engine, including those that would have been auto-forwarded downstream.

  • Use Search and Respond to investigate messages, release false positives from quarantine, and examine flagged messages using the same workflows they rely on for broader email security.

Admins can further fine-tune coverage in Message Remediation Settings, choosing whether to focus solely on clearly malicious attacks or to extend protection to spam and borderline messages.


Extending Inbox Accountability to Every Downstream Tool

Security teams have always been accountable for the inbox. What happens after forwarding has been harder to control. A support specialist opening a ticket in Zendesk or a rep reviewing a lead in Salesforce has no visibility into whether a message was ever evaluated for threats; both operate from trust in the system.

Auto-Forwarding Mail Protection extends that accountability upstream. For the people working inside downstream tools, the change is intentionally invisible: legitimate emails still arrive, tickets still open, cases still populate, and workflows continue as usual. What changes is the security team’s confidence in what those users are seeing, and their ability to investigate, in context, any message that never made it through.

What's Coming Next

Auto-Forwarding Mail Protection for Microsoft 365 is the first step in expanding pre-delivery protection to the environments enterprises actually use. The same challenge, email paths that execute before post-delivery controls can act, exists across platforms and mailbox types. Abnormal is extending this protection to additional surfaces, and the following three coverage areas will be available in the coming months:

Auto-Forwarding Mail Protection for Google Workspace

This applies the same pre-delivery auto-forwarding coverage Abnormal provides for Microsoft 365, intercepting messages before Gmail applies forwarding rules so emails auto-forwarded to third-party tools are scanned upstream first.

Google Groups Collaborative Inbox Protection

Teams rely on Collaborative Inboxes in Google Groups (such as support@, finance@, and security@) to manage some of their most sensitive external communications, but unlike individual user mailboxes, these Group mailboxes have no native API for post-delivery remediation. Pre-delivery protection for Collaborative Inboxes evaluates messages before they reach the Group mailbox and blocks malicious emails upstream, so Group members and the critical workflows that depend on these shared queues stay protected.

Hybrid On-Prem Mailbox Protection for Microsoft 365

Within organizations running hybrid environments where some employees still have Exchange on-premises mailboxes, cloud APIs alone can't reach every inbox in the tenant. Pre-delivery protection extends Abnormal's coverage to on-premises mailboxes within Microsoft 365 hybrid deployments, so existing infrastructure doesn't create a gap in protection.

Together, these expansions bring more email pathways—forwarded mail, collaborative inboxes, and on-premises infrastructure—up to the same protection standard as individual cloud mailboxes.

Ready to see how Abnormal protects the email pathways your business depends on, from the inbox to downstream tools?

Request a personalized demo to see Abnormal Inbound Email Security in action.
