▲ 0 r/Office365
Audited auto-forwarding rules across our tenant and found 23 rules nobody remembered setting up
Twelve of them were pointing to external addresses. Six were sitting on accounts that had been fully disabled during offboarding but the forwarding rules were never cleaned up, so mail to those addresses was still routing out of the tenant the entire time. Most of them turned out to be legitimate rules employees created during remote work and simply forgot about, but the security implication is identical to what an attacker would set up after compromising an account and nobody was monitoring for the pattern at all.
If you have not pulled this report recently, go do it now because this is one of those things that looks completely invisible until you specifically go looking for it.
u/No_Adeptness_6716 — 3 days ago
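
An added example, not part of the original post: one way to pull the report described above from Exchange Online PowerShell, flagging external targets and disabled accounts. It assumes a session already opened with `Connect-ExchangeOnline`; the helper function names and the output file name are hypothetical.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and a session
# already opened with Connect-ExchangeOnline.
$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

function Get-SmtpTarget {   # hypothetical helper
    # Extracts addresses from 'smtp:user@example.com' or '"Name" [SMTP:user@example.com]'.
    # Rule targets stored as [EX:/o=...] are internal recipients and are skipped.
    param([object[]]$Value)
    foreach ($v in $Value) {
        if ("$v" -match '(?i)smtp:([^\]\s]+@[^\]\s]+)') { $Matches[1].ToLower() }
    }
}

function Test-External {    # hypothetical helper: exact match against accepted domains
    param([string]$Address)
    $internal -notcontains ($Address -split '@')[-1]
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $hits = @()
    # Mailbox-level forwarding to a raw SMTP address
    foreach ($a in Get-SmtpTarget $mbx.ForwardingSmtpAddress) {
        $hits += [pscustomobject]@{ Source = 'ForwardingSmtpAddress'; Rule = ''; Enabled = $true; Target = $a }
    }
    # Mailbox-level forwarding to a recipient object (can be a mail contact)
    if ($mbx.ForwardingAddress) {
        $r = Get-Recipient -Identity $mbx.ForwardingAddress -ErrorAction SilentlyContinue
        if ($r) { $hits += [pscustomobject]@{ Source = 'ForwardingAddress'; Rule = ''; Enabled = $true; Target = "$($r.PrimarySmtpAddress)".ToLower() } }
    }
    # User-created inbox rules, including disabled ones
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue) {
        $values = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($a in Get-SmtpTarget $values) {
            $hits += [pscustomobject]@{ Source = 'InboxRule'; Rule = $rule.Name; Enabled = $rule.Enabled; Target = $a }
        }
    }
    foreach ($h in $hits) {
        [pscustomobject]@{
            Mailbox         = $mbx.UserPrincipalName
            AccountDisabled = $mbx.AccountDisabled   # mail still flows to these mailboxes
            Source          = $h.Source
            Rule            = $h.Rule
            RuleEnabled     = $h.Enabled
            Target          = $h.Target
            External        = Test-External $h.Target
        }
    }
}

# External targets and disabled accounts first
$report | Sort-Object External, AccountDisabled -Descending |
    Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation
```

This covers mailbox-level forwarding and inbox rules only; transport (mail flow) rules that redirect mail are a separate check.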