Today I got a security alert that one of the users was forwarding any email he received from a certain company to his own mailbox to himself (same mailbox).

Whatever he’s attempting, that’s the stupidest possible way to do it. But what can you do? That’s user antics for ya.