I support somewhere around 50 users doing both help desk as well as server administration. Just recently a manager was suspicious that their employee was automatically forwarding all of his (manager's) emails to their (employee's) personal email address. There have been two separate events that raised suspicion and they have now asked me to look into it.
As far as legality goes... in our state it is perfectly legal for an employer to look into any kind of information of an employee. By that I mean the laptop is company property, it should only be used for company purposes, and they have been warned.
The employee is very technically minded. He knows what he is doing and also has several friends that are employed as pen testers, hackers, etc. In other words, he has connections that could help him.
Does anyone know if this is even possible? It feels like a secret rule on the employer's computer that is sending all emails bcc to the employee.
Any suggestions?
Yes, it's possible via Outlook inbox rules. If you are in an Exchange environment they still will (or should) be routed through your corporate MTA or at least your internal SMTP relay so you should be able to easily confirm this from there. If your employees send directly to your ISP's SMTP relay then it'll be a bit more difficult to confirm. You'd have to go to the firewall logs if you have one set up.
If your switches support port mirroring, you could always mirror both the manager's port and the Exchange server, then Wireshark the traffic on it (filter to SMTP only and set it to save to file when it captures XX megabytes).
That should let you determine if emails are being copied from anywhere.
Also I would ensure the manager's PC has a setting to ask for a password when resuming from the screensaver and has a sensibly short period until the screensaver kicks in (and also advise him to lock his workstation when he leaves it) - it's surprising how people can use very simple "technology" sometimes.
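The inbox-rule check suggested in the first reply can also be done from the server side. The script below is an added example, not part of the original thread. It assumes the Exchange Management Shell (or an Exchange Online PowerShell session), and the mailbox address and internal domain list are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# or an Exchange Online PowerShell session with rights to read the mailbox.
$Mailbox         = 'manager@example.com'   # placeholder: mailbox under review
$InternalDomains = @('example.com')        # placeholder: domains you own

# Mailbox-level forwarding, which is configured outside Outlook rules.
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward

# Inbox rules with a forward or redirect action, including disabled rules.
$findings = foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
    $actions = @{
        ForwardTo             = $rule.ForwardTo
        ForwardAsAttachmentTo = $rule.ForwardAsAttachmentTo
        RedirectTo            = $rule.RedirectTo
    }
    foreach ($action in $actions.Keys) {
        foreach ($recipient in @($actions[$action])) {
            if (-not $recipient) { continue }
            # Recipients render as '"Name" [SMTP:user@domain]' or '"Name" [EX:/o=...]'.
            $smtp = $null
            if ("$recipient" -match '\[SMTP:([^\]]+)\]') { $smtp = $Matches[1] }
            $domain = $null
            if ($smtp) { $domain = ($smtp -split '@')[-1].ToLower() }
            New-Object PSObject -Property @{
                Rule      = $rule.Name
                Enabled   = $rule.Enabled
                Action    = $action
                Recipient = "$recipient"
                # External = an SMTP target whose domain is not one of yours.
                External  = [bool]($smtp -and ($InternalDomains -notcontains $domain))
            }
        }
    }
}

$findings |
    Sort-Object External -Descending |
    Format-Table Rule, Enabled, Action, Recipient, External -AutoSize
```

The rules are read from the mailbox on the server, so this runs without touching the manager's PC. An empty result does not rule out copying by other means, which is where the relay logs and packet capture mentioned in the replies come in.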