Ensure all forms of mail forwarding are blocked and/or disabled
Ensure all forms of mail forwarding are blocked and/or disabled
Amir Moiz Gulamaliwala
Exchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels:
- Outlook forwarding using inbox rules
- Outlook forwarding configured using OOF rule
- OWA forwarding setting (ForwardingSmtpAddress)
- Forwarding set by the admin using EAC (ForwardingAddress)
- Forwarding using Power Automate / Flow
NOTE:
- In this control, remediation is carried out in two stages – Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically.
- Any exclusions should be implemented based on organizational policy.
Reasoning:
Attackers often create these rules to exfiltrate data from your tenancy, this could be accomplished via access to an end-user account or otherwise. An insider could also use one of these methods as an secondary channel to exfiltrate sensitive data.
Implementation status
100% of users are affected by policies that are configured less securely than is recommended
User impact
Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.
Prerequisites
You should have Microsoft Defender for Office 365 P1.
Steps
NOTE: In this control, remediation is carried out in two stages – Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:
STEP 1: Transport rules
To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:
- Select Exchange to open the Exchange admin center.
- Select Mail Flow then Rules.
- For each rule that redirects email to external domains, select the rule and click the ‘Delete’ icon.
To perform remediation you may also use the Exchange Online PowerShell Module:
- Connect to Exchange Online user Connect-ExchangeOnline.
- Run the following PowerShell command: Remove-TransportRule {RuleName}
- To verify this worked you may re-run the audit command as follows:
Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft Name,RedirectMessageTo
STEP 2: Anti-spam outbound policy
Configure an anti-spam outbound policy:
- Navigate to Microsoft 365 Defender https://security.microsoft.com/
- Expand E-mail & collaboration then select Policies & rules.
- Select Threat policies > Anti-spam.
- Select Anti-spam outbound policy (default)
- Click Edit protection settings
- Set Automatic forwarding rules dropdown to Off – Forwarding is disabled and click Save
- Repeat steps 4-6 for any additional higher priority, custom policies.
