New controls available to block automatic email forwarding!

One of the most common methods for an adversary attempting to keep a foothold on your Office 365 tenant (if they get access) is to setup some email forwarding. Doing this means that even if they are kicked out of their target account/s, they still have data flowing to an external mailbox, and this data can be used for reconnaissance and exfiltration of data.

It’s really simple to set forwarding through Powershell (using Set-Mailbox, even the end user can do this!) or through the graphical interface. Until now (July 2020) it was actually a bit overcomplicated to stop autoforwarding from happening, involving a few different configuration options, but thankfully the product group at Microsoft have simplified this by adding a single option to rule them all.

This wonderful new option is located in the Outbound spam filter policy at https://protection.office.com

It can also be managed using Powershell:

Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off

Options for this cmdlet are ‘Off’, ‘On’, and ‘Automatic’. On and off are quite clear but the Automatic option allows Microsoft to control the setting, and this is to help with the rollout. All tenants will be set to Automatic mode for starters, and then this automatic setting will turn forwarding on or off based on whether any auto forwarding was detected in your environment recently.

This feature is currently available to my Targeted Release tenant but may not be fully rolled out until August 2020. Initially it may not actually block forwarding (until the rollout is complete) so it’s worth keeping your existing policies in place for the moment.

If you don’t want to block forwarding but want to keep an eye on it’s use, I’d recommend you review this article about the Forwarding Report capability in the Security & Compliance portal.