One of the most common ways for an adversary to keep a foothold in your Office 365 tenant (if they get access) is to set up email forwarding. Even if they are kicked out of the target accounts, data still flows to an external mailbox, where it can be used for reconnaissance and data exfiltration.
It’s really simple to set forwarding through PowerShell (using Set-Mailbox, even the end user can do this!) or through the graphical interface. Until now (July 2020) it was actually a bit overcomplicated to stop autoforwarding from happening, involving a few different configuration options, but thankfully the product group at Microsoft has simplified this by adding a single option to rule them all.
This wonderful new option is located in the Outbound spam filter policy at https://protection.office.com

It can also be managed using PowerShell:
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off
Options for this cmdlet are ‘Off’, ‘On’, and ‘Automatic’. On and Off are quite clear, but the Automatic option lets Microsoft control the setting, which is there to help with the rollout. All tenants will be set to Automatic mode for starters, and then this automatic setting will turn forwarding on or off based on whether any auto forwarding was detected in your environment recently.
This feature is currently available to my Targeted Release tenant but may not be fully rolled out until August 2020. Initially it may not actually block forwarding (until the rollout is complete) so it’s worth keeping your existing policies in place for the moment.
If you don’t want to block forwarding but want to keep an eye on its use, I’d recommend you review this article about the Forwarding Report capability in the Security & Compliance portal.
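Before switching the policy to Off, it helps to know which mailboxes already forward mail outside the tenant. The following is an added example, not code from the original post: the function name Get-ExternalForwarder and the sample mailboxes are hypothetical, and the commented live usage assumes a connected Exchange Online PowerShell session.

```powershell
# Added example: flag mailbox-level forwarding that leaves the tenant.
# Inbox rules that forward or redirect are a separate check and are not covered here.
function Get-ExternalForwarder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [string[]] $InternalDomain
    )
    process {
        # ForwardingSmtpAddress is what Set-Mailbox (or the user) writes, stored as "smtp:user@domain"
        if ($Mailbox.ForwardingSmtpAddress) {
            $target = $Mailbox.ForwardingSmtpAddress -replace '^smtp:', ''
            $domain = ($target -split '@')[-1]
            if ($InternalDomain -notcontains $domain) {
                [pscustomobject]@{
                    Mailbox  = $Mailbox.UserPrincipalName
                    Target   = $target
                    KeepCopy = [bool]$Mailbox.DeliverToMailboxAndForward
                    Finding  = 'External SMTP forward'
                }
            }
        }
        # ForwardingAddress names a recipient object; it can be a mail contact
        # with an external address, so it is reported for manual resolution.
        if ($Mailbox.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox  = $Mailbox.UserPrincipalName
                Target   = $Mailbox.ForwardingAddress
                KeepCopy = [bool]$Mailbox.DeliverToMailboxAndForward
                Finding  = 'Recipient forward, resolve target'
            }
        }
    }
}

# Constructed sample objects shaped like Get-Mailbox output (not real data)
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ForwardingSmtpAddress = 'smtp:drop@mail.example.net'; ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; ForwardingSmtpAddress = 'smtp:carol@contoso.example'; ForwardingAddress = $null; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example'; ForwardingSmtpAddress = $null; ForwardingAddress = 'Partner Contact'; DeliverToMailboxAndForward = $false }
)
$sample | Get-ExternalForwarder -InternalDomain 'contoso.example' | Format-Table

# Live usage (assumes Connect-ExchangeOnline has been run):
# Get-Mailbox -ResultSize Unlimited | Get-ExternalForwarder -InternalDomain (Get-AcceptedDomain).DomainName
# Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

On the sample data this reports alice (external SMTP forward) and dave (recipient forward to resolve), and skips bob, whose forward stays inside the tenant's domain.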
(Optional) Expand Automatic Forwarding section to configure controls over how automatic forwarding by users is controlled.
Note
These settings only apply to cloud-based mailboxes.
Automatic Forwarding
Select one of the options to control how automatic forwarding is handled.
Automatic: Default setting that allows the system to control automatic forwarding with automatic forwarding disabled by default.
On: External forwarding is enabled within the policy without restriction.
Off: External forwarding is disabled and will be blocked
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy?view=o365-worldwide
Thanks!