New controls available to block automatic email forwarding!

One of the most common ways for an adversary to keep a foothold in your Office 365 tenant (if they get access) is to set up email forwarding. Even if they are kicked out of the target account(s), data keeps flowing to an external mailbox, where it can be used for reconnaissance and exfiltration.

It’s really simple to set forwarding through PowerShell (using Set-Mailbox; even the end user can do this!) or through the graphical interface. Until now (July 2020), stopping auto-forwarding was a bit overcomplicated, involving a few different configuration options, but thankfully the product group at Microsoft has simplified this by adding a single option to rule them all.

This wonderful new option is located in the Outbound spam filter policy at https://protection.office.com

It can also be managed using PowerShell:

Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off

Values for the -AutoForwardingMode parameter are ‘Off’, ‘On’, and ‘Automatic’. On and Off are self-explanatory; Automatic lets Microsoft control the setting, which is there to help with the rollout. All tenants will start in Automatic mode, and the automatic setting will then turn forwarding on or off based on whether any auto-forwarding was detected in your environment recently.

This feature is currently available to my Targeted Release tenant but may not be fully rolled out until August 2020. Initially it may not actually block forwarding (until the rollout is complete) so it’s worth keeping your existing policies in place for the moment.
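A read-only check to run before changing the mode, added here as an example (not code from the original post): it prints each outbound spam policy's AutoForwardingMode and lists mailboxes whose ForwardingSmtpAddress or inbox rules point outside the tenant's accepted domains. It assumes an already connected Exchange Online PowerShell session; the helper name Get-ExternalTarget is made up for this example.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session
# (Connect-ExchangeOnline). Read-only: only Get-* cmdlets are used.

# Current mode of every outbound spam filter policy.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode

# Domains the tenant owns; any other SMTP domain is treated as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }

# Hypothetical helper: returns the SMTP addresses in $Recipient whose domain
# is not an accepted domain. Handles both "smtp:user@domain" (mailbox setting)
# and '"Name" [SMTP:user@domain]' (inbox rule) forms.
function Get-ExternalTarget {
    param([string[]]$Recipient)
    foreach ($r in $Recipient) {
        if ($r -match 'smtp:([^\]\s]+@([^\]\s]+))' -and
            $internalDomains -notcontains $Matches[2]) {
            $Matches[1]
        }
    }
}

$mailboxes = Get-Mailbox -ResultSize Unlimited
$findings = foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding (what Set-Mailbox -ForwardingSmtpAddress sets).
    # ForwardingAddress (a directory recipient such as a mail contact) is not
    # resolved here and needs a separate Get-Recipient lookup.
    $ext = Get-ExternalTarget $mbx.ForwardingSmtpAddress
    if ($ext) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                           Source  = 'Mailbox setting'
                           Target  = $ext -join '; ' }
    }
    # Inbox rules that forward or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @($rule.ForwardTo; $rule.ForwardAsAttachmentTo; $rule.RedirectTo) |
            Where-Object { $_ }
        $ext = Get-ExternalTarget $targets
        if ($ext) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                               Source  = "Inbox rule '$($rule.Name)'"
                               Target  = $ext -join '; ' }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Any row in the output is forwarding that would be affected once the policy is set to Off, so it is worth reviewing each one with the mailbox owner first.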

If you don’t want to block forwarding but want to keep an eye on its use, I’d recommend you review this article about the Forwarding Report capability in the Security & Compliance portal.

2 thoughts on “New controls available to block automatic email forwarding!”

  1. Jose Arias says:

    (Optional) Expand Automatic Forwarding section to configure controls over how automatic forwarding by users is controlled.

    Note

    These settings only apply to cloud-based mailboxes.

    Automatic Forwarding

    Select one of the options to control how automatic forwarding is handled.

    Automatic: Default setting that allows the system to control automatic forwarding with automatic forwarding disabled by default.
    On: External forwarding is enabled within the policy without restriction.
    Off: External forwarding is disabled and will be blocked

    https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy?view=o365-worldwide
