External forwarding should always be disabled by default in any tenant, as it is commonly used by intruders to extract confidential emails from key individuals within the organization. Disabling this feature can help prevent unauthorized access to sensitive information and protect your business from potential security threats.
One example of such a malicious inbox rule could be the following:
After the message arrives and…. The message includes specific words in the subject or body: ‘invoice’ or ‘payment’ or ‘wire’ or ‘funds’ or ‘remit’ or ‘bank’ or ‘account’ or ‘finance’ or ‘president’ or ‘CEO’ or ‘CFO’ or ‘accountant’ or ‘manager’ or ‘PO’ or ‘purchase’.
Do the following… Forward the message to *****@*****.com as an attachment.
Additional reading: The many ways to block automatic email forwarding in Exchange Online – Microsoft Tech Community
How to configure external forwarding blocking.
We will always use the “Transport rule” method for blocking external auto-forwarding, since this option lets us configure a specific message that is delivered to users who are blocked by this rule, and lets us exclude specific users from the rule.
Step 1:
Start by accessing the “Exchange Admin center” and navigate to “Mail flow > Rules”.
Step 2:
Create a rule with the following parameters. (See screenshot)
Name: Block – Automatic External Forwarding.
Within the “Generate incident report…” action, you can choose which content is forwarded to the administrator or helpdesk mailbox.
Step 3:
It’s important that you understand and test the transport rule above. Make sure you have entered the correct parameters.
Save the transport rule.
If you ever want to allow specific users to forward mail externally, you can add those users to the “Exception” part of the transport rule.
The exceptions are most commonly used for service accounts, Zendesk mail forwarders and similar.
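The same rule can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not the author's own configuration: the screenshot's settings are not reproduced on this page, so the conditions, rejection text, addresses and incident report fields below are assumptions and placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# Exchange administrator role. All addresses are placeholders.
Connect-ExchangeOnline

$ruleName = 'Block – Automatic External Forwarding'
$reportTo = 'helpdesk@contoso.example'            # placeholder report mailbox
$allowed  = @('svc-forwarder@contoso.example')    # placeholder exception list

$settings = @{
    # Condition (assumed): sender is internal, recipient is external,
    # and the message was generated by automatic forwarding.
    FromScope          = 'InOrganization'
    SentToScope        = 'NotInOrganization'
    MessageTypeMatches = 'AutoForward'

    # Exception: accounts that are allowed to forward externally.
    ExceptIfFrom       = $allowed

    # Action: reject with a custom message shown to the blocked user.
    RejectMessageEnhancedStatusCode = '5.7.1'
    RejectMessageReasonText         = 'Automatic forwarding to external recipients is blocked. Contact the helpdesk.'

    # Action: send an incident report to the admin or helpdesk mailbox.
    GenerateIncidentReport = $reportTo
    IncidentReportContent  = 'Sender', 'Recipients', 'Subject'

    # 'Enforce' applies the rule; 'Audit' can be used for a trial run first.
    Mode = 'Enforce'
}

# Create the rule, or update it if a rule with this name already exists.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Set-TransportRule -Identity $existing.Guid.ToString() @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# Review what was saved before relying on the rule.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, FromScope, SentToScope,
                MessageTypeMatches, ExceptIfFrom, GenerateIncidentReport
```

To test it, set up auto-forwarding to an external address on a test mailbox that is not in the exception list and confirm the rejection message and the incident report both arrive.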