Block external forwarding in Exchange Online

External forwarding should always be disabled by default in any tenant.
This feature is most often used by intruders wanting to extract certain type of confidential email from key people in the organization.

One example of these malicious inbox rules could be the following:

After the message arrives and…. The message includes specific words in the subject or body ‘invoice’ or ‘payment’ or ‘wire’ or ‘funds’ or ‘remit’ or ‘bank’ or ‘account’ or ‘finance’ or ‘president’ or ‘CEO’ or ‘CFO’ or ‘accountant’ or ‘manager’ or ‘PO’ or ‘purchase’ Do the following… Forward the message to *****@*****.com as an attachment.

Additional reading: The many ways to block automatic email forwarding in Exchange Online – Microsoft Tech Community

How to configure external forwarding blocking.

We will always use the “Transport rule” method for blocking external auto forwarding, since this option gives us the ability to configure specific messages delivered to users who are blocked by this rule and we can set specific users to be excluded from the rule.

Step 1:

Start by accessing the “Exchange Admin center” and navigate to “Mailflow > Rules

Step 2:

Create a rule with the following parameters. (See screenshot)

Name: Block – Automatic External Forwarding.

Within the “Generate incident report….” you can set specific content to be forwarded to the administrator or helpdesk mailbox.

Step 3:

It’s important that you understand and test the transport rule above. Make sure you have entered the correct parameters.

Save the transport rule.

If you ever want to allow specific users to forward external mail, you can add the users to the “Exception” part of the transport rule.

The exceptions are most commonly used for service accounts, zendesk mail forwarders and such.

If you have any questions / feedback or would like to correct me on any of the stuff above, please use the comment section or contact me directly using the blue button in the bottom right corner.

Leave a Comment