NOTE: This report has since been added as a GUI view in the new Modern Exchange Admin Center: https://admin.exchange.microsoft.com/#/reports/autoforwardedmessages
I have encountered instances where mailbox rules were used to silently steal important data from users by forwarding their important emails to an external address. This is a common data-theft technique, so it is important to be aware of it and take steps to prevent it.
One example of these malicious inbox rules could be the following:
After the message arrives and…
The message includes specific words in the subject or body: ‘invoice’ or ‘payment’ or ‘wire’ or ‘funds’ or ‘remit’ or ‘bank’ or ‘account’ or ‘finance’ or ‘president’ or ‘CEO’ or ‘CFO’ or ‘accountant’ or ‘manager’ or ‘PO’ or ‘purchase’
Do the following…
Forward the message to *****@*****.com as an attachment.
To prevent this, you can run the following command on your tenant via Exchange Online PowerShell. It disables automatic forwarding to the Default remote domain, which covers every external domain:
Set-RemoteDomain Default -AutoForwardEnabled $false
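The one-liner above only touches the Default remote domain, so a practitioner will also want to cover any custom remote domains and verify the result. The following is an added example, not the original post's command; it assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) and uses the outbound spam filter policy's AutoForwardingMode setting, which the post does not mention but which is the second place Exchange Online gates automatic forwarding.

```powershell
# Added example (not the original post's command). Assumes an Exchange Online
# PowerShell session is already open (Connect-ExchangeOnline).

# 1) The post's setting: the "Default" remote domain applies to every external domain
#    that has no remote-domain entry of its own.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2) Custom remote domains keep their own AutoForwardEnabled value, so apply the same
#    setting to any that still allow it.
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } | ForEach-Object {
    Set-RemoteDomain -Identity $_.Identity -AutoForwardEnabled $false
}

# 3) Exchange Online Protection also gates automatic forwarding through the outbound
#    spam filter policy; "Off" blocks it tenant-wide regardless of remote-domain settings.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4) Verify: every remote domain should show False and the policy should show Off.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

Both controls only stop automatic forwarding (inbox rules and mailbox-level forwarding); a user can still forward a message manually, and any mail flow rule or additional outbound spam policy that sets its own behaviour should be reviewed separately.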
I recommend running the following script to check for existing external forwarding rules.
$Mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mailbox in $Mailboxes) {
    Write-Host -ForegroundColor Green "Getting rules from $($mailbox.DisplayName)..."
    # Filter on the rule's Description first: combining -Property Description with
    # -ExpandProperty Description fails, and the later Description check never matches
    Get-InboxRule -Mailbox $mailbox.PrimarySmtpAddress -WarningAction SilentlyContinue |
        Where-Object { $_.Description -like '*forward the message*' } |
        Select-Object @{Name = 'Mailbox'; Expression = { $mailbox.PrimarySmtpAddress }}, Name, Description
}
You can change the search text “forward the message” at the end of the script to match the language your tenant uses, or search for a completely different kind of rule.
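Matching on the Description text depends on the tenant's display language and misses redirect rules and mailbox-level forwarding set with Set-Mailbox. The following added example (not the original post's script) instead reads the rule properties that hold the actual targets (ForwardTo, ForwardAsAttachmentTo, RedirectTo) and flags anything whose domain is not one of the tenant's accepted domains. It assumes an open Exchange Online PowerShell session; the helper function names and the output layout are my own.

```powershell
# Added example (not the original post's script). Assumes an Exchange Online PowerShell
# session is already open (Connect-ExchangeOnline). Works in any tenant language because
# it inspects rule properties rather than the localized Description text.

# Every accepted domain of the tenant counts as internal; anything else is external.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Get-RecipientDomain {
    param([string]$Recipient)
    # Rule targets are rendered like '"Name" [SMTP:user@example.com]'; mailbox-level
    # forwarding looks like 'smtp:user@example.com'. Internal recipients may show an
    # EX: legacy DN instead of an SMTP address and are skipped (returns $null).
    if ($Recipient -match '(?i)smtp:([^\]\s]+)') { $address = $Matches[1] }
    elseif ($Recipient -match '([^\s<>"\[\]]+@[^\s<>"\[\]]+)') { $address = $Matches[1] }
    else { return $null }
    return $address.Split('@')[-1].ToLower()
}

function Test-ExternalDomain {
    param([string]$Domain)
    return (-not [string]::IsNullOrEmpty($Domain)) -and ($internalDomains -notcontains $Domain)
}

$findings = foreach ($mailbox in Get-Mailbox -ResultSize Unlimited) {
    $mbx = "$($mailbox.PrimarySmtpAddress)"

    # Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress) is not an inbox rule
    # and is easy to miss when only Get-InboxRule is checked.
    if ($mailbox.ForwardingSmtpAddress) {
        $target = "$($mailbox.ForwardingSmtpAddress)"
        if (Test-ExternalDomain (Get-RecipientDomain -Recipient $target)) {
            [pscustomobject]@{ Mailbox = $mbx; RuleName = '<mailbox setting>'; Enabled = $true
                               Action = 'ForwardingSmtpAddress'; Target = $target }
        }
    }

    $rules = Get-InboxRule -Mailbox $mbx -WarningAction SilentlyContinue
    foreach ($rule in $rules) {
        foreach ($action in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($target in @($rule.$action)) {
                if ($null -eq $target) { continue }
                if (Test-ExternalDomain (Get-RecipientDomain -Recipient "$target")) {
                    [pscustomobject]@{ Mailbox = $mbx; RuleName = $rule.Name; Enabled = $rule.Enabled
                                       Action = $action; Target = "$target" }
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox, RuleName | Format-Table -AutoSize
```

Disabled rules are still reported (see the Enabled column) because an attacker can re-enable them later. The script does not resolve ForwardingAddress, which points at an internal recipient object such as a mail contact that may itself carry an external address, so review those separately. Enumerating every mailbox's rules is slow in large tenants; the auto-forwarded messages report linked at the top of this post shows what has actually been forwarded and is a quicker first check.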
If you have any questions or feedback, or would like to correct me on anything above, please use the comment section or contact me directly using the blue button in the bottom right corner.