Find External Email Forwarding rules in Microsoft 365 Exchange Online

NOTE: This has been added as a GUI view in the new Modern Exchange Admin Center. https://admin.exchange.microsoft.com/#/reports/autoforwardedmessages

I have experienced users with mailbox rules that sent out all of their important emails to an external email address. This is a common way of silently stealing important data from users.

One example of these malicious inbox rules could be the following:

After the message arrives and….
The message includes specific words in the subject or body ‘invoice’ or ‘payment’ or ‘wire’ or ‘funds’ or ‘remit’ or ‘bank’ or ‘account’ or ‘finance’ or ‘president’ or ‘CEO’ or ‘CFO’ or ‘accountant’ or ‘manager’ or ‘PO’ or ‘purchase’
Do the following…
Forward the message to *****@*****.com as an attachment.

To prevent this, you can run the following code on your tenant via “Exchange Online PowerShell”.

I recommend running the following script to check for existing “external forwarding rules”.

It is possible to change the last text “forward the message” in the script to any language you want or check for a completely different kind of rule.
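
An added example of such a check (not the author's original script): it flags rules whose forward or redirect targets lie outside the tenant's domains, and keeps the “forward the message” text match as a parameter. The function name Find-ExternalForwardRule, its parameters, the sample rules and the domains contoso.com and external.example are assumptions made for illustration.

```powershell
# Added example: flag inbox rules that forward or redirect to external addresses.
function Find-ExternalForwardRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rule,            # objects shaped like Get-InboxRule output
        [Parameter(Mandatory)] [string[]] $InternalDomain,  # the tenant's own mail domains
        [string] $DescriptionText = 'forward the message'   # rule text to match; localize as needed
    )
    foreach ($r in $Rule) {
        # Every recipient the rule forwards, forwards as attachment, or redirects to
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) |
            Where-Object { $_ }
        # Assumption: external recipients are rendered as '"name" [SMTP:user@domain]';
        # entries without an SMTP: address are treated as internal directory objects.
        $external = foreach ($t in $targets) {
            if (("$t" -match 'SMTP:([^\]\s]+@([^@\]\s]+))') -and
                ($InternalDomain -notcontains $Matches[2])) { $Matches[1] }
        }
        $textHit = "$($r.Description)" -like "*$DescriptionText*"
        # Report external targets; also report text matches whose targets could not be read
        if ($external -or ($textHit -and -not $targets)) {
            [pscustomobject]@{
                Mailbox          = $r.MailboxOwnerId
                Rule             = $r.Name
                Enabled          = $r.Enabled
                ExternalTargets  = @($external) -join ', '
                DescriptionMatch = $textHit
            }
        }
    }
}

# Constructed sample rules (not real data) so the function can be tried offline
$sample = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice'; Name = 'finance'; Enabled = $true
        ForwardAsAttachmentTo = @('"drop" [SMTP:drop@external.example]')
        Description = "If the message includes specific words in the subject or body 'invoice' or 'payment', forward the message to 'drop@external.example' as an attachment" }
    [pscustomobject]@{ MailboxOwnerId = 'bob'; Name = 'team copy'; Enabled = $true
        ForwardTo = @('"Carol" [SMTP:carol@contoso.com]')
        Description = "forward the message to 'Carol'" }
)
Find-ExternalForwardRule -Rule $sample -InternalDomain 'contoso.com' | Format-Table -AutoSize

# Live use, assuming a connected Exchange Online PowerShell session:
# $rules = Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName }
# Find-ExternalForwardRule -Rule $rules -InternalDomain (Get-AcceptedDomain).DomainName
```

With the constructed sample, only the rule on the alice mailbox is reported; the rule forwarding to carol@contoso.com stays inside the tenant and is skipped.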

If you have any questions or feedback, or would like to correct me on any of the stuff above, please use the comment section or contact me directly using the blue button in the bottom right corner.
