%3CLINGO-SUB%20id%3D%22lingo-sub-2077447%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2077447%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20to%20see%20thi%20new%20feature%20implementation%20with%20New%20Exchange%20Admin%20center%26nbsp%3B%3C%2FP%3E%3CP%3ELooking%20for%20more%20updates%20in%20future.%20Keep%20up%20the%20hard%20work%20%3Athumbs_up%3A%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2077739%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2077739%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20one%20Arindam%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2077907%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2077907%22%20slang%3D%22en-US%22%3E%3CP%3EI%20wonder%20if%20this%20change%20in%20any%20way%20part%20of%20a%20Message%20Center%20announcement%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2078937%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2078937%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20a%206th%20way%20to%20set%20up%20automatic%20forwarding%20which%20is%20currently%20well%20hidden%20and%20cannot%20be%20interrogated%20via%20the%20Exchange%20Admin%20Center%20or%20PowerShell%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20Outlook%20client%2C%20go%20to%26nbsp%3BFile%20%2F%20Automatic%20Replies%20(Out%20of%20Office)%20%2F%20Rules...%20%2F%20Add%20Rule...%20%2F%20Forward%20%2F%20To%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EThis%20is%20actually%20a%20security%20hole%20as%20I%20believe%20if%20a%20hacker%20sets%20up%20forwarding%20here%2C%20it%20does%20not%20trigger%20the%20normal%20'mail%20forwarding'%20alerts'.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20could%20you%20mention%20this%20in%20the%20first%20few%20bullet%20points%20and%20document%20whether%20it%20is%20blocked%20by%20the%20above%20methods%20(Remote%20Domain%20%2F%20Transport%20Rule%20%2F%20Outbound%20spam%20filter%20policy)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20also%20an%20outstanding%20UserVoice%20request%20to%20allow%20administrators%20to%20audit%20this%20setting%20via%20Exchange%20Admin%20Center%20and%20PowerShell.%20At%20present%20this%20seems%20to%20be%20a%20security%20blind%20spot%20in%20Office%20365%20as%20an%20administrator%20cannot%20check%20the%20status%20of%20this%20setting.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20attention%20that%20can%20be%20drawn%20to%20this%20outstanding%20issue%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fmsonline%2Fen-US%2F642d571f-2f1a-4fc4-bb84-5dd86df7dee6%2Foutlook-automatic-replies-forwarding-rule-where-does-it-live-and-how-do-i-find-it-with-powershell%3Fforum%3Donlineservicesexchange%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fmsonline%2Fen-US%2F642d571f-2f1a-4fc4-bb84-5dd86df7dee6%2Foutlook-automatic-replies-forwarding-rule-where-does-it-live-and-how-do-i-find-it-with-powershell%3Fforum%3Donlineservicesexchange%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F273493-office-365-admin%2Fsuggestions%2F35353714-use-powershell-to-manage-out-of-office-rules-for-e%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Foffice365.uservoice.com%2Fforums%2F273493-office-365-admin%2Fsuggestions%2F35353714-use-powershell-to-manage-out-of-office-rules-for-e%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2078980%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2078980%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3842%22%20target%3D%22_blank%22%3E%40Thomas%20Stensitzki%3C%2FA%3E%26nbsp%3B-%20I%20am%20assuming%20that%20you%20are%20referring%20to%20the%20Outbound%20spam%20filter%20policy%20change%3F%20If%20so%20-%20message%20center%20posts%20on%20that%20started%20back%20in%20July%202020...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2079429%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2079429%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E.%20It%20would%20be%20helpful%20if%20the%20corresponding%20message%20center%20ID%20or%20a%20roadmap%20ID%20would%20be%20linked%20in%20this%20or%20future%20posts.%3CBR%20%2F%3E%3CBR%20%2F%3ERegarding%20the%20different%20ways%20of%20blocking%2Fdisallowing%20external%20forwarding%2C%20it%20would%20be%20interesting%2C%20if%20any%20or%20all%20of%20these%20options%20are%20analyzed%20by%20security%20and%20compliance%20score.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2079788%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2079788%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F392293%22%20target%3D%22_blank%22%3E%40ChrisAtMaf%3C%2FA%3E%26nbsp%3B-%20we%20have%20now%20added%20this%3B%20thanks!%20To%20be%20clear%20-%20this%20only%20works%20while%20OOF%20is%20turned%20on%20(and%20that%20is%20definitely%20visible%20to%20end%20users).%20Good%20call!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2079768%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2079768%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F392293%22%20target%3D%22_blank%22%3E%40ChrisAtMaf%3C%2FA%3E%26nbsp%3BThanks%20for%20pointing%20that%20out.%20We%20are%20adding%20about%20forwarding%20configured%20through%20OOF%20template%20and%20the%20expected%20behavior%20of%20various%20blocking%20method%20when%20Automatic%20Forward%20is%20configured%20from%20OOF%20template.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2082867%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2082867%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20table%20above%20that%20says%20Transport%20rule%20blocks%20Outlook%20Rules%20is%20incomplete%20because%20you%20can%20create%20an%20Outlook%20Rule%20that%20uses%20the%20%22Redirect%22%20message%20and%20that%20will%20bypass%20the%20transport%20rule%20block.%20In%20our%20testing%2C%20only%20the%20Remote%20Domain%20option%20will%20block%20the%20Outlook%20Rule%20that%20uses%20the%20Redirect%20method.%20This%20redirect%20method%20is%20also%20not%20blocked%20with%20the%20new%20%3CSPAN%3E%E2%80%9CAutomatic%20system-controlled%E2%80%9D%20control.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2082887%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2082887%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5941%22%20target%3D%22_blank%22%3E%40Joe%20Stocker%3C%2FA%3E%26nbsp%3B-%20Hi%20Joe%2C%20this%20blog%20is%20mainly%20for%20Automatic%20Forward%20Rule%2C%20that's%20why%20we%20mentioned%20%22Block%20%3CSTRONG%3EOutlook%20forwarding%3C%2FSTRONG%3E%20using%20inbox%20rules%22%20in%20the%20table%20to%20make%20it%20clear.%20By%20the%20way%20%22Redirect%20rule%22%20can%20be%20blocked%20by%20the%26nbsp%3B%26nbsp%3BOutbound%20spam%20filter%20policy%20as%20well%20based%20on%20my%20earlier%20testing.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2086727%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2086727%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BHey%2C%20appreciate%20that%20-%20good%20to%20know%20the%20article%20is%20comprehensive.%20Re%20user%20visibility%2C%20that's%20right%20-%20but%20if%20an%20account%20gets%20hacked%20in%20the%20mean%20time%2C%20there's%20currently%20no%20visibility%20for%20an%20administrator%20-%20nor%20can%20it%20be%20administratively%20disabled%20without%20resetting%20the%20user's%20password%20as%20far%20as%20I%20am%20aware.%20I%20don't%20think%20the%20Security%20%26amp%3B%20Compliance%20'Forwarding%20report'%20(%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2Freportv2%3Fid%3DMailFlowForwarding%26amp%3Bpivot%3DName%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprotection.office.com%2Freportv2%3Fid%3DMailFlowForwarding%26amp%3Bpivot%3DName%3C%2FA%3E)%2C%20for%20example%2C%20reports%20it.%20For%20something%20that%20allows%20hackers%20to%20exfiltrate%20as%20much%20mailbox%20data%20as%20they%20like%20once%20they've%20hacked%20the%20account%20-%20that's%20a%20big%20blind%20spot%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2087143%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2087143%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F392293%22%20target%3D%22_blank%22%3E%40ChrisAtMaf%3C%2FA%3E%26nbsp%3B%20-%20actually%2C%20administrator%20%3CEM%3ECAN%3C%2FEM%3E%20modify%20user's%20OOF%20message%20without%20resetting%20the%20user%20password.%20It's%20been%20a%20few%20years%20that%20the%20functionality%20has%20been%20in%20Microsoft%20365%20Admin%20Center%20(Users%20%26gt%3B%20Active%20users%20%26gt%3B%20click%20on%20the%20user%20that%20has%20an%20Exchange%20license%20%26gt%3B%20Mail%20tab%20%26gt%3B%20Automatic%20replies).%3C%2FP%3E%0A%3CP%3EThat%20being%20said%20-%20you%20first%20have%20to%20know%20that%20this%20is%20turned%20on%20and%20I%20need%20to%20check%20if%20the%20Forwarding%20report%20calls%20this%20out%20(I%20would%20be%20surprised%20if%20it%20does%20not%2C%20but%20I%20will%20check).%3C%2FP%3E%0A%3CP%3EAlso%20note%20that%20users%20themselves%20will%20get%20a%20notification%20when%20they%20launch%20a%20client%20that%20their%20OOF%20is%20turned%20on.%20Still%20does%20not%20address%20what%20you%20mean%20exactly%2C%20but%20it%20is%20something%20that%20users%20will%20be%20aware%20of%2C%20if%20enabled.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2087568%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2087568%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20are%20the%20options%20for%20Exchange%20Server%202016%2F2019%20on%20premises%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2087595%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2087595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F234813%22%20target%3D%22_blank%22%3E%40IT-Engineer%3C%2FA%3E%26nbsp%3B-%20apart%20from%26nbsp%3Bforward%20control%20using%20Outbound%20spam%20filter%20policy%2C%20other%20options%20are%20available%20to%20regulate%20External%20Autoforwarding%26nbsp%3B%3CSPAN%3Efor%20Exchange%20Server%202016%2F2019%20on%20premises%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2087859%22%20slang%3D%22en-US%22%3ERe%3A%20All%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2087859%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F392293%22%20target%3D%22_blank%22%3E%40ChrisAtMaf%3C%2FA%3E%26nbsp%3B-%20Also%2C%20the%26nbsp%3B%3CSPAN%3ESecurity%20%26amp%3B%20Compliance%20'Forwarding%20report'%20(%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2Freportv2%3Fid%3DMailFlowForwarding%26amp%3Bpivot%3DName%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprotection.office.com%2Freportv2%3Fid%3DMailFlowForwarding%26amp%3Bpivot%3DName%3C%2FA%3E%3CSPAN%3E)%2C%20does%20show%20the%20Forwarding%20configured%20from%20OOF%20templet.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2074888%22%20slang%3D%22en-US%22%3EAll%20you%20need%20to%20know%20about%20automatic%20email%20forwarding%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2074888%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20realize%20that%20many%20customers%20have%20genuine%20business%20requirements%20to%20configure%20automatic%20email%20forwarding.%20On%20the%20other%20hand%2C%20email%20forwarding%20may%20lead%20to%20data%20leakage.%20For%20example%2C%20if%20we%20have%20a%20compromised%20account%2C%20the%20attacker%20might%20create%20a%20forwarding%20rule%20for%20a%20particular%20mailbox%2C%20and%20the%20user%20might%20be%20unaware%20that%20their%20mail%20is%20being%20forwarded.%20This%20is%20a%20very%20common%20tactic%20used%20when%20accounts%20are%20compromised.%3C%2FP%3E%0A%3CP%3EIt%20is%20therefore%20important%20for%20administrators%20to%20know%20all%20mailboxes%20that%20have%20forwarding%20enabled%20and%20where%20the%20mail%20is%20been%20forwarded%20to.%20We%20have%20various%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fmfi-auto-forwarded-messages-report%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Einsights%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Falert-policies%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ealerts%3C%2FA%3E%20that%20help%20administrators%20monitor%20such%20activities%2C%20but%20prevention%20is%20always%20better%20than%20the%20cure.%20In%20this%20blog%20post%2C%20we%20thought%20to%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fthe-many-ways-to-block-automatic-email-forwarding-in-exchange%2Fba-p%2F607579%22%20target%3D%22_blank%22%3Erevisit%3C%2FA%3E%20(and%20update)%20various%20auto%20forward%20controls%2C%20how%20they%20work%20together%20and%20how%20they%20can%20help%20you%20achieve%20a%20requirement%20of%20allowing%20automatic%20forwarding%20for%20users%20who%20%3CEM%3Ereally%3C%2FEM%3E%20need%20this%20feature.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--550999394%22%20id%3D%22toc-hId--550999394%22%3EVarious%20ways%20to%20set%20up%20forwarding%3C%2FH2%3E%0A%3CP%3EBefore%20discussing%20how%20to%20control%20automatic%20forwarding%2C%20let%E2%80%99s%20review%20a%20few%20different%20ways%20in%20which%20automatic%20forwarding%20can%20be%20setup%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EA%20forwarding%20rule%20can%20be%20setup%20within%20the%20Rules%20wizard%20in%20Outlook%20on%20the%20desktop.%20User%20can%20set%20this%20Automatic%20forwarding%20from%20Outlook%20%26gt%3B%20File%20%26gt%3B%20Manage%20Rules%20and%20Alerts.%20Using%20Outlook%20on%20the%20web%2C%20this%20can%20be%20done%20using%20Inbox%20rules.%3C%2FLI%3E%0A%3CLI%3EUser%20can%20also%20configure%20automatic%20forwarding%20while%20creating%20Out%20of%20Office%20rule%20in%26nbsp%3BOutlook%20on%20the%20desktop.%20File%20%26gt%3B%20Automatic%20Replies%20(Out%20of%20Office)%20%26gt%3B%20Rules%20%26gt%3B%20Add%20Rule%20%26gt%3B%20Forward%20To%20option.%20Note%20that%20although%20OOF%20replies%20are%20sent%20only%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Femail-delivery%2Funderstand-troubleshoot-oof-replies%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eonce%20per%20sender%3C%2FA%3E%2C%20this%20rule%20will%20forward%20emails%20for%20every%20message%20as%20long%20as%20OOF%20is%20enabled.%3C%2FLI%3E%0A%3CLI%3EUsing%20Outlook%20on%20the%20web%20(OWA)%20the%20user%20can%20also%20set%20the%20%3CSTRONG%3EForwardingSmtpAddress%3C%2FSTRONG%3E%20parameter%20on%20the%20mailbox.%20This%20option%20is%20available%20via%20Settings%20%26gt%3B%20Mail%20%26gt%3B%20Forwarding.%3C%2FLI%3E%0A%3CLI%3EUsers%20can%20also%20set%20auto%20forward%20using%20Power%20Automate%20(used%20to%20be%20called%20Microsoft%20Flow).%3C%2FLI%3E%0A%3CLI%3EAdministrators%20can%20configure%20forwarding%20from%20the%20properties%20of%20the%20mailbox%20from%20Exchange%20Admin%20Center.%20This%20option%20is%20available%20under%20%E2%80%9CManage%20Mail%20flow%20settings%E2%80%9D%20in%20classic%20EAC%2C%20or%20user%20properties%20in%20the%20preview%20version%20of%20EAC.%20Configuring%20automatic%20forwarding%20from%20the%20properties%20of%20the%20mailbox%20will%20populate%20the%20%3CSTRONG%3EForwardingAddress%3C%2FSTRONG%3E%20parameter%20on%20the%20mailbox.%3C%2FLI%3E%0A%3CLI%3EAdministrators%20can%20also%20configure%20forwarding%20from%20Microsoft%20365%20Admin%20Center.%20Configuring%20forwarding%20from%20Microsoft%20365%20Admin%20Center%20will%20set%20the%20%3CSTRONG%3EForwardingSmtpAddress%20%3C%2FSTRONG%3Eparameter%20on%20the%20mailbox%20(but%20will%20show%20if%20%3CSTRONG%3EForwardingAddress%3C%2FSTRONG%3E%20is%20populated).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH1%20id%3D%22toc-hId--561502498%22%20id%3D%22toc-hId--561502498%22%3EControlling%20automatic%20forwarding%3C%2FH1%3E%0A%3CP%3EAdministrators%20have%20several%20methods%20to%20prevent%20and%20regulate%20automatic%20forwarding%20of%20emails%20outside%20the%20organization%3A%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-129058976%22%20id%3D%22toc-hId-129058976%22%3EExternal%20email%20forward%20control%20using%20Outbound%20spam%20filter%20policy%3C%2FH2%3E%0A%3CP%3ERecently%20released%2C%20this%20feature%20is%20available%20in%20Security%20%26amp%3B%20Compliance%20portal%20under%20Outbound%20spam%20filter%20policy%20(to%20get%20the%20exact%20portal%20page%2C%20go%20%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2Fantispam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E).%20As%20you%20see%20in%20the%20following%20screenshot%2C%20there%20are%20three%20possible%20options.%20The%20default%20configuration%20is%20%E2%80%9CAutomatic%20system-controlled.%E2%80%9D%20Other%20options%20are%20Off%20and%20On.%20%E2%80%9COff%E2%80%9D%20means%20auto%20forward%20is%20disabled%20and%20%E2%80%9COn%E2%80%9D%20means%20auto%20forward%20is%20enabled.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ForwardingRevisited01.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247482i07E8C8DD8F5DF831%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ForwardingRevisited01.jpg%22%20alt%3D%22ForwardingRevisited01.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22note%22%3ENote%3A%20If%20you%20see%20the%20option%20is%20set%20as%20%E2%80%9CAutomatic%20system-controlled%E2%80%9D%2C%20most%20probably%20you%20have%20not%20configured%20the%20setting%20at%20all.%20For%20tenants%20where%20the%20setting%20is%20left%20at%20%E2%80%9CAutomatic%20system-controlled%E2%80%9D%2C%20as%20we%20continue%20to%20move%20the%20service%20toward%20being%20more%20secure%20by%20default%2C%20this%20setting%20will%20be%20enforced%20and%20behave%20as%20%E2%80%9COff%E2%80%9D%20(forwarding%20disabled).%20This%20enforcement%20process%20has%20started%20in%20phases%20and%20very%20soon%2C%20all%20tenants%20will%20get%20this%20setting%20enforced.%20Therefore%2C%20%E2%80%9CAutomatic%20system-controlled%E2%80%9D%20will%20behave%20as%20%E2%80%9COff%E2%80%9D%20and%20automatic%20forwarding%20will%20not%20work.%20Our%20recommendation%20is%20that%20all%20customers%20should%20configure%20the%20policy%20as%20appropriate%20for%20their%20organization%20and%20enable%20external%20auto%20forwarding%20only%20for%20the%20users%20who%20really%20need%20it%20(by%20leaving%20the%20default%20policy%20in%20disabled%20state%2C%20creating%20a%20different%20policy%20that%20allows%20forwarding%20and%20then%20assigning%20it%20to%20specific%20mailboxes%20only).%20If%20for%20your%20tenant%2C%20%E2%80%9CAutomatic%20system-controlled%E2%80%9D%20still%20does%20not%20block%20email%20forwarding%2C%20you%20should%20make%20this%20change%20as%20soon%20as%20possible%20(as%20soon%2C%20it%20will).%3C%2FP%3E%0A%3CP%3EAdvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIt%20blocks%20all%20types%20of%20auto%20forwarding%20including%20%3CSTRONG%3EForwardingAddress%20and%20ForwardingSmtpAddress%3C%2FSTRONG%3E%20mailbox%20parameters.%3C%2FLI%3E%0A%3CLI%3EBlocks%20redirect%20rules%20configured%20using%20Outlook.%3C%2FLI%3E%0A%3CLI%3EA%20NDR%20is%20sent%20back%20to%20the%20mailbox%20that%20configured%20auto%20forwarding%20to%20external%20user%20if%20the%20policy%20is%20set%20to%20block%20automatic%20forwarding%20for%20that%20mailbox.%20The%20NDR%20will%20contain%20the%20following%20diagnostic%20information%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CEM%3ERemote%20Server%20returned%20'550%205.7.520%20Access%20denied%2C%20Your%20organization%20does%20not%20allow%20external%20forwarding.%20Please%20contact%20your%20administrator%20for%20further%20assistance.%20AS(7550)'%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEasier%20to%20configure%20and%20administrators%20can%20selectively%20allow%2Fblock%20external%20auto%20forwarding%20for%20a%20few%20or%20all%20mailboxes.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EDisadvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EForwarding%20using%20Power%20Automate%20(Flow)%20is%20not%20covered%20as%20of%20now.%20To%20block%20external%20forwarding%20which%20is%20setup%20using%20Power%20Automate%2C%20follow%20the%20steps%20mentioned%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpower-platform%2Fadmin%2Fblock-forwarded-email-from-power-automate%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEmail%20exfiltration%20controls%20for%20connectors%3C%2FA%3E%20article.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId--1678395487%22%20id%3D%22toc-hId--1678395487%22%3EBlock%20automatic%20forwarding%20using%20Remote%20Domains%3C%2FH2%3E%0A%3CP%3EThis%20option%20is%20available%20under%20the%20Mail%20flow%20tab%20in%20the%20new%20Exchange%20Admin%20Center%20preview%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ForwardingRevisited02.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247483i2A09437607FE91E4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ForwardingRevisited02.jpg%22%20alt%3D%22ForwardingRevisited02.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ForwardingRevisited03.jpg%22%20style%3D%22width%3A%20529px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247484i6CEEEE081D567BD2%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ForwardingRevisited03.jpg%22%20alt%3D%22ForwardingRevisited03.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAdvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThis%20setting%20can%20block%20auto%20forward%20rules%20configured%20using%20Outlook%20inbox%20rules%20as%20well%20as%20Outlook%20on%20the%20web%20options%20(ForwardingSmtpAddress%20parameter)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EDisadvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDoes%20not%20block%20forwarding%20set%20from%20the%20properties%20of%20the%20mailbox%20by%20the%20administrator%20using%20EAC%20(ForwardingAddress%20parameter)%3C%2FLI%3E%0A%3CLI%3EThis%20blocks%20auto%20forward%20to%20the%20specific%20remote%20domain.%20There%20is%20no%20granular%20control%20%E2%80%93%20cannot%20allow%20forwarding%20for%20certain%20users%2C%20and%20block%20for%20others.%3C%2FLI%3E%0A%3CLI%3EThe%20user%20is%20not%20notified%20that%20their%20auto%20forwarded%20message%20is%20dropped%2C%20no%20rejection%20(NDR)%20is%20sent.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId-809117346%22%20id%3D%22toc-hId-809117346%22%3EBlock%20auto%20forward%20using%20a%20transport%20rule%3C%2FH2%3E%0A%3CP%3EYou%20can%20create%20a%20transport%20rule%20from%20Exchange%20Admin%20Center%20%26gt%3B%20Mail%20Flow%20%26gt%3B%20Rules%20to%20block%20automatic%20forward%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ForwardingRevisited04.jpg%22%20style%3D%22width%3A%20858px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247486i9407C1E2F7504545%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ForwardingRevisited04.jpg%22%20alt%3D%22ForwardingRevisited04.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAdvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAllows%20granular%20control%20on%20conditions%20and%20actions.%3C%2FLI%3E%0A%3CLI%3EAdmins%20have%20the%20option%20to%20send%20rejection%20message%20(NDR).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EDisadvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EMatches%20auto%20forward%20messages%20based%20on%20message%20class%20(IPM.note.forward).%20The%20Outlook%20web%20app%20forwarding%20(ForwardingSmtpAddress)%20or%20forwarding%20set%20by%20the%20admins%20on%20the%20properties%20of%20the%20mailbox%20(ForwardingAddress)%20have%20normal%20message%20class%20(IPM.Note)%2C%20so%20transport%20rules%20won%E2%80%99t%20block%20them.%3C%2FLI%3E%0A%3CLI%3EDifficult%20to%20manage%20at%20times%20when%20too%20many%20transport%20rules%20are%20configured.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId--998337117%22%20id%3D%22toc-hId--998337117%22%3EHiding%20auto%20forward%20options%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fpermissions-exo%2Fpermissions-exo%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERole%20Based%20Access%20Control%20(RBAC)%20RBAC%20%3C%2FA%3E%3C%2FH2%3E%0A%3CP%3EWhile%20this%20is%20not%20really%20a%20method%20of%20blocking%20forwarding%2C%20it%20is%20related%20in%20a%20way%20that%20it%20can%20help%20remove%20forwarding%20options%20from%20users%20if%20they%20are%20using%20Outlook%20on%20the%20web.%3C%2FP%3E%0A%3CP%3EAdvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIn%20OWA%2C%20users%20simply%20do%20not%20see%20the%20option%20to%20setup%20forwarding%20in%20their%20mail%20options%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EDisadvantages%20of%20this%20method%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDoes%20not%20remove%20the%20option%20in%20Outlook%20desktop.%3C%2FLI%3E%0A%3CLI%3EAny%20forwarding%20that%20was%20already%20configured%20will%20continue%20to%20work.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId-1489175716%22%20id%3D%22toc-hId-1489175716%22%3EOverview%3C%2FH2%3E%0A%3CP%3EIf%20you%20want%20to%20quickly%20compare%20various%20methods%2C%20you%20can%20refer%20to%20the%20following%20table%3A%3C%2FP%3E%0A%3CTABLE%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3E%3CSTRONG%3EAutomatic%20forwarding%20option%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3E%3CSTRONG%3ERemote%20domain%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3E%3CSTRONG%3ETransport%20rule%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3E%3CSTRONG%3EOutbound%20spam%20filter%20policy%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3EBlock%20Outlook%20forwarding%20using%20inbox%20rules%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3EBlock%20Outlook%20forwarding%20configured%20using%20OOF%20rule%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3EBlock%20OWA%20forwarding%20setting%20(ForwardingSmtpAddress)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3EBlock%20forwarding%20set%20by%20the%20admin%20using%20EAC%20(ForwardingAddress)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3EBlock%20forwarding%20using%20Power%20Automate%20%2F%20Flow%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3EDoes%20the%20sender%20get%20NDR%20when%20auto%20forward%20is%20blocked%3F%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22390%22%3E%3CP%3ECustomization%20and%20granular%20control%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2284%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22120%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CH2%20id%3D%22toc-hId--318278747%22%20id%3D%22toc-hId--318278747%22%3EWhat%20happens%20if%20auto%20forward%20is%20controlled%20in%20multiple%20places%20mentioned%20above%3F%3C%2FH2%3E%0A%3CP%3EOne%20question%20we%20encounter%20frequently%20is%2C%20how%20all%20these%20techniques%20work%20together%3F%20What%20if%20auto%20forward%20is%20blocked%20in%20one%20of%20the%20above%20methods%20but%20allowed%20in%20another%3F%20For%20example%2C%20auto%20forward%20is%20blocked%20by%20a%20remote%20domain%20setting%20or%20a%20transport%20rule%20but%20allowed%20in%20Outbound%20spam%20filter%20policy%3B%20what%20happens%3F%20The%20answer%20to%20that%20is%20that%20a%20restriction%20in%20one%20place%20will%20restrict%20auto%20forward%20for%20all.%3C%2FP%3E%0A%3CP%3EFor%20example%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAutomatic%20forwarding%20is%20On%20(allowed)%20in%20the%20Outbound%20spam%20filter%20policy.%3C%2FLI%3E%0A%3CLI%3EAutomatic%20forwarding%20is%20disabled%20for%20the%20remote%20domain.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWill%20the%20automatically%20forwarded%20message%20be%20blocked%20by%20the%20remote%20domain%3F%20%3CSTRONG%3EYes%2C%20remote%20domain%20would%20block%20automatic%20forward%20as%20would%20an%20%3C%2FSTRONG%3E%3CSTRONG%3EExchange%20transport%20rule.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EDepending%20on%20what%20you%20want%20to%20achieve%2C%20you%20can%20use%20combination%20of%20above%20features.%20There%E2%80%99s%20no%20one%20size%20fits%20all%20option.%20You%20can%20implement%20all%20four%20options%20if%20you%20really%20want%2C%20depending%20on%20your%20requirement.%20For%20example%2C%20the%20remote%20domain%20option%20controls%20the%20recipient%20domain%20and%20comes%20handy%20if%20you%20want%20to%20restrict%20auto%20forwarding%20for%20all%20except%20a%20few%20external%20domains.%20Outbound%20spam%20filter%20policies%20on%20the%20other%20hand%20can%20control%20the%20sender.%20If%20you%20want%20to%20allow%20external%20auto%20forwarding%20for%20only%20a%20few%20mailboxes%20(users%20with%20genuine%20business%20requirements%20to%20configure%20automatic%20forwarding)%20and%20block%20external%20auto%20forwarding%20for%20everyone%20else%2C%20Outbound%20spam%20filter%20policy%20is%20most%20preferred.%20Or%20you%20can%20use%20combination%20of%20these%20two%20options%20if%20you%20want%20to%20allow%20auto%20forwarding%20only%20for%20few%20mailboxes%20and%20to%20only%20a%20few%20external%20domains.%20Here%20is%20another%20example%20which%20is%20slightly%20more%20complex%3A%3C%2FP%3E%0A%3CP%3ELet%E2%80%99s%20say%20you%20have%20the%20following%20requirements%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EBy%20default%2C%20automatic%20forwarding%20should%20be%20blocked.%3C%2FLI%3E%0A%3CLI%3EAutomatic%20forwarding%20to%20an%20external%20domain%20contoso.com%20should%20be%20allowed%20for%20all%20users.%3C%2FLI%3E%0A%3CLI%3EAllow%20users%20Jack%20and%20Jill%20to%20also%20be%20able%20to%20forward%20to%20northwindtraders.com%2C%20but%20no%20one%20else.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThere%20are%20multiple%20methods%20to%20achieve%20this%2C%20the%20following%20is%20one%20such%20solution%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EKeep%20the%20new%20external%20forwarding%20control%20under%20Outbound%20spam%20filter%20policy%20setting%20to%20%E2%80%9COn%E2%80%9D.%3C%2FLI%3E%0A%3CLI%3EDisable%20automatic%20forward%20for%20default%20*%20domain%20in%20remote%20domain%20setting.%3C%2FLI%3E%0A%3CLI%3ECreate%20a%20new%20remote%20domain%20for%20contoso.com%20and%20northwindtraders.com%20and%20allow%20automatic%20forward%20for%20these%20remote%20domains.%3C%2FLI%3E%0A%3CLI%3ECreate%20a%20transport%20rule%20to%20block%20auto%20forward%20from%20all%20to%20northwindtraders.com%20but%20put%20an%20exception%20for%20users%20Jack%20and%20Jill.%3C%2FLI%3E%0A%3CLI%3EAs%20transport%20rule%20will%20not%20block%20forwarding%20set%20using%20Outlook%20on%20the%20web%20(ForwardingSMTPAddress%20parameter)%20you%20can%20use%20%3CA%20href%3D%22https%3A%2F%2Fpetri.com%2Fstop-owa-users-autoforwarding-email%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CEM%3ERBAC%20rule%20to%20stop%20users%20from%20creating%20auto%20forward%20setting%20from%20OWA%3C%2FEM%3E%3C%2FA%3E%3CEM%3E.%3C%2FEM%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CFONT%20size%3D%226%22%3EBut%20wait%2C%20there%20is%20more!%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3ETo%20protect%20you%20further%20from%20attackers%20if%20a%20user%20mailbox%20is%20compromised%20(and%20for%20whom%20external%20automatic%20forward%20could%20be%20enabled%20without%20their%20knowledge)%2C%20a%20new%20Email%20Forward%20Alert%20Policy%20has%20been%20released%20recently%20which%20is%20available%20under%20Alert%20Policies%20of%20our%20Security%20%26amp%3B%20Compliance%20portal.%20It%20is%20called%20%E2%80%9CSuspicious%20Email%20Forwarding%20Activity.%E2%80%9D%20This%20new%20alert%20will%20track%20all%20%22forwarding%20scenarios%22%20and%20detects%20when%20a%20user%20has%20automated%20the%20sending%20of%20messages%20external%20to%20the%20organization%20.%20Once%20we%20find%20any%20suspicious%20activity%2C%20we%20will%20alert%20the%20tenant%20administrator%20once%20per%20day%20as%20long%20as%20the%20user%20continues%20to%20forward%20to%20that%20external%20recipient%20.%20This%20policy%20has%20a%20Medium%20severity%20setting.%20Although%20it%20is%20rare%2C%20an%20alert%20generated%20by%20this%20policy%20may%20be%20an%20anomaly.%20Administrators%20should%20always%20check%20to%20confirm%20whether%20the%20user%20account%20is%20compromised.%20A%20screenshot%20of%20the%20policy%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ForwardingRevisited05.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247487i6A8112013FBAC383%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ForwardingRevisited05.jpg%22%20alt%3D%22ForwardingRevisited05.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EA%20sample%20alert%20sent%20to%20the%20administrator%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ForwardingRevisited06.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247488i4DC4C15D8000540E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ForwardingRevisited06.jpg%22%20alt%3D%22ForwardingRevisited06.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThat%E2%80%99s%20it%20for%20now!%20Hope%20you%20find%20this%20helpful.%20I%20also%20want%20to%20take%20a%20moment%20to%20thank%20Mike%20Brown%2C%20Nino%20Bilic%20for%20reviewing%20this.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22author%22%3EArindam%20Thokder%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2074888%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20is%20important%20for%20administrators%20to%20know%20of%20all%20mailboxes%20that%20have%20forwarding%20enabled%20and%20where%20the%20mail%20is%20been%20forwarded%20to%20and%20how%20to%20control%20email%20forwarding.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2074888%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETips%20'n%20Tricks%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etransport%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etroubleshooting%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

We realize that many customers have genuine business requirements to configure automatic email forwarding. On the other hand, email forwarding may lead to data leakage. For example, if we have a compromised account, the attacker might create a forwarding rule for a particular mailbox, and the user might be unaware that their mail is being forwarded. This is a very common tactic used when accounts are compromised.

It is therefore important for administrators to know all mailboxes that have forwarding enabled and where the mail is been forwarded to. We have various insights and alerts that help administrators monitor such activities, but prevention is always better than the cure. In this blog post, we thought to revisit (and update) various auto forward controls, how they work together and how they can help you achieve a requirement of allowing automatic forwarding for users who really need this feature.

Various ways to set up forwarding

Before discussing how to control automatic forwarding, let’s review a few different ways in which automatic forwarding can be setup:

  • A forwarding rule can be setup within the Rules wizard in Outlook on the desktop. User can set this Automatic forwarding from Outlook > File > Manage Rules and Alerts. Using Outlook on the web, this can be done using Inbox rules.
  • User can also configure automatic forwarding while creating Out of Office rule in Outlook on the desktop. File > Automatic Replies (Out of Office) > Rules > Add Rule > Forward To option. Note that although OOF replies are sent only once per sender, this rule will forward emails for every message as long as OOF is enabled.
  • Using Outlook on the web (OWA) the user can also set the ForwardingSmtpAddress parameter on the mailbox. This option is available via Settings > Mail > Forwarding.
  • Users can also set auto forward using Power Automate (used to be called Microsoft Flow).
  • Administrators can configure forwarding from the properties of the mailbox from Exchange Admin Center. This option is available under “Manage Mail flow settings” in classic EAC, or user properties in the preview version of EAC. Configuring automatic forwarding from the properties of the mailbox will populate the ForwardingAddress parameter on the mailbox.
  • Administrators can also configure forwarding from Microsoft 365 Admin Center. Configuring forwarding from Microsoft 365 Admin Center will set the ForwardingSmtpAddress parameter on the mailbox (but will show if ForwardingAddress is populated).

Controlling automatic forwarding

Administrators have several methods to prevent and regulate automatic forwarding of emails outside the organization:

External email forward control using Outbound spam filter policy

Recently released, this feature is available in Security & Compliance portal under Outbound spam filter policy (to get the exact portal page, go here). As you see in the following screenshot, there are three possible options. The default configuration is “Automatic system-controlled.” Other options are Off and On. “Off” means auto forward is disabled and “On” means auto forward is enabled.

ForwardingRevisited01.jpg

Note: If you see the option is set as “Automatic system-controlled”, most probably you have not configured the setting at all. For tenants where the setting is left at “Automatic system-controlled”, as we continue to move the service toward being more secure by default, this setting will be enforced and behave as “Off” (forwarding disabled). This enforcement process has started in phases and very soon, all tenants will get this setting enforced. Therefore, “Automatic system-controlled” will behave as “Off” and automatic forwarding will not work. Our recommendation is that all customers should configure the policy as appropriate for their organization and enable external auto forwarding only for the users who really need it (by leaving the default policy in disabled state, creating a different policy that allows forwarding and then assigning it to specific mailboxes only). If for your tenant, “Automatic system-controlled” still does not block email forwarding, you should make this change as soon as possible (as soon, it will).

Advantages of this method:

  • It blocks all types of auto forwarding including ForwardingAddress and ForwardingSmtpAddress mailbox parameters.
  • Blocks redirect rules configured using Outlook.
  • A NDR is sent back to the mailbox that configured auto forwarding to external user if the policy is set to block automatic forwarding for that mailbox. The NDR will contain the following diagnostic information:

Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7550)'

 

  • Easier to configure and administrators can selectively allow/block external auto forwarding for a few or all mailboxes.

Disadvantages of this method:

  • Forwarding using Power Automate (Flow) is not covered as of now. To block external forwarding which is setup using Power Automate, follow the steps mentioned in our Email exfiltration controls for connectors article.

Block automatic forwarding using Remote Domains

This option is available under the Mail flow tab in the new Exchange Admin Center preview:

ForwardingRevisited02.jpg

ForwardingRevisited03.jpg

Advantages of this method:

  • This setting can block auto forward rules configured using Outlook inbox rules as well as Outlook on the web options (ForwardingSmtpAddress parameter)

Disadvantages of this method:

  • Does not block forwarding set from the properties of the mailbox by the administrator using EAC (ForwardingAddress parameter)
  • This blocks auto forward to the specific remote domain. There is no granular control – cannot allow forwarding for certain users, and block for others.
  • The user is not notified that their auto forwarded message is dropped, no rejection (NDR) is sent.

Block auto forward using a transport rule

You can create a transport rule from Exchange Admin Center > Mail Flow > Rules to block automatic forward:

ForwardingRevisited04.jpg

Advantages of this method:

  • Allows granular control on conditions and actions.
  • Admins have the option to send rejection message (NDR).

Disadvantages of this method:

  • Matches auto forward messages based on message class (IPM.note.forward). The Outlook web app forwarding (ForwardingSmtpAddress) or forwarding set by the admins on the properties of the mailbox (ForwardingAddress) have normal message class (IPM.Note), so transport rules won’t block them.
  • Difficult to manage at times when too many transport rules are configured.

Hiding auto forward options using Role Based Access Control (RBAC) RBAC

While this is not really a method of blocking forwarding, it is related in a way that it can help remove forwarding options from users if they are using Outlook on the web.

Advantages of this method:

  • In OWA, users simply do not see the option to setup forwarding in their mail options

Disadvantages of this method:

  • Does not remove the option in Outlook desktop.
  • Any forwarding that was already configured will continue to work.

Overview

If you want to quickly compare various methods, you can refer to the following table:

Automatic forwarding option

Remote domain

Transport rule

Outbound spam filter policy

Block Outlook forwarding using inbox rules 

Yes

Yes

Yes

Block Outlook forwarding configured using OOF rule 

Yes

Yes

Yes

Block OWA forwarding setting (ForwardingSmtpAddress)

Yes

No

Yes

Block forwarding set by the admin using EAC (ForwardingAddress)

No

No

Yes

Block forwarding using Power Automate / Flow

No

Yes

No

Does the sender get NDR when auto forward is blocked?

No

Yes

Yes

Customization and granular control

No

Yes

Yes

What happens if auto forward is controlled in multiple places mentioned above?

One question we encounter frequently is, how all these techniques work together? What if auto forward is blocked in one of the above methods but allowed in another? For example, auto forward is blocked by a remote domain setting or a transport rule but allowed in Outbound spam filter policy; what happens? The answer to that is that a restriction in one place will restrict auto forward for all.

For example:

  • Automatic forwarding is On (allowed) in the Outbound spam filter policy.
  • Automatic forwarding is disabled for the remote domain.

Will the automatically forwarded message be blocked by the remote domain? Yes, remote domain would block automatic forward as would an Exchange transport rule.

Depending on what you want to achieve, you can use combination of above features. There’s no one size fits all option. You can implement all four options if you really want, depending on your requirement. For example, the remote domain option controls the recipient domain and comes handy if you want to restrict auto forwarding for all except a few external domains. Outbound spam filter policies on the other hand can control the sender. If you want to allow external auto forwarding for only a few mailboxes (users with genuine business requirements to configure automatic forwarding) and block external auto forwarding for everyone else, Outbound spam filter policy is most preferred. Or you can use combination of these two options if you want to allow auto forwarding only for few mailboxes and to only a few external domains. Here is another example which is slightly more complex:

Let’s say you have the following requirements:

  • By default, automatic forwarding should be blocked.
  • Automatic forwarding to an external domain contoso.com should be allowed for all users.
  • Allow users Jack and Jill to also be able to forward to northwindtraders.com, but no one else.

There are multiple methods to achieve this, the following is one such solution:

  • Keep the new external forwarding control under Outbound spam filter policy setting to “On”.
  • Disable automatic forward for default * domain in remote domain setting.
  • Create a new remote domain for contoso.com and northwindtraders.com and allow automatic forward for these remote domains.
  • Create a transport rule to block auto forward from all to northwindtraders.com but put an exception for users Jack and Jill.
  • As transport rule will not block forwarding set using Outlook on the web (ForwardingSMTPAddress parameter) you can use RBAC rule to stop users from creating auto forward setting from OWA.

But wait, there is more!

To protect you further from attackers if a user mailbox is compromised (and for whom external automatic forward could be enabled without their knowledge), a new Email Forward Alert Policy has been released recently which is available under Alert Policies of our Security & Compliance portal. It is called “Suspicious Email Forwarding Activity.” This new alert will track all "forwarding scenarios" and detects when a user has automated the sending of messages external to the organization​. Once we find any suspicious activity, we will alert the tenant administrator once per day as long as the user continues to forward to that external recipient​. This policy has a Medium severity setting. Although it is rare, an alert generated by this policy may be an anomaly. Administrators should always check to confirm whether the user account is compromised. A screenshot of the policy:

ForwardingRevisited05.jpg

A sample alert sent to the administrator:

ForwardingRevisited06.jpg

That’s it for now! Hope you find this helpful. I also want to take a moment to thank Mike Brown, Nino Bilic for reviewing this.

Arindam Thokder

15 Comments
Occasional Visitor

Good to see thi new feature implementation with New Exchange Admin center 

Looking for more updates in future. Keep up the hard work :thumbs_up:

Occasional Visitor

Good one Arindam

I wonder if this change in any way part of a Message Center announcement?

 

New Contributor

There is a 6th way to set up automatic forwarding which is currently well hidden and cannot be interrogated via the Exchange Admin Center or PowerShell,

 

In the Outlook client, go to File / Automatic Replies (Out of Office) / Rules... / Add Rule... / Forward / To

This is actually a security hole as I believe if a hacker sets up forwarding here, it does not trigger the normal 'mail forwarding' alerts'.

 

Please could you mention this in the first few bullet points and document whether it is blocked by the above methods (Remote Domain / Transport Rule / Outbound spam filter policy)?

 

There is also an outstanding UserVoice request to allow administrators to audit this setting via Exchange Admin Center and PowerShell. At present this seems to be a security blind spot in Office 365 as an administrator cannot check the status of this setting.

 

Any attention that can be drawn to this outstanding issue would be appreciated.

 

https://social.technet.microsoft.com/Forums/msonline/en-US/642d571f-2f1a-4fc4-bb84-5dd86df7dee6/outl...

 

https://github.com/MicrosoftDocs/office-docs-powershell/issues/1708

 

https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/35353714-use-powershell-t...

 

Microsoft

@Thomas Stensitzki - I am assuming that you are referring to the Outbound spam filter policy change? If so - message center posts on that started back in July 2020...

Thank you @Nino Bilic. It would be helpful if the corresponding message center ID or a roadmap ID would be linked in this or future posts.

Regarding the different ways of blocking/disallowing external forwarding, it would be interesting, if any or all of these options are analyzed by security and compliance score.

Microsoft

@ChrisAtMaf Thanks for pointing that out. We are adding about forwarding configured through OOF template and the expected behavior of various blocking method when Automatic Forward is configured from OOF template. 

 

Microsoft

@ChrisAtMaf - we have now added this; thanks! To be clear - this only works while OOF is turned on (and that is definitely visible to end users). Good call!

Super Contributor

The table above that says Transport rule blocks Outlook Rules is incomplete because you can create an Outlook Rule that uses the "Redirect" message and that will bypass the transport rule block. In our testing, only the Remote Domain option will block the Outlook Rule that uses the Redirect method. This redirect method is also not blocked with the new “Automatic system-controlled” control.

Microsoft

@Joe Stocker - Hi Joe, this blog is mainly for Automatic Forward Rule, that's why we mentioned "Block Outlook forwarding using inbox rules" in the table to make it clear. By the way "Redirect rule" can be blocked by the  Outbound spam filter policy as well based on my earlier testing.

New Contributor

@Nino Bilic Hey, appreciate that - good to know the article is comprehensive. Re user visibility, that's right - but if an account gets hacked in the mean time, there's currently no visibility for an administrator - nor can it be administratively disabled without resetting the user's password as far as I am aware. I don't think the Security & Compliance 'Forwarding report' (https://protection.office.com/reportv2?id=MailFlowForwarding&pivot=Name), for example, reports it. For something that allows hackers to exfiltrate as much mailbox data as they like once they've hacked the account - that's a big blind spot :)

Microsoft

@ChrisAtMaf  - actually, administrator CAN modify user's OOF message without resetting the user password. It's been a few years that the functionality has been in Microsoft 365 Admin Center (Users > Active users > click on the user that has an Exchange license > Mail tab > Automatic replies).

That being said - you first have to know that this is turned on and I need to check if the Forwarding report calls this out (I would be surprised if it does not, but I will check).

Also note that users themselves will get a notification when they launch a client that their OOF is turned on. Still does not address what you mean exactly, but it is something that users will be aware of, if enabled.

Senior Member

What are the options for Exchange Server 2016/2019 on premises? 

 

Microsoft

@IT-Engineer - apart from forward control using Outbound spam filter policy, other options are available to regulate External Autoforwarding for Exchange Server 2016/2019 on premises

Microsoft

@ChrisAtMaf - Also, the Security & Compliance 'Forwarding report' (https://protection.office.com/reportv2?id=MailFlowForwarding&pivot=Name), does show the Forwarding configured from OOF templet.