Update: Starting November 2022, protection.microsoft.com URL does not work anymore. Please go to security.microsoft.com instead for the AntiSpam feature mentioned in this post.
We realize that many customers have genuine business requirements to configure automatic email forwarding. On the other hand, email forwarding may lead to data leakage. For example, if we have a compromised account, the attacker might create a forwarding rule for a particular mailbox, and the user might be unaware that their mail is being forwarded. This is a very common tactic used when accounts are compromised.
It is therefore important for administrators to know all mailboxes that have forwarding enabled and where the mail is being forwarded to. We have various insights and alerts that help administrators monitor such activities, but prevention is always better than the cure. In this blog post, we thought we would revisit (and update) the various auto forward controls, how they work together, and how they can help you meet a requirement of allowing automatic forwarding only for users who really need this feature.
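As an added example (not from the original post), the following Exchange Online PowerShell script inventories the two forwarding paths this post discusses, the mailbox-level ForwardingSmtpAddress / ForwardingAddress settings and inbox rules that forward or redirect, and reports only targets outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; the CSV file name is a placeholder.

```powershell
# Added example, not part of the original post. Assumes an active Connect-ExchangeOnline session.

# Every accepted domain counts as internal; any other domain is treated as external
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # ForwardingSmtpAddress is stored as "smtp:user@domain"; strip the prefix first
    $addr = ($Address -replace '^smtp:', '').Trim().ToLower()
    if (-not $addr.Contains('@')) { return $false }
    return ($internalDomains -notcontains $addr.Split('@')[-1])
}

function Get-ExternalForwarding {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # 1. Mailbox-level forwarding (set by the user in OWA or by an admin in the EAC)
        if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingSmtpAddress'
                               Target = "$($mbx.ForwardingSmtpAddress)"; Rule = '' }
        }
        # ForwardingAddress points at a recipient object (often a mail contact for an external
        # address); it is admin-set, so report it regardless and let the reviewer decide
        if ($mbx.ForwardingAddress) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingAddress'
                               Target = "$($mbx.ForwardingAddress)"; Rule = '' }
        }
        # 2. Inbox rules that forward or redirect. Recipients render as: "Name" [SMTP:user@domain]
        #    Get-InboxRule runs once per mailbox, so expect this loop to be slow on large tenants
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                if ("$t" -match '\[SMTP:([^\]]+)\]' -and (Test-ExternalAddress $Matches[1])) {
                    [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                                       Target = $Matches[1]
                                       Rule   = "$($rule.Name) (Enabled=$($rule.Enabled))" }
                }
            }
        }
    }
}

$findings = @(Get-ExternalForwarding)
$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Keep a CSV so the next run can be compared against this one to spot newly added forwarding
$findings | Export-Csv -Path .\external-forwarding.csv -NoTypeInformation
```

Out-of-office forwarding rules created in Outlook are not returned by Get-InboxRule, so this inventory covers the first four rows of the comparison table in this post, not every forwarding path.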
Before discussing how to control automatic forwarding, let’s review a few different ways in which automatic forwarding can be set up:
Administrators have several methods to prevent and regulate automatic forwarding of emails outside the organization:
Recently released, this feature is available in the (updated) Microsoft 365 Defender portal under Outbound spam filter policy (to get the exact portal page, go here). As you see in the following screenshot, there are three possible options. The default configuration is “Automatic system-controlled.” The other options are Off and On: “Off” means auto forward is disabled and “On” means auto forward is enabled.
Note: If you see the option set as “Automatic system-controlled”, most probably you have not configured the setting at all. For tenants where the setting is left at “Automatic system-controlled”, as we continue to move the service toward being more secure by default, this setting will be enforced and behave as “Off” (forwarding disabled). This enforcement process has started in phases, and very soon all tenants will have this setting enforced. Therefore, “Automatic system-controlled” will behave as “Off” and automatic forwarding will not work. Our recommendation is that all customers configure the policy as appropriate for their organization and enable external auto forwarding only for the users who really need it (by leaving the default policy in the disabled state, creating a different policy that allows forwarding, and then assigning it to specific mailboxes only). If, for your tenant, “Automatic system-controlled” still does not block email forwarding, you should make this change as soon as possible (soon, it will).
When external automatic forwarding is blocked by the Outbound spam filter policy, an NDR is sent back to the original sender, not to the mailbox that is forwarding the message. The NDR will contain the following diagnostic information:
Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7550)'
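The recommended layout from the note above (default policy Off, a second policy that allows forwarding, assigned to specific mailboxes only), as an added Exchange Online PowerShell example that is not from the original post. It assumes Connect-ExchangeOnline has been run; the policy and rule names and the user addresses are placeholders.

```powershell
# Added example, not part of the original post. Assumes an active Connect-ExchangeOnline session.

# Show the current state. AutoForwardingMode "Automatic" is the portal's
# "Automatic system-controlled" setting, which the post says will behave as Off
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, IsDefault, AutoForwardingMode

# 1. Explicitly disable external auto forwarding in the default policy instead of
#    relying on the system-controlled value
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Create a second policy that allows it, plus a rule that scopes that policy
#    to the named senders only (placeholder addresses)
$allowedSenders = @('alice@contoso.example', 'ar-shared@contoso.example')

New-HostedOutboundSpamFilterPolicy -Name 'Allow external auto forward' -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name 'Allow external auto forward' `
    -HostedOutboundSpamFilterPolicy 'Allow external auto forward' `
    -From $allowedSenders

# 3. Verify: the custom rule should be Enabled and list exactly the intended senders;
#    everyone not matched by a rule falls through to the default policy (Off)
Get-HostedOutboundSpamFilterRule |
    Format-Table Name, State, Priority, From, HostedOutboundSpamFilterPolicy -AutoSize
```

Because the default policy is evaluated only for senders not matched by any rule, removing a user from the rule's From list is enough to revoke their forwarding permission.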
Advantages of this method:
Disadvantages of this method:
This option is available under the Mail flow tab in the new Exchange Admin Center preview:
Advantages of this method:
Disadvantages of this method:
You can create a transport rule from Exchange Admin Center > Mail Flow > Rules to block automatic forward:
Advantages of this method:
Disadvantages of this method:
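As an added example (not from the original post), the same block as the EAC rule described above, created with Exchange Online PowerShell: auto-forwarded messages leaving the organization are rejected with an NDR, with an exception for the members of a placeholder group who are allowed to forward. It assumes Connect-ExchangeOnline has been run; the rule name, group address and reject text are placeholders.

```powershell
# Added example, not part of the original post. Assumes an active Connect-ExchangeOnline session.

# Block auto-forwarded messages that originate inside the organization and are
# addressed outside it. Rejecting (rather than deleting) is what produces the NDR
# to the original sender that the comparison table refers to.
New-TransportRule -Name 'Block external auto forward' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFromMemberOf 'forwarding-allowed@contoso.example' `
    -RejectMessageReasonText 'External auto forwarding is not allowed. Contact your administrator.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Confirm the rule is enabled and check where it sits in the evaluation order,
# since an earlier rule that stops processing would bypass it
Get-TransportRule -Identity 'Block external auto forward' |
    Format-List Name, State, Priority, MessageTypeMatches, SentToScope, ExceptIfFromMemberOf
```

Unlike the Outbound spam filter policy, this rule also catches messages forwarded by Power Automate / Flow, but not the OWA ForwardingSmtpAddress setting, as the comparison table shows.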
While this is not really a method of blocking forwarding, it is related in that it can remove the forwarding options from users who are using Outlook on the web.
Advantages of this method:
Disadvantages of this method:
If you want to quickly compare various methods, you can refer to the following table:
| Automatic forwarding option | Remote domain | Transport rule | Outbound spam filter policy |
|---|---|---|---|
| Block Outlook forwarding using inbox rules | Yes | Yes | Yes |
| Block Outlook forwarding configured using OOF rule | Yes | Yes | Yes |
| Block OWA forwarding setting (ForwardingSmtpAddress) | Yes | No | Yes |
| Block external forwarding set by the admin using EAC (ForwardingSMTPAddress) | Yes | No | Yes |
| Block forwarding using Power Automate / Flow | No | Yes | No |
| Does the sender get NDR when auto forward is blocked? | No | Yes | Yes |
| Customization and granular control | No | Yes | Yes |
One question we encounter frequently is: how do all these techniques work together? What if auto forward is blocked by one of the above methods but allowed by another? For example, auto forward is blocked by a remote domain setting or a transport rule but allowed in the Outbound spam filter policy; what happens? The answer is that a restriction in any one place restricts auto forward overall.
For example:
Will the automatically forwarded message be blocked by the remote domain? Yes; the remote domain setting would block the automatic forward, as would an Exchange transport rule.
Depending on what you want to achieve, you can use a combination of the above features. There’s no one-size-fits-all option. You can implement all four options if you really want, depending on your requirements. For example, the remote domain option controls the recipient domain and comes in handy if you want to restrict auto forwarding to all but a few external domains. Outbound spam filter policies, on the other hand, control the sender. If you want to allow external auto forwarding for only a few mailboxes (users with genuine business requirements to configure automatic forwarding) and block external auto forwarding for everyone else, the Outbound spam filter policy is the preferred option. Or you can use a combination of these two options if you want to allow auto forwarding only from a few mailboxes and only to a few external domains. Here is another example which is slightly more complex:
Let’s say you have the following requirements:
There are multiple methods to achieve this, the following is one such solution:
But wait, there is more!
To protect you further from attackers when a user mailbox is compromised (and external automatic forwarding could be enabled without the user's knowledge), a new Email Forward Alert Policy has recently been released, available under Alert Policies in our Security & Compliance portal. It is called “Suspicious Email Forwarding Activity.” This new alert tracks all "forwarding scenarios" and detects when a user has automated the sending of messages external to the organization. Once we find any suspicious activity, we alert the tenant administrator once per day for as long as the user continues to forward to that external recipient. This policy has a Medium severity setting. Although it is rare, an alert generated by this policy may be an anomaly. Administrators should always check to confirm whether the user account is compromised. A screenshot of the policy:
A sample alert sent to the administrator:
That’s it for now! Hope you find this helpful. I also want to take a moment to thank Mike Brown, Nino Bilic for reviewing this.
Arindam Thokder