Aug 14 2019 04:41 AM
Hello
We have a rule set up in Exchange Online which successfully blocks emails that satisfy a "Block Automatic forwarding of mail to external domains" policy rule.
I can see the report which shows a "rule hit" and get an email notification every time the rule is hit as well. I don't, however, see a report of the evidence of the blocked emails. Is this possible?
So "Show me a list of actual blocked emails" rather than "show me a list of rule hits" if that makes sense.
The problem is I cannot distinguish between rule hits and blocks, as currently, the notification shows:
"Rule Hit: Block Client Forwarding to an external domain, Action: AuditSeverityLevel, RejectMessage, GenerateIncidentReport" but it shows the same message for auto-forwarded emails inside the domain as well.
Hope that makes sense
Thanks in advance
Aug 14 2019 10:29 AM
@Christo De Lange Solution/Workaround -
1. Create a Shared Mailbox dedicated for this specific purpose.
2. In your existing Transport rule for blocking auto-forward to external domains < Add additional action < send a copy / bcc the email to < Newsharedmailbox@domain.com.
3. Apply < ok < Enforced < High Severity audit.
This gives you a copy of the emails (which are actually blocked from being auto-forwarded).
Test to see if it works, else we can probably go for another workaround in that case. You can have many actions to corresponding conditions defined in a Transport Rule.
Cheers!
Ankit Shukla
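The three steps in the answer above, expressed in Exchange Online PowerShell. This is an added example, not part of the original post. It assumes an already connected session (`Connect-ExchangeOnline`), that the rule carries the name shown in the notification quoted in the question, and that the placeholder address from the answer is replaced with one in an accepted domain of your tenant; the mailbox display name is hypothetical.

```powershell
# Added example: not from the original thread.
# Assumption: the transport rule is named as in the quoted "Rule Hit" notification.
$ruleName  = 'Block Client Forwarding to an external domain'
# Placeholder address taken from the answer; replace with a real address in your tenant.
$auditSmtp = 'Newsharedmailbox@domain.com'

# Step 1: create the dedicated shared mailbox only if it does not exist yet.
if (-not (Get-Mailbox -Identity $auditSmtp -ErrorAction SilentlyContinue)) {
    # 'Blocked Auto-Forward Copies' is a hypothetical display name.
    New-Mailbox -Shared -Name 'Blocked Auto-Forward Copies' `
        -PrimarySmtpAddress $auditSmtp | Out-Null
}

# Step 2: read the existing rule and add the shared mailbox as a Bcc recipient,
# keeping any Bcc recipients that are already configured on the rule.
$rule = Get-TransportRule -Identity $ruleName -ErrorAction Stop
$bcc  = @($rule.BlindCopyTo) + $auditSmtp |
        Where-Object { $_ } |
        Select-Object -Unique

# Step 3: apply the change, enforce the rule and audit hits at high severity.
Set-TransportRule -Identity $ruleName `
    -BlindCopyTo $bcc `
    -SetAuditSeverity High `
    -Mode Enforce

# Confirm what the rule now does before testing with a forwarded message.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, BlindCopyTo, SetAuditSeverity
```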
Aug 14 2019 10:47 AM
You can get this data from the message trace: https://docs.microsoft.com/en-us/office365/securitycompliance/message-trace-scc