A very popular attack upon breached email accounts since the forwarding feature became available is for the attacker to create a auto-forwarding rule in the users mailbox to essentialy receive a copy of all mail that is sent to that account. This forwarding is extremely quick to set up and not easily found as most users do not regularly check their mailbox rules.

It has become common practice to disable external auto-forwarding as part of a standard build of any mail system and for Exchange Online, it has been built in as an option to disable. Previously this needed to be changed for most tenancies as the default setting “Automatic”, allows auto-forwarding.

As of 16/09/20, Microsoft are rolling out a change to this default setting. Going forward, the “automatic” setting will disable auto-forwarding. Any tenancies which have the default setting should review their requirement for auto-forwarding and assess if it is required.

If auto-forwarding is unavoidable in the organization, there are several options to help protect against malicious attacks.

New inbox rules which set up auto-forwarding can be detected using an alert policy in the Security and Compliance Center to help give visibility of when forwarding rules are enabled. This is a default alert but I’d recommend increasing the severity.

Existing inbox rules can be assessed with some quick Exchange Online PowerShell. For large environments it may be worthwhile exporting this out to CSV for review.

Finally, if auto-forwarding is a must, we can lock down who we auto-forward to. We can do this by first creating a new remote domain in Exchange Online and allowing auto-forwarding on that domain. Then we can freely disable auto-forwarding on the Default remote domain.

Ideally the changes Microsoft are making do not affect your environment as auto-forwarding is not enabled currently but if it is a business requirement, hopefully the above suggestions will help to secure and control auto-forwarding.