Securing Email Forwarding in Exchange Online

Best Practices for Administrators

The two types of e-mail forwarding

Email forwarding in Exchange Online can be configured in two places:

1) Inbox Rules Forwarding (Outlook)

Normal users can configure forwarding themselves by creating inbox rules that automatically forward messages to another address, directly from the Outlook application:



2) SMTP Forwarding (Exchange Admin Portal)

Administrative users can set up SMTP forwarding to redirect emails to another address directly from the Exchange Admin Center.


How to audit e-mail forwarding in your organization?

To audit e-mail forwarding in your organization, you can open the Exchange Online report that lists all auto-forwarded messages:


Or you can run PowerShell commands such as the ones described in the article here:

You can also configure alerts so that you are notified whenever a forwarding rule is created:
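As an added example (not a script from the original article), the following Exchange Online PowerShell snippet enumerates both kinds of forwarding described above in one pass: mailbox-level SMTP forwarding set by administrators and inbox rules created by users in Outlook. It assumes the ExchangeOnlineManagement module is installed and the account has an Exchange administrator role; the approved-domain list and the output path are placeholders to adapt.

```powershell
# Added example: audit both mailbox-level forwarding and inbox-rule forwarding.
# Assumes the ExchangeOnlineManagement module and an admin role.
Connect-ExchangeOnline

# Your own domains plus any explicitly approved destinations (placeholder values).
$approvedDomains = @('contoso.com', 'invoices.example.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Mailbox forwarding looks like "smtp:user@domain"; inbox-rule targets look
    # like "Display Name [SMTP:user@domain]". A regex covers both shapes.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return ($approvedDomains -notcontains $Matches[1].ToLower())
    }
    return $false
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($mbx in $mailboxes) {
    # 1) SMTP forwarding configured on the mailbox (Exchange Admin Center / Set-Mailbox)
    if ($mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = 'MailboxForwarding'
            RuleName = ''
            Target   = "$($mbx.ForwardingSmtpAddress)"
            KeepCopy = $mbx.DeliverToMailboxAndForward
            External = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
        }
    }

    # 2) Inbox rules that forward, forward as attachment, or redirect (set in Outlook)
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }

    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            $findings += [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Type     = 'InboxRule'
                RuleName = $rule.Name
                Target   = "$t"
                KeepCopy = -not $rule.RedirectTo   # redirects leave no copy in the mailbox
                External = Test-ExternalAddress "$t"
            }
        }
    }
}

# External destinations first: that is the list to review against business needs.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation
```

The `External` column is what you compare against the legitimate business cases mentioned below; anything flagged external that has no known justification is a candidate for removal, and the CSV gives you a baseline to diff against on the next run.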

From there, you might have noticed forwards that appear legitimate from a business perspective.

However, there might also be e-mail forwards to personal mailboxes or unknown domains that you wish to prevent.

How to restrict the domains that are allowed to receive forwarded e-mails?

Here’s how you can manage and restrict such forwarding:

1- Configure the Default Outbound Anti-Spam Policy:

Enable automatic forwarding in the default outbound anti-spam policy.


If automatic forwarding is blocked at this level, all forwarded e-mails are stopped, regardless of destination. Since it is usually necessary to allow forwarding to certain domains (for example, to forward invoices to the mailbox used by an automated invoice-management SaaS solution), this setting should be enabled and the restriction applied per domain in the next steps.

2- Configure “Remote Domains” Rules:

Create “remote domain” entries to authorize the forwarding of e-mails to the specific domains that are considered legitimate and safe destinations for forwarded messages:


3- Adjust the Default “Remote Domains” Rule:

Modify the default “remote domains” entry to block forwarded e-mails unless the destination domain has been specifically authorized as outlined in step 2:


If you would like to further control who is authorized to forward emails to the approved remote domains, follow these two additional steps:

4- Create an outbound anti-spam policy that authorizes a list of users to forward e-mails:


5- Configure the “default” outbound anti-spam policy to disallow automatic forwarding:


By implementing these five steps, you will have effectively controlled automatic email forwarding within your organization.
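The same five steps can be applied from Exchange Online PowerShell instead of the admin portal. The script below is an added example, not the article's own procedure; the remote-domain names, destination domains, policy name and sender addresses are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example: apply the five steps with Exchange Online PowerShell.
# All domain names, policy names and addresses below are placeholders.
Connect-ExchangeOnline

# Set to $true to also apply steps 4 and 5 (restrict *who* may forward).
$restrictToListedUsers = $false

# Step 1: keep automatic forwarding allowed in the default outbound spam policy,
# so that the remote-domain settings (steps 2 and 3) decide what is permitted.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On

# Step 2: one remote-domain entry per approved destination, with auto-forward allowed.
$allowedDomains = @{
    'InvoiceSaaS' = 'invoices.example.com'   # placeholder: automated invoice-management SaaS
}
foreach ($entry in $allowedDomains.GetEnumerator()) {
    if (-not (Get-RemoteDomain -Identity $entry.Key -ErrorAction SilentlyContinue)) {
        New-RemoteDomain -Name $entry.Key -DomainName $entry.Value | Out-Null
    }
    Set-RemoteDomain -Identity $entry.Key -AutoForwardEnabled $true
}

# Step 3: the Default remote domain (every domain not matched above) blocks auto-forwarding.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

if ($restrictToListedUsers) {
    # Step 4: a dedicated outbound spam policy that allows forwarding for named users only.
    $allowedSenders = @('finance-bot@contoso.com')   # placeholder
    if (-not (Get-HostedOutboundSpamFilterPolicy -Identity 'AllowForwarding' -ErrorAction SilentlyContinue)) {
        New-HostedOutboundSpamFilterPolicy -Name 'AllowForwarding' -AutoForwardingMode On | Out-Null
        New-HostedOutboundSpamFilterRule -Name 'AllowForwarding' `
            -HostedOutboundSpamFilterPolicy 'AllowForwarding' -From $allowedSenders | Out-Null
    }

    # Step 5: the Default policy now denies automatic forwarding for everyone else.
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
}

# Verify the resulting state: only approved domains should show AutoForwardEnabled = True,
# and the policy table shows which users (if any) are still allowed to forward.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

Re-run the verification lines after any change made in the portal: the two `Get-` commands are a quick way to confirm that nobody has quietly re-enabled forwarding on the Default remote domain or the default outbound policy.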

Your organization is now protected against data leaks through the forwarding of emails to external entities over which you have no control.

Official documentation from Microsoft :