3 ways to Protect Exchange Online from Data Exfiltration (Auto-Forwarding Rules)

I – Introduction

Auto-forwarding email rules in Exchange Online can be exploited by attackers to exfiltrate sensitive data. If a compromised account has auto-forwarding enabled, all incoming emails can be silently redirected to an external address, posing a serious security risk. To prevent this, it is essential to block auto-forwarding rules at the organization level.

In this article, we will walk through the steps to prevent auto-forwarding to external domains, enhancing the security of your Microsoft 365 environment.

II – Why Block Auto-Forwarding?

Attackers often use auto-forwarding as part of their tactics to:

  • Exfiltrate sensitive information without triggering user suspicion.
  • Maintain persistence in a compromised account.
  • Bypass security monitoring by redirecting emails before they reach inbox protections.

By blocking auto-forwarding, organizations can mitigate the risk of unauthorized data transfer and maintain control over email communications.

III – Three Ways to Block Auto-Forwarding

1 – Configure an Exchange Online Mail Flow Rule

To block auto-forwarding, you can create a mail flow rule (also known as a transport rule) in Exchange Online.

  1. Sign in to the Exchange Admin Center (EAC).
  2. Go to Mail flow > Rules.
  3. Click + Add a rule, then select Create a new rule.
  4. Name the rule, for example: “Block Auto-Forwarding to External Domains”.
  5. Under Apply this rule if, choose The recipient is outside the organization.
  6. Add another condition: Message type = AutoForward.
  7. Under Do the following, choose Block the message > Reject the message with an explanation.
  8. In the explanation box, enter a message like: Auto-forwarding to external addresses is not allowed by policy.
  9. Add another action: Generate incident report to (Helpdesk email address).
  10. Click Save to apply the rule.

2 – Disable Auto-Forwarding at the Tenant Level through PowerShell

Another layer of protection is to disable auto-forwarding at the tenant level using PowerShell.

Connect to Exchange Online PowerShell:

Connect-ExchangeOnline

Disable Auto-Forwarding to External Domains:

Set-RemoteDomain Default -AutoForwardEnabled $false

This ensures that even if users attempt to set up forwarding rules, they will be blocked at the tenant level.

3 – Block Auto-Forwarding with an Outbound Policy

  • Go to “Microsoft Defender”.
  • Select Policies & Rules > Threat Policies > Anti-spam policies.
  • Click “Create Policy”, then select “Outbound”.
  • Give a name to your policy.
  • Add the domains to use for blocking auto-forwarding.
  • Select “Off – Autoforwarding is disabled”.
  • Add a mailbox to notify when someone tries to auto-forward; I have added the “helpdesk” mailbox to automatically open a ticket.
  • Click “Create”.
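To confirm that the three controls above are actually in force, the following read-only check reports their current state and lists any gaps. It is an added example, not part of the original article, and it assumes an existing Connect-ExchangeOnline session. It looks at every remote domain entry because an entry for a specific domain is evaluated in place of Default for that domain.

```powershell
# Added example (read-only). Assumes Connect-ExchangeOnline has already been run.

# 1 - Mail flow rules that match auto-forwarded messages
$rules = Get-TransportRule | Where-Object { $_.MessageTypeMatches -eq 'AutoForward' }

# 2 - Every remote domain entry, not only Default
$remoteDomains = Get-RemoteDomain

# 3 - Outbound anti-spam policies
$outbound = Get-HostedOutboundSpamFilterPolicy

$gaps = @()

if (-not $rules) {
    $gaps += 'No mail flow rule matches message type AutoForward.'
}
foreach ($r in $rules) {
    # A rule that is disabled or in a test mode does not reject anything
    if ($r.State -ne 'Enabled' -or $r.Mode -ne 'Enforce') {
        $gaps += "Mail flow rule '$($r.Name)' is $($r.State) in mode $($r.Mode)."
    }
}
foreach ($d in $remoteDomains | Where-Object { $_.AutoForwardEnabled }) {
    $gaps += "Remote domain '$($d.Name)' ($($d.DomainName)) still allows auto-forwarding."
}
foreach ($p in $outbound | Where-Object { $_.AutoForwardingMode -ne 'Off' }) {
    $gaps += "Outbound policy '$($p.Name)' has AutoForwardingMode = $($p.AutoForwardingMode)."
}

# Current state of each control, followed by the gaps found
$rules         | Format-Table Name, State, Mode, SentToScope
$remoteDomains | Format-Table Name, DomainName, AutoForwardEnabled
$outbound      | Format-Table Name, AutoForwardingMode

if ($gaps) { $gaps | ForEach-Object { Write-Warning $_ } }
else       { Write-Output 'No gaps found in the three controls.' }
```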

IV – Monitor and Audit Forwarding Rules

To check for existing forwarding rules, run the following PowerShell command:

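Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress } | Where-Object {$_.ForwardTo -ne $null -or $_.ForwardAsAttachmentTo -ne $null -or $_.RedirectTo -ne $null} | Select-Object Name, Identity, ForwardTo, ForwardAsAttachmentTo, RedirectTo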

If you find unauthorized forwarding rules, you can remove them manually or automate their removal.
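The audit below goes further than the one-liner above: it also reports forwarding configured on the mailbox itself and marks which targets are outside the tenant's accepted domains. It is an added example, not the author's script; the function name Get-ExternalSmtpTarget is hypothetical, and the script assumes that external recipients in rule output are rendered with an "SMTP:user@domain" token.

```powershell
# Added example (read-only). Assumes Connect-ExchangeOnline has already been run.
[string[]]$internal = (Get-AcceptedDomain).DomainName   # domains owned by the tenant

function Get-ExternalSmtpTarget {   # hypothetical helper name
    param([object[]]$Recipients)
    # Assumption: external targets appear as "[SMTP:user@domain]" or "smtp:user@domain"
    $text = $Recipients -join ';'
    foreach ($m in [regex]::Matches($text, '(?i)smtp:([^\]\s;]+@([^\]\s;]+))')) {
        if ($internal -notcontains $m.Groups[2].Value) { $m.Groups[1].Value }
    }
}

$findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Forwarding set on the mailbox itself (not visible to Get-InboxRule)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'Mailbox setting'
            Rule     = ''
            Enabled  = $true
            Target   = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            # ForwardingAddress may be a mail contact; resolve those separately
            External = @(Get-ExternalSmtpTarget $mbx.ForwardingSmtpAddress) -join ', '
        }
    }
    # Inbox rules: forward, forward as attachment, redirect
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) +
                   @($rule.RedirectTo) | Where-Object { $_ }
        if ($targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = 'Inbox rule'
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                Target   = $targets -join '; '
                External = @(Get-ExternalSmtpTarget $targets) -join ', '
            }
        }
    }
}

# Findings with an external target are listed first
$findings | Sort-Object { -not $_.External } | Format-Table -AutoSize -Wrap
```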

V – Best Practices for Enhanced Security

  • Enable Microsoft Defender for Office 365 to detect suspicious email behaviors.
  • Configure alerts in Microsoft 365 Security & Compliance Center to notify administrators of unauthorized auto-forwarding attempts.
  • Educate users about phishing risks and encourage the use of Multi-Factor Authentication (MFA) to prevent account compromise.

VI – Conclusion

Blocking auto-forwarding rules in Exchange Online is a critical step in preventing data exfiltration and protecting organizational security. By implementing mail flow rules, disabling forwarding at the tenant level, or creating an outbound policy, organizations can significantly reduce the risk of unauthorized data leaks.

By taking proactive measures, IT administrators can ensure that sensitive information remains within their control, enhancing the overall security posture of their Microsoft 365 environment.

Stay secure, stay protected 🔒

Thanks

Aymen EL JAZIRI (Microsoft MVP)