Office365 Auto-Forwarding Policy and Exceptions [CHK-1049]
This check is the second half of a two-part control (together with CHK-1036) that restricts automatic email forwarding to a specific allow-list of users.
CHK-1049 verifies that the Hosted Outbound Spam Filter is configured so that the Default policy blocks auto-forwarding for everyone, while a dedicated [ATTIC] auto forward policy allows it only for the users listed in the autoforwardwhitelist configuration. The check also verifies that the rule's allow-list stays in sync with the exceptions submitted to Attic.
Rationale
Attackers often abuse auto-forwarding rules in Business Email Compromise (BEC) or CEO fraud. They gain access to an employee's mailbox, forward all emails to themselves, and use the information to send misleading emails with the aim of transferring money to themselves. Therefore, auto-forwarding should be restricted and only allowed as an exception.
Fix
An automated fix is available through Attic.
Prerequisite: CHK-1036 must be applied first. Auto-forwarding in Exchange Online is gated by two independent layers: the Default Remote Domain (AutoForwardEnabled) and the Hosted Outbound Spam Filter policy (AutoForwardingMode). Both must allow forwarding for a message to be forwarded. If AutoForwardEnabled is still $false on the Default Remote Domain, Exchange Online blocks auto-forwarding for everyone regardless of the policy below, so the per-user allow-list configured here appears to do nothing.
Manual steps:
- Connect to Exchange Online:
Connect-ExchangeOnline
- Create a "Hosted outbound spam filter policy" that allows auto-forwarding:
New-HostedOutboundSpamFilterPolicy -Name "[ATTIC] auto forward policy" -AutoForwardingMode On
- Create a rule that applies this policy only to the allow-listed users (the -From list must match the exceptions submitted to Attic):
New-HostedOutboundSpamFilterRule -Name "[ATTIC] auto forward rule" -HostedOutboundSpamFilterPolicy "[ATTIC] auto forward policy" -From "user1@example.com","user2@example.com"
- Turn auto-forwarding off in the Default policy, which applies to every user the rule does not match. Note that the value Automatic is not the same as an explicit Off for the purposes of this check:
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
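The following script is an added example, not Attic's own fix or check code. It runs the three manual steps above idempotently (so it can be re-run after the allow-list changes) and then performs the verification CHK-1049 describes: Default policy Off, the [ATTIC] policy On, the rule enabled, the rule's From list equal to the approved exception list, and the CHK-1036 Remote Domain layer not silently blocking everything. The $AllowList variable is an assumption standing in for the exceptions submitted to Attic; the policy and rule names are the ones from the manual steps.

```powershell
# Added example (not Attic code). Assumes an active Exchange Online session and
# that $AllowList mirrors the exceptions approved in Attic.
$PolicyName = "[ATTIC] auto forward policy"
$RuleName   = "[ATTIC] auto forward rule"
$AllowList  = @("user1@example.com", "user2@example.com")   # assumed exception list

Connect-ExchangeOnline

# 1. Allow policy: create it if missing, otherwise make sure forwarding is On.
$policy = Get-HostedOutboundSpamFilterPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On | Out-Null
} elseif ($policy.AutoForwardingMode -ne "On") {
    Set-HostedOutboundSpamFilterPolicy -Identity $PolicyName -AutoForwardingMode On
}

# 2. Rule: scope the allow policy to exactly the allow-listed senders.
#    On re-runs the From list is overwritten, which removes users whose exception was revoked.
$rule = Get-HostedOutboundSpamFilterRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-HostedOutboundSpamFilterRule -Name $RuleName -HostedOutboundSpamFilterPolicy $PolicyName -From $AllowList | Out-Null
} else {
    Set-HostedOutboundSpamFilterRule -Identity $RuleName -HostedOutboundSpamFilterPolicy $PolicyName -From $AllowList
}

# 3. Everyone the rule does not match falls through to Default: forwarding Off there.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. Verify the resulting state (this is the CHK-1049 check itself).
$default  = Get-HostedOutboundSpamFilterPolicy -Identity Default
$policy   = Get-HostedOutboundSpamFilterPolicy -Identity $PolicyName
$rule     = Get-HostedOutboundSpamFilterRule   -Identity $RuleName
# The rule's From property is compared as lower-cased SMTP addresses.
$ruleFrom = @($rule.From   | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)
$expected = @($AllowList   | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)
$drift    = Compare-Object -ReferenceObject $expected -DifferenceObject $ruleFrom

$findings = @()
# "Automatic" is reported as a finding on purpose: the check wants an explicit Off.
if ($default.AutoForwardingMode -ne "Off") { $findings += "Default policy AutoForwardingMode is $($default.AutoForwardingMode), expected Off" }
if ($policy.AutoForwardingMode  -ne "On")  { $findings += "$PolicyName AutoForwardingMode is $($policy.AutoForwardingMode), expected On" }
if ($rule.State -ne "Enabled")             { $findings += "$RuleName is $($rule.State), expected Enabled" }
foreach ($d in $drift) {
    if ($d.SideIndicator -eq "<=") { $findings += "Approved exception missing from rule: $($d.InputObject)" }
    else                           { $findings += "User in rule without an approved exception: $($d.InputObject)" }
}

# 5. The Remote Domain layer (CHK-1036) must allow forwarding or nothing above takes effect.
$remote = Get-RemoteDomain -Identity Default
if (-not $remote.AutoForwardEnabled) { $findings += "Default Remote Domain AutoForwardEnabled is False; apply CHK-1036 first" }

if ($findings.Count -eq 0) {
    "CHK-1049: PASS"
} else {
    "CHK-1049: FAIL"
    $findings | ForEach-Object { " - $_" }
}
```

Run it as a user holding the Exchange Online Security Administrator or Organization Management role. The drift comparison is symmetric on purpose: a user present in the rule but absent from the approved list is as much a finding as an approved user missing from the rule, since the former is how a stale exception keeps forwarding open after it was meant to be revoked.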
Impact
This fix blocks the ability to automatically forward emails and allows it for an explicit list of users. It ensures that the users allowed to forward are in sync with the exceptions that were submitted to Attic, enhancing the organization's protection against BEC and CEO fraud.
More Information
- See also CHK-1036 (the Remote Domain layer — must be enabled for this check to work).
- Protection against BEC and CEO Fraud
- Auto-forwarding in Office365
- Checks & Fixes
- Exceptions