Office365 Auto-Forwarding Policy and Exceptions [CHK-1049]
This check verifies that the auto-forwarding policy is active and configured so that only specific users can automatically forward emails. It also ensures that the list of users allowed to forward matches the exceptions submitted to Attic.
Rationale
Attackers often abuse auto-forwarding rules in Business Email Compromise (BEC) or CEO fraud. They gain access to an employee's mailbox, forward all emails to themselves, and use the information to send misleading emails with the aim of transferring money to themselves. Therefore, auto-forwarding should be restricted and only allowed as an exception.
Fix
An automated fix is available through Attic.
Manual steps:
- Connect to Exchange Online:
  Connect-ExchangeOnline
- Create a "Hosted outbound spam filter policy" that enables auto-forwarding:
  New-HostedOutboundSpamFilterPolicy -Name "[ATTIC] auto forward policy" -AutoForwardingMode On
- Create a rule that applies this policy to the selected users only:
  New-HostedOutboundSpamFilterRule -Name "[ATTIC] auto forward rule" -HostedOutboundSpamFilterPolicy "[ATTIC] auto forward policy" -From "user1@example.com","user2@example.com"
- Turn auto-forwarding off in the default policy so that all other users are blocked:
  Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off
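The following audit script is an added example, not part of the Attic check or Microsoft's own tooling: it reads back the configuration the steps above create and compares the rule's allowed senders with an expected exception list. It assumes an active Connect-ExchangeOnline session, the policy and rule names used above, the AutoForwardingMode, State, From and HostedOutboundSpamFilterPolicy properties returned by the Get-HostedOutboundSpamFilter* cmdlets, and a constructed $ExpectedExceptions list standing in for the exceptions recorded in Attic.

```powershell
# Added example (not Attic or Microsoft code): audit the configuration the steps above create
# and compare the allowed senders with an expected exception list. Assumes an active
# Connect-ExchangeOnline session; $ExpectedExceptions is a constructed stand-in for the
# exceptions recorded in Attic.
$PolicyName = "[ATTIC] auto forward policy"
$RuleName   = "[ATTIC] auto forward rule"
$ExpectedExceptions = @("user1@example.com", "user2@example.com")   # constructed sample
$findings = @()

# 1. The default policy must block auto-forwarding for everyone not covered by the exception rule.
$default = Get-HostedOutboundSpamFilterPolicy -Identity "Default"
if ($default.AutoForwardingMode -ne "Off") {
    $findings += "Default policy AutoForwardingMode is '$($default.AutoForwardingMode)', expected 'Off'"
}

# 2. The exception policy must exist and explicitly allow auto-forwarding.
$policy = Get-HostedOutboundSpamFilterPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $findings += "Exception policy '$PolicyName' not found"
} elseif ($policy.AutoForwardingMode -ne "On") {
    $findings += "Exception policy AutoForwardingMode is '$($policy.AutoForwardingMode)', expected 'On'"
}

# 3. The rule must be enabled, bound to the exception policy, and its sender list must match
#    the approved exceptions exactly: an extra address is an unapproved forwarder.
$rule = Get-HostedOutboundSpamFilterRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += "Exception rule '$RuleName' not found"
} else {
    if ($rule.State -ne "Enabled") { $findings += "Rule '$RuleName' is disabled" }
    if ($rule.HostedOutboundSpamFilterPolicy -ne $PolicyName) {
        $findings += "Rule '$RuleName' is bound to '$($rule.HostedOutboundSpamFilterPolicy)', expected '$PolicyName'"
    }
    $expected = @($ExpectedExceptions | ForEach-Object { $_.ToLower() })
    $actual   = @($rule.From | ForEach-Object { $_.ToString().ToLower() })
    foreach ($d in (Compare-Object -ReferenceObject $expected -DifferenceObject $actual)) {
        if ($d.SideIndicator -eq "=>") { $findings += "Unapproved forwarder allowed: $($d.InputObject)" }
        else { $findings += "Approved exception missing from rule: $($d.InputObject)" }
    }
}

# 4. Any other policy with auto-forwarding on widens the exception beyond the rule above.
$others = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.Name -ne $PolicyName -and $_.AutoForwardingMode -eq "On" }
foreach ($p in $others) { $findings += "Policy '$($p.Name)' also enables auto-forwarding" }

if ($findings.Count -eq 0) { Write-Output "CHK-1049: PASS" }
else { $findings | ForEach-Object { Write-Output "CHK-1049: FAIL - $_" } }
```

Run it after the manual steps (or after the automated fix) to confirm the tenant matches the approved exception list before closing the finding.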
Impact
This fix blocks automatic forwarding of emails for everyone except an explicit list of users. It keeps the users allowed to forward in sync with the exceptions that were submitted to Attic, strengthening the organization's protection against BEC and CEO fraud.