
Preventing Email Auto-forwarding in Office365 [CHK-1036]

This check is the first half of a two-part control that restricts automatic email forwarding to a specific allow-list of users. CHK-1036 covers the Remote Domain layer in Exchange Online; CHK-1049 then handles the fine-grained exceptions through the Hosted Outbound Spam Filter.

The Default remote domain is a tenant-wide on/off switch for automatic forwarding. When AutoForwardEnabled is set to $false on it, Exchange Online blocks auto-forwarding for every user — including people who are legitimately allowed to forward. To be able to carve out per-user exceptions through CHK-1049, this layer must be open. CHK-1036 therefore verifies and enforces that AutoForwardEnabled = $true on the Default remote domain. The actual blocking for everyone-except-the-allow-list then happens in CHK-1049.

Rationale

Attackers running Business Email Compromise (BEC) or CEO fraud are notorious abusers of automatic forwarding rules. They gain access to an employee's mailbox and silently auto-forward all incoming mail to themselves, leading to financial fraud and data leaks. Automatic forwarding of email outside the organization should therefore be tightly restricted, and only permitted by exception.

Fix

An automated fix is available through Attic. Make sure to enable CHK-1036 and CHK-1049 together — enabling only CHK-1036 will in fact allow forwarding at the remote-domain layer without the restriction from CHK-1049 on top of it.

Manual steps:

  1. Connect to Exchange Online via Connect-ExchangeOnline.
  2. Open the Remote Domain layer by setting AutoForwardEnabled to $true on the Default remote domain:
     Set-RemoteDomain -Identity "Default" -AutoForwardEnabled $true
  3. Then apply CHK-1049 to block auto-forwarding in the Default Hosted Outbound Spam Filter policy and allow only a specific group of users to forward.
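The following PowerShell audit is an added example, not code from the article or from Attic: it reads both layers described above and flags the "CHK-1036 without CHK-1049" state the Fix section warns about. It assumes an existing Connect-ExchangeOnline session, and it reads the Hosted Outbound Spam Filter layer through the policy's AutoForwardingMode property, which the article refers to but does not name.

```powershell
# Added example: audit the two auto-forwarding layers (CHK-1036 / CHK-1049).
# Assumes Connect-ExchangeOnline has already been run in this session.
# AutoForwardingMode on the outbound spam policy takes Automatic / On / Off;
# the article does not name this property, it is used here as an assumption.

function Get-AutoForwardPosture {
    [CmdletBinding()]
    param(
        [string]$RemoteDomain   = 'Default',
        [string]$OutboundPolicy = 'Default'
    )

    $rd  = Get-RemoteDomain -Identity $RemoteDomain
    $osp = Get-HostedOutboundSpamFilterPolicy -Identity $OutboundPolicy

    # Layer 1 (CHK-1036): tenant-wide switch on the remote domain.
    $layer1Open = [bool]$rd.AutoForwardEnabled
    # Layer 2 (CHK-1049): 'On' allows forwarding for everyone under this policy;
    # 'Off' blocks it; 'Automatic' follows Microsoft's current default, which blocks it.
    $layer2Blocks = $osp.AutoForwardingMode -ne 'On'

    $state = if (-not $layer1Open) {
        'BLOCKED-ALL'   # nobody can auto-forward, per-user exceptions are impossible
    } elseif ($layer2Blocks) {
        'RESTRICTED'    # desired end state: default policy blocks, allow-list via CHK-1049
    } else {
        'OPEN-ALL'      # CHK-1036 applied without CHK-1049: everyone may auto-forward
    }

    [pscustomobject]@{
        RemoteDomain       = $rd.Name
        AutoForwardEnabled = $rd.AutoForwardEnabled
        OutboundPolicy     = $osp.Name
        AutoForwardingMode = $osp.AutoForwardingMode
        State              = $state
    }
}

function Set-Chk1036 {
    # Enforce only the CHK-1036 layer: open the remote-domain switch if it is closed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RemoteDomain = 'Default')
    $rd = Get-RemoteDomain -Identity $RemoteDomain
    if (-not $rd.AutoForwardEnabled -and
        $PSCmdlet.ShouldProcess($RemoteDomain, 'Set AutoForwardEnabled $true')) {
        Set-RemoteDomain -Identity $RemoteDomain -AutoForwardEnabled $true
    }
}

$posture = Get-AutoForwardPosture
$posture | Format-List
if ($posture.State -eq 'OPEN-ALL') {
    Write-Warning 'Remote domain is open but the Default outbound policy does not block forwarding: apply CHK-1049.'
}
```

Run Set-Chk1036 -WhatIf first to see whether the remote-domain switch would be changed before enforcing it.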

Impact

CHK-1036 on its own moves auto-forwarding to "allowed" at the remote-domain layer across the whole tenant. Only in combination with CHK-1049 does the desired end state take shape: only the users listed in autoforwardwhitelist can actually auto-forward emails, while every other user is blocked by the Default Hosted Outbound Spam Filter policy. This reduces BEC and CEO-fraud risk without breaking legitimate forwarding scenarios.

More Information

Users for whom auto-forwarding should be allowed can be specified by email address in the autoforwardwhitelist configuration option in Attic. Filtering is per mailbox (sender), not per domain. See CHK-1049 for the second half of this configuration.