
Preventing Email Auto-forwarding in Office365 [CHK-1036]

This check ensures that automatic email forwarding to external addresses is disabled in Office365, specifically in Exchange Online.

Rationale

Attackers often exploit automatic forwarding rules in Business Email Compromise (BEC) or CEO fraud. They gain access to an employee's mailbox, auto-forward all emails to themselves, and use the information to send misleading emails with the intent of financial gain. Therefore, restricting auto-forwarding to external addresses is crucial for organizational security.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Connect to Exchange Online via Connect-ExchangeOnline.
  2. Run the following command: Set-RemoteDomain -Identity "Default" -AutoForwardEnabled $false
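After applying the manual steps, it is worth confirming that no remote domain still allows auto-forwarding and listing forwarding that users already have configured. The script below is an added example, not part of the original page or of Attic. It assumes the ExchangeOnlineManagement module is installed, that any domain not in the tenant's accepted domains counts as external, and the helper name Test-ExternalAddress is hypothetical.

```powershell
# Added example; assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# Remote domains that still allow auto-forwarding. "Default" covers every
# domain without its own entry, so a specific entry can still be open.
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
    Format-Table Name, DomainName, AutoForwardEnabled

# Domains the tenant owns; anything else is treated as external (assumption).
$accepted = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }

function Test-ExternalAddress {   # hypothetical helper for this example
    param([string]$Address)
    # Handles "smtp:user@example.com" and '"Name" [SMTP:user@example.com]'.
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }   # internal EX: recipient
    $domain = ($Address -split '@')[-1]
    return $accepted -notcontains $domain
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set by an admin or through Outlook on the web.
    if ($mbx.ForwardingSmtpAddress -and
        (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Source  = 'ForwardingSmtpAddress'
            Target  = $mbx.ForwardingSmtpAddress
        }
    }
    # Inbox rules that forward or redirect; one call per mailbox, so this
    # is slow on large tenants.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) +
                   @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress $t) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = "InboxRule: $($rule.Name)"
                    Target  = $t
                }
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

An empty first table means no remote domain permits auto-forwarding; any rows in the second table are existing external forwards to review against the allowed exceptions.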

Impact

Blocking automatic forwarding in Office365 prevents potential BEC and CEO fraud, enhancing the overall security of your organization's email communication.

More Information

Exceptions to this rule can be managed via the configuration option "autoforwardwhitelist" in Attic, where users for whom auto-forwarding should be allowed can be specified with their email address.