In 2020, Microsoft announced that external email forwarding had been identified as a tactic that attackers have been using more frequently to compromise data from an organization. For example, if an account is compromised, the attacker might create a forwarding rule for that mailbox, and the user might be unaware that their mail is being forwarded. It is therefore important for administrators to know all mailboxes that have forwarding enabled and where the mail is being forwarded to.

In an attempt to counter this attack, Microsoft has updated its Outbound Anti-Spam policies. Automatic forwarding can be configured by users creating inbox rules that automatically forward mail to external recipients, or by administrators configuring mail forwarding in the Exchange Admin Center. The MessageOps team recommends that clients configure the outbound spam policy as appropriate for their organization, and enable external auto forwarding only for the users who require it.

The following options in the outbound spam filter policy settings now control the flow of mail forwarded to external recipients:

  • Automatic: Automatic external forwarding is blocked. Internal automatic forwarding of messages will continue to work. This is the default setting.
  • On: Automatic external forwarding is allowed and not restricted.
  • Off: Automatic external forwarding is disabled and will result in a non-delivery report (also known as an NDR or bounce message) to the sender.

Email forwarding in Exchange Online

The MessageOps Help Desk recently received multiple tickets regarding these settings. Many administrators noticed that mail could no longer be forwarded from their tenant to any external user, but were unaware of any recent changes made to their environment to limit this action. Once contacted, the MessageOps Service Desk team looked into the issue and immediately noticed that the Automatic option was selected.

Upon further communication with the administrators, MessageOps agreed to reach out and collaborate with Microsoft to determine how best to inform our clients of these changes. During our discussion with Microsoft, we determined that as the service continues moving towards greater security by default, the Automatic setting will behave as Off and automatic forwarding will not work. Again, the recommendation is that all clients should configure the outbound spam policy as appropriate for their organization and enable external auto forwarding only for the users who require it. This can be done by leaving the default policy in a disabled state, creating another policy that allows forwarding, and assigning that policy to the specific mailboxes/users only.
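The inventory of forwarding mailboxes and the scoped-policy recommendation above can both be handled from Exchange Online PowerShell. The following is an added example, not MessageOps or Microsoft code; it assumes the ExchangeOnlineManagement module and an administrator session, and the policy name and approved addresses are hypothetical placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and admin rights.
Connect-ExchangeOnline

# 1. Inventory mailbox-level forwarding (set by an administrator or by the user).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 2. Inventory inbox rules that forward or redirect mail. Review the targets
#    by hand: the list includes internal as well as external destinations.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo,
                      ForwardAsAttachmentTo, RedirectTo
}

# 3. Set the default outbound spam policy to Off explicitly, so the tenant
#    does not depend on how the Automatic setting behaves.
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off

# 4. Create a second policy that allows external forwarding and scope it to
#    the approved senders only (hypothetical name and addresses).
$policyName = 'Allow external forwarding'
$approved   = @('user1@example.com', 'user2@example.com')
New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name $policyName `
    -HostedOutboundSpamFilterPolicy $policyName -From $approved

# 5. Verify the resulting modes and the scope of the allow rule.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-HostedOutboundSpamFilterRule   | Select-Object Name, State, Priority, From
```

Running steps 1 and 2 before and after the policy change gives a record of which forwards existed and which of them the approved list is meant to cover.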

For more information, visit the Microsoft Exchange Team Blog.
