Information
Exchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels:
 - Outlook forwarding using inbox rules.
 - Outlook forwarding configured using OOF rule.
 - OWA forwarding setting (ForwardingSmtpAddress).
 - Forwarding set by the admin using EAC (ForwardingAddress).
 - Forwarding using Power Automate / Flow.
Ensure a Transport rule and Anti-spam outbound policy are used to block mail forwarding.
NOTE: Any exclusions should be implemented based on organizational policy.
Attackers often create these rules to exfiltrate data from your tenancy; this could be accomplished via access to an end-user account or otherwise. An insider could also use one of these methods as a secondary channel to exfiltrate sensitive data.
Solution
Note: Remediation is a two-step procedure as follows:
STEP 1: Transport rules
To remediate using the UI:
 - Select Exchange to open the Exchange admin center.
 - Select Mail Flow then Rules
 - For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.
To remediate using PowerShell:
 - Connect to Exchange Online using Connect-ExchangeOnline
 - Run the following PowerShell command:
Remove-TransportRule {RuleName}
STEP 2: Anti-spam outbound policy
To remediate using the UI:
 - Navigate to Microsoft 365 Defender https://security.microsoft.com/
 - Expand E-mail & collaboration then select Policies & rules
 - Select Threat policies > Anti-spam
 - Select Anti-spam outbound policy (default)
 - Click Edit protection settings
 - Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
 - Repeat steps 4-6 for any additional higher priority, custom policies.
To remediate using PowerShell:
 - Connect to Exchange Online using Connect-ExchangeOnline
 - Run the following PowerShell command:
Set-HostedOutboundSpamFilterPolicy -Identity {policyName} -AutoForwardingMode Off
 - To remove AutoForwarding from all outbound policies you can also run:
Get-HostedOutboundSpamFilterPolicy | Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off
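Before removing rules or changing policies, it helps to list exactly what STEP 1 and STEP 2 would touch. The following read-only audit is an added example, not part of the original benchmark text. It assumes an active Connect-ExchangeOnline session and treats any recipient domain not returned by Get-AcceptedDomain as external; the helper name Test-ExternalAddress is hypothetical.

```powershell
# Added example: audit only, makes no changes to the tenant.
# Assumes Connect-ExchangeOnline has already been run in this session.

# Domains the tenant owns. Assumption: anything else counts as external.
# Exact match only, so a subdomain of an accepted domain is reported too
# (a false positive is preferable to a missed external redirect).
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName })

function Test-ExternalAddress {
    # Hypothetical helper: true when the address's domain is not an accepted domain.
    param([string]$Address)
    $domain = ($Address -split '@')[-1]
    return $internalDomains -notcontains $domain
}

# STEP 1 candidates: transport rules redirecting to at least one external recipient.
$ruleFindings = foreach ($rule in Get-TransportRule) {
    if (-not $rule.RedirectMessageTo) { continue }
    $external = @($rule.RedirectMessageTo | Where-Object { Test-ExternalAddress $_ })
    if ($external.Count -gt 0) {
        [pscustomobject]@{
            Name               = $rule.Name
            State              = $rule.State
            Priority           = $rule.Priority
            ExternalRecipients = $external -join ', '
        }
    }
}

# STEP 2 candidates: outbound anti-spam policies whose mode is anything but Off.
$policyFindings = @(Get-HostedOutboundSpamFilterPolicy |
    Where-Object { $_.AutoForwardingMode -ne 'Off' } |
    Select-Object Name, AutoForwardingMode)

Write-Output "Transport rules redirecting to external recipients: $(@($ruleFindings).Count)"
$ruleFindings | Format-Table -AutoSize

Write-Output "Outbound policies with AutoForwardingMode not set to Off: $($policyFindings.Count)"
$policyFindings | Format-Table -AutoSize
```

Review each listed rule and policy against organizational exclusions before running Remove-TransportRule or Set-HostedOutboundSpamFilterPolicy; both counts should be zero after remediation.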
Impact:
Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization. Any exclusions should be implemented based on organizational policy.