4.3 Ensure all forms of mail forwarding are blocked and/or disabled

Information

You should set your Exchange Online mail transport rules to not forward email to domains outside of your organization. Automatic forwarding should also be disabled so that users cannot auto-forward mail via Outlook or Outlook on the web. Alongside this, a Client Rules Forwarding Block, which prevents the use of any client-side rules that forward email to an external domain, should also be enabled.

NOTE: Any exclusions should be implemented based on organizational policy.

Rationale:

Attackers often create these rules to exfiltrate data from your tenancy; this could be accomplished via access to an end-user account or otherwise.

Impact:

Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization. Any exclusions should be implemented based on organizational policy.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

NOTE: Remediation is a three-step procedure as follows:
STEP 1:
To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

Select Exchange.

Select Mail Flow and Rules.

For each rule that forwards email to external domains, select the rule and click the 'Delete' icon.

To perform remediation you may also use the Exchange Online PowerShell Module:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell command:

Remove-TransportRule {RuleName}

To verify this worked you may re-run the audit command as follows:

Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft Name,RedirectMessageTo

STEP 2:
To perform remediation you may use the Exchange Online PowerShell Module:

Connect to Exchange online using Connect-ExchangeOnline.

Run the following PowerShell to disable auto-forwarding to remote domains:

Set-RemoteDomain Default -AutoForwardEnabled $false

Run the following PowerShell to verify AutoForwardEnabled is now set to False:

Get-RemoteDomain Default | fl AllowedOOFType, AutoForwardEnabled

STEP 3:
To create the Client Rules Forwarding Block, use the Exchange Online PowerShell Module:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following Exchange Online PowerShell commands to create a rule:

$rejectMessageText = 'To improve security, auto-forwarding rules to external addresses have been disabled. Please contact your Microsoft Partner if you''d like to set up an exception.'

New-TransportRule -name 'Client Rules To External Block' -Priority 0 -SentToScope NotInOrganization -FromScope InOrganization -MessageTypeMatches AutoForward -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText $rejectMessageText

Note that Client Rules To External Block is a placeholder name; the rule may be named based on preference.

Verify that Client Rules To External Block (or the rule name you chose) has been created.
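As an added example (not part of the benchmark or of Tenable's own check), the following PowerShell audits all three steps above from one session and reports any gaps. It assumes Connect-ExchangeOnline has already been run and that the block rule uses the placeholder name from STEP 3; the function name Test-MailForwardingControls is my own.

```powershell
# Added example: audit the three forwarding controls in this benchmark item.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline).
# The block rule name is an assumption; change it to match your tenant.
function Test-MailForwardingControls {
    param([string]$BlockRuleName = 'Client Rules To External Block')

    $findings = [System.Collections.Generic.List[string]]::new()

    # STEP 1: any transport rule that still redirects mail is a finding
    # (RedirectMessageTo is a collection; a non-empty value means it redirects).
    $redirectRules = Get-TransportRule | Where-Object { $_.RedirectMessageTo }
    foreach ($r in $redirectRules) {
        $findings.Add("Transport rule '$($r.Name)' redirects to: $($r.RedirectMessageTo -join ', ')")
    }

    # STEP 2: auto-forwarding on the Default remote domain must be off.
    $default = Get-RemoteDomain Default
    if ($default.AutoForwardEnabled) {
        $findings.Add("RemoteDomain 'Default' still has AutoForwardEnabled = True")
    }

    # STEP 3: the client rules block must exist, be enabled, and still match
    # auto-forwarded mail sent outside the organization.
    $block = Get-TransportRule -Identity $BlockRuleName -ErrorAction SilentlyContinue
    if (-not $block) {
        $findings.Add("Block rule '$BlockRuleName' not found")
    } elseif ($block.State -ne 'Enabled') {
        $findings.Add("Block rule '$BlockRuleName' exists but is disabled")
    } elseif ($block.MessageTypeMatches -ne 'AutoForward' -or $block.SentToScope -ne 'NotInOrganization') {
        $findings.Add("Block rule '$BlockRuleName' no longer matches AutoForward to NotInOrganization")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: run after connecting; each finding maps back to one of the three steps.
$result = Test-MailForwardingControls -BlockRuleName 'Client Rules To External Block'
if ($result.Compliant) { 'All three forwarding controls are in place.' }
else { $result.Findings | ForEach-Object { "FINDING: $_" } }
```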

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CSCv7|7

Plugin: microsoft_azure

Control ID: a86c61edc41321c747dcd4d724f19c3a3c7499714346938b3c00c1fa9f62553e