Detections
Analytics
5.7 Ensure mail forwarding rules are reviewed at least weekly
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
You should review mail forwarding rules to external domains at least every week.Rationale:
While there are lots of legitimate uses of mail forwarding rules, they are also a popular data exfiltration tactic for attackers. You should review them regularly to ensure your users' email is not being exfiltrated.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To review mail forwarding rules, use the Microsoft 365 Admin Center:Go to Exchange admin center.
Expand Reports then select Mail flow.
Click on Auto forwarded messages report.
Review
To review mail forwarding rules, use the following Powershell script:
Uses the administrator user credential to export Mail forwarding rules, User Delegates and SMTP Forwarding policies to multiple csv files. First connect to Exchange Online by using connect-exopssession
$allUsers = @()
$AllUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | select ObjectID, UserPrincipalName, FirstName, LastName, StrongAuthenticationRequirements, StsRefreshTokensValidFrom, StrongPasswordRequired, LastPasswordChangeTimestamp | Where-Object {($_.UserPrincipalName -notlike '*#EXT#*')}
$UserInboxRules = @()
$UserDelegates = @()
foreach ($User in $allUsers)
{
Write-Host 'Checking inbox rules and delegates for user: ' $User.UserPrincipalName;
$UserInboxRules += Get-InboxRule -Mailbox $User.UserPrincipalname | Select Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage | Where-Object {($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectsTo -ne $null)}
$UserDelegates += Get-MailboxPermission -Identity $User.UserPrincipalName | Where-Object {($_.IsInherited -ne 'True') -and ($_.User -notlike '*SELF*')}
}
$SMTPForwarding = Get-Mailbox -ResultSize Unlimited | select DisplayName,ForwardingAddress,ForwardingSMTPAddress,DeliverToMailboxandForward | where {$_.ForwardingSMTPAddress -ne $null}
# Export list of inboxRules, Delegates and SMTP Forwards
$UserInboxRules | Export-Csv MailForwardingRulesToExternalDomains.csv
$UserDelegates | Export-Csv MailboxDelegatePermissions.csv
$SMTPForwarding | Export-Csv Mailboxsmtpforwarding.csv
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L1 v1.4.0
References: CSCv7|6.2
Plugin: microsoft_azure
Control ID: 2362dcd21ab0ddf95cd12f4b354da101480dcacde166a18de19a4aa5b93f4689