Detections
Analytics
4.3 Ensure all forms of mail forwarding are blocked and/or disabled
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Exchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels:Outlook forwarding using inbox rules
Outlook forwarding configured using OOF rule
OWA forwarding setting (ForwardingSmtpAddress)
Forwarding set by the admin using EAC (ForwardingAddress)
Forwarding using Power Automate / Flow
Ensure a Transport rule and Anti-spam outbound policy are used to block mail forwarding.
NOTE: Any exclusions should be implemented based on organizational policy.
Rationale:
Attackers often create these rules to exfiltrate data from your tenancy, this could be accomplished via access to an end-user account or otherwise. An insider could also use one of these methods as an secondary channel to exfiltrate sensitive data.
Impact:
Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
NOTE: Remediation is a two step procedure as follows:STEP 1: Transport rules
To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:
Select Exchange to open the Exchange admin center.
Select Mail Flow then Rules.
For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.
To perform remediation you may also use the Exchange Online PowerShell Module:
Connect to Exchange Online user Connect-ExchangeOnline.
Run the following PowerShell command:
Remove-TransportRule {RuleName}
To verify this worked you may re-run the audit command as follows:
Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft Name,RedirectMessageTo
STEP 2: Anti-spam outbound policy
Configure an anti-spam outbound policy:
Navigate to Microsoft 365 Defender https://security.microsoft.com/
Expand E-mail & collaboration then select Policies & rules.
Select Threat policies > Anti-spam.
Select Anti-spam outbound policy (default)
Click Edit protection settings
Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
Repeat steps 4-6 for any additional higher priority, custom policies.
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L1 v2.0.0
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-7b.
Plugin: microsoft_azure
Control ID: a9c49a46da7624d943a7b6843307d43fc2189c0d304e9801be999a8ab10f7829