Stop Email Going Outside Exchange Online
There’s no doubt that automatically forwarding messages to an email address outside Office 365 poses a significant risk for a business. Messages can end up in places where they shouldn’t go, especially when an attacker compromises an account and sets up forwarding on the mailbox, either by adding a forwarding address or by creating an inbox rule. Removing email from Exchange Online also undermines compliance and oversight because the forwarded messages are no longer available for eDiscovery.
Various techniques exist to combat the problem, including:
- Restricting the ability of users to set forwarding addresses in OWA.
- Applying more general restrictions to block forwarding to specific domains.
- Blocking email forwarding from Power Automate (Flow).
These techniques work, and all of them still allow users to forward individual messages manually, but administrators must know that automatic forwarding is a problem before they can act to stop it. What’s different now is that Microsoft is turning automatic forwarding into an opt-in feature (roadmap item 63831) rather than leaving tenants to block it themselves, so organizations are more secure by default.
In some ways, it’s like the approach taken to disable basic authentication for Exchange connection protocols: start by signaling disapproval of something that makes tenants insecure, then gradually escalate to close the hole.
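Before deciding how to handle the policy change, it helps to know which mailboxes already forward mail outside the tenant through either of the two mechanisms mentioned above. The following script is an added example and is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, that the account running it can read mailboxes and inbox rules, and that every accepted domain in the tenant counts as internal; the output file name is a placeholder.

```powershell
# Added example (not from the original article): audit Exchange Online for
# mailboxes that forward mail outside the tenant via a mailbox forwarding
# address or an inbox rule, the two mechanisms an attacker typically abuses.
# Assumes the ExchangeOnlineManagement module and an account with rights to
# read mailboxes and inbox rules.
Connect-ExchangeOnline

# Every accepted domain counts as internal; any other domain is external.
$InternalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # ForwardingSmtpAddress is stored with an "smtp:" prefix; strip it before comparing the domain.
    $Domain = (($Address -replace '^smtp:', '') -split '@')[-1]
    return ($InternalDomains -notcontains $Domain)
}

function Get-RuleTargetAddresses {
    # Get-InboxRule returns recipients as '"Name" [SMTP:user@domain]' for external
    # targets and '"Name" [EX:/o=...]' for internal ones, so only SMTP entries can
    # point outside the tenant.
    param($Entries)
    foreach ($Entry in @($Entries)) {
        if ("$Entry" -match '\[SMTP:([^\]]+)\]') { $Matches[1] }
    }
}

$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
$Findings = foreach ($Mbx in $Mailboxes) {
    # 1. Mailbox-level forwarding. ForwardingSmtpAddress is what a user sets in OWA options.
    if (Test-ExternalAddress $Mbx.ForwardingSmtpAddress) {
        [PSCustomObject]@{
            Mailbox   = $Mbx.UserPrincipalName
            Source    = 'ForwardingSmtpAddress'
            Target    = $Mbx.ForwardingSmtpAddress -replace '^smtp:', ''
            KeepsCopy = $Mbx.DeliverToMailboxAndForward
        }
    }
    # ForwardingAddress is admin-set and points at a recipient object (often a mail
    # contact with an external address), so report it for manual review.
    if ($Mbx.ForwardingAddress) {
        [PSCustomObject]@{
            Mailbox   = $Mbx.UserPrincipalName
            Source    = 'ForwardingAddress (review recipient)'
            Target    = "$($Mbx.ForwardingAddress)"
            KeepsCopy = $Mbx.DeliverToMailboxAndForward
        }
    }
    # 2. Inbox rules that forward, forward as attachment, or redirect to external addresses.
    $Rules = Get-InboxRule -Mailbox $Mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($Rule in $Rules) {
        $Targets = Get-RuleTargetAddresses (@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo))
        foreach ($Target in $Targets) {
            if (Test-ExternalAddress $Target) {
                [PSCustomObject]@{
                    Mailbox   = $Mbx.UserPrincipalName
                    Source    = "InboxRule: $($Rule.Name) (Enabled=$($Rule.Enabled))"
                    Target    = $Target
                    KeepsCopy = -not $Rule.DeleteMessage
                }
            }
        }
    }
}

$Findings | Sort-Object Mailbox | Format-Table -AutoSize
# Placeholder path; keep the report as evidence for the justification review.
$Findings | Export-Csv -Path .\ExternalForwarding.csv -NoTypeInformation
```

Disabled inbox rules are reported too, because an attacker who lost access can leave a rule behind to re-enable later; a rule that deletes the original (KeepsCopy false) is the classic pattern for hiding exfiltration from the mailbox owner.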
Tuning Mail Forwarding in the Outbound Spam Filter Policy
A series of Office 365 notifications posted to the message center, starting with MC218984 (July) and more recently MC221113 (September), advised tenants of a change to the default outbound spam filter policy. The default outbound spam filter policy is present and active in all Exchange Online tenants.
First, Microsoft added automatic forwarding settings to the policy. The settings were inactive but allowed administrators to define how they wanted forwarding to behave. Tenants identified as having mailboxes with autoforwarding enabled also received a notification telling them that they had some work to do to decide how to handle those forwards. The next step was to activate the forwarding setting in the outbound spam filter policy with Automatic (the default) meaning On, so mail forwarding worked exactly as before.
This week, Microsoft changed the meaning of the Automatic setting to Off, which blocks mail forwarding. If you didn’t choose a different setting (possibly because you missed the notifications), the Automatic setting is in force. Some administrators overlooked the previous communications and were surprised when users began to report that forwarding no longer works. Life is full of surprises!
Mail Forwarding Settings
The available settings to govern mail forwarding (Figure 1) are:
- Automatic: Exchange Online decides whether mail forwarding is allowed. This is the default setting, and it currently means that users cannot forward email from Exchange Online mailboxes to external addresses. Microsoft controls what Automatic means and can change it.
- On: Users can forward email.
- Off: Users cannot forward email. Unlike Automatic, this is an explicit choice by the tenant that Exchange Online will not change.
If automatic mail forwarding is blocked, users can still configure a forwarding address through OWA options, but when a message arrives for that user and Exchange Online tries to forward it, the transport service rejects the forwarded copy and it never reaches the external address. The original sender receives an NDR to let them know about the problem (Figure 2).
The key thing for administrators to note is the NDR code: “5.7.520 Access denied. Your organization does not allow external forwarding.” Once you see this, you know a message was blocked by the outbound spam filter policy.
Allowing Automatic Forwarding for Specific Users
The default outbound spam filter policy is always active and cannot be disabled. If you want to block mail forwarding in general and allow it for specific people, create a custom outbound spam filter policy and add those people and distribution lists to it; custom policies are evaluated in priority order before the default policy applies to everyone else. As Figure 3 shows, the policy identifies people and distribution lists by SMTP address, not display name.
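The same configuration can be done from Exchange Online PowerShell, which also lets you replace the Automatic setting described above with an explicit choice and confirm that the policy is actually blocking forwards. The following commands are an added example, not part of the original article. They assume the ExchangeOnlineManagement module, a connected session, and placeholder policy names and addresses that you would replace with your own; the final step assumes that the 5.7.520 code appears in the message trace detail text for a blocked forward.

```powershell
# Added example (not from the original article): make the tenant's forwarding
# posture explicit instead of relying on "Automatic", then carve out an
# exception for approved senders. Policy names and addresses are placeholders.
Connect-ExchangeOnline

# 1. Inspect the policies that exist today. The policy named Default is always
#    present, cannot be removed or disabled, and applies to anyone no custom rule matches.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode

# 2. Set the default policy to Off explicitly. Automatic currently also means Off,
#    but Microsoft controls what Automatic means; Off is a decision the tenant owns.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Create a custom policy that allows forwarding, and a rule that scopes it to
#    approved people (by SMTP address) and members of a distribution list.
$PolicyName = 'Approved External Forwarding'
New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name $PolicyName `
    -HostedOutboundSpamFilterPolicy $PolicyName `
    -From 'jane.doe@office365itpros.com' `
    -FromMemberOf 'Approved-Forwarders@office365itpros.com' `
    -Priority 0   # custom rules are evaluated by priority before the default policy

# 4. Read the rules back to confirm who is scoped into the exception.
Get-HostedOutboundSpamFilterRule |
    Select-Object Name, Priority, State, From, FromMemberOf, HostedOutboundSpamFilterPolicy

# 5. Find forwards the policy blocked: failed deliveries whose trace detail carries
#    the 5.7.520 code (assumption: the code is present in the Detail text).
$Since = (Get-Date).AddDays(-2)
Get-MessageTrace -StartDate $Since -EndDate (Get-Date) -Status Failed |
    ForEach-Object {
        Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress
    } |
    Where-Object { $_.Detail -like '*5.7.520*' } |
    Select-Object Date, Event, Detail
```

Step 2 matters even though the result looks identical today: an explicit Off survives any future change Microsoft makes to what Automatic means, and step 5 gives you evidence of blocked forwards without waiting for users to report the NDR.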
A Good Change to End a Bad Practice
There’s not much to argue about in this change. Automatically forwarding mail to an external address is not good practice. If someone really needs to forward email to an external address, they should be able to justify the need in business terms before being added to a custom outbound spam filter policy. I doubt that many will be able to come up with such a justification, but those who do will be able to continue while the rest of the organization remains just a little bit safer.
Need to know more about the various policies used by Exchange Online to manage mail transport? It’s all described in the Office 365 for IT Pros eBook.