Microsoft Clamps Down on Automatic Mail Forwarding in Exchange Online

Stop Email Going Outside Exchange Online

There’s no doubt that automatically forwarding messages to an email address outside Office 365 can pose a significant risk for a business. Messages can end up in places where they shouldn’t go, including when an attack infiltrates an account and sets up forwarding on a mailbox by setting a mail forwarding address or with an inbox rule. In addition, removing email from Exchange Online compromises compliance and oversight because messages are no longer available for eDiscovery.

Various techniques exist to combat the problem, including:

These techniques work, and all of them still allow users to forward individual messages manually, but administrators must be aware of the problem caused by automatic forwarding and act to stop it. What’s different now is that Microsoft is turning automatic forwarding into an opt-in feature (roadmap item 63831), rather than leaving tenants to block it themselves, to make organizations more secure by default.

In some ways, it’s like the approach taken to disable basic authentication for Exchange connection protocols. Start by showing disapproval of something which contributes to insecure tenants and gradually escalate to close the hole.

Tuning Mail Forwarding in the Outbound Spam Filter Policy

A series of Office 365 notifications posted to the message center, starting with MC218984 (July) and more recently MC221113 (September), advised tenants of a change to the default outbound spam filter policy. The default outbound spam filter policy is present and active in all Exchange Online tenants.

First, Microsoft introduced automatic forwarding settings in the policy. The settings were inactive but allowed administrators to define how they wanted forwarding to happen. Tenants identified as having mailboxes with autoforwarding enabled also received notification that they had some work to do to decide how to handle these forwards. The next step was to enable the forwarding setting in the outbound spam filter policy using On as the Automatic (default) setting, meaning that mail forwarding acted as before.
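Tenants told they had mailboxes with autoforwarding enabled need an inventory before deciding what to allow. The script below is an added example, not code from the article or from Microsoft; it assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with at least the View-Only Recipients role, and the CSV path at the end is a placeholder. It covers both ways a forward can be set, the mailbox-level forwarding address and inbox rules, and flags targets outside the tenant’s accepted domains.

```powershell
# Added example (not from the article): inventory every way a mailbox can auto-forward.
# Assumes Connect-ExchangeOnline has been run. Output path is an assumption.
$report = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

# 1. Mailbox-level forwarding (set via OWA options, Set-Mailbox, or by whoever holds the account).
#    ForwardingSmtpAddress is an SMTP address; ForwardingAddress is an internal recipient.
foreach ($mbx in $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }) {
    $report.Add([pscustomobject]@{
        Mailbox  = $mbx.PrimarySmtpAddress
        Source   = 'MailboxForwarding'
        Target   = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
        KeepCopy = $mbx.DeliverToMailboxAndForward
        RuleName = $null
    })
}

# 2. Inbox rules that forward or redirect. These are not visible on the mailbox object,
#    so each mailbox is queried individually (slow in large tenants).
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            $report.Add([pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = 'InboxRule'
                Target   = ($targets -join '; ')
                KeepCopy = $null
                RuleName = $_.Name
            })
        }
}

# 3. Mark any target whose domain is not one of the tenant's accepted domains as external.
#    Targets without an '@' (internal ForwardingAddress identities) are treated as internal.
$accepted = (Get-AcceptedDomain).DomainName
foreach ($row in $report) {
    $domains = [regex]::Matches([string]$row.Target, '@([\w.-]+)') | ForEach-Object { $_.Groups[1].Value }
    $isExternal = ($domains | Where-Object { $_ -notin $accepted }).Count -gt 0
    $row | Add-Member -NotePropertyName External -NotePropertyValue $isExternal
}

$report | Sort-Object External -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\AutoForwardReport.csv -NoTypeInformation   # placeholder path
```

Rows with External set to True are the ones that a tenant-wide block will affect, and each of them needs either a business justification (and an entry in a custom outbound spam filter policy) or removal.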

This week, Microsoft changed the Automatic setting to Off to block mail forwarding. If you didn’t choose a different setting (possibly because you missed the notification), the Automatic setting is active. Some administrators overlooked the previous communications and were surprised when users began to report that forwarding doesn’t work. Life is full of surprises!

Mail Forwarding Settings

The available settings to govern mail forwarding (Figure 1) are:

  • Automatic: Exchange Online decides if mail forwarding is allowed or not. This is the default setting and normally means that users cannot forward email from Exchange Online mailboxes to external addresses.
  • On: Users can forward email.
  • Off: Users cannot forward email. Exchange will not change this value.
Figure 1: Automatic forwarding settings in the Exchange Online outbound spam filter policy

If automatic mail forwarding is blocked, users can still configure a mail forwarding address through OWA options, but any message sent to that user is rejected by the transport service and won’t be delivered. The sender receives an NDR to let them know about the problem (Figure 2).

Figure 2: A message sent to a mailbox with forwarding configured is rejected with an NDR

The key thing for administrators to note is the NDR code: “5.7.520 Access denied. Your organization does not allow external forwarding.” Once you see this, you know a message was blocked by the outbound spam filter policy.
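Rather than waiting for users to report NDRs, an administrator can search message trace for rejections carrying this code. The script below is an added example, not code from the article; it assumes an Exchange Online PowerShell session and that the 5.7.520 reason text appears in the Detail field of the message trace detail events (an assumption about how the reason is surfaced, so check one known rejection first). Message trace only reaches back ten days.

```powershell
# Added example (not from the article): list recent messages rejected with 5.7.520.
# Assumes Connect-ExchangeOnline has been run. The '*5.7.520*' match on the Detail
# text is an assumption about how the rejection reason is reported by the trace.
$start = (Get-Date).AddHours(-48)
$end   = Get-Date

$blocked = Get-MessageTrace -StartDate $start -EndDate $end -Status Failed -PageSize 5000 |
    ForEach-Object {
        $msg = $_
        Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId -RecipientAddress $msg.RecipientAddress |
            Where-Object { $_.Detail -like '*5.7.520*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Received  = $msg.Received
                    Sender    = $msg.SenderAddress
                    Recipient = $msg.RecipientAddress
                    Subject   = $msg.Subject
                    Reason    = $_.Detail
                }
            }
    }

# Group by recipient: a mailbox that shows up repeatedly is one whose forward is
# still configured and should be reviewed (or added to an exception policy).
$blocked | Group-Object Recipient | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$blocked | Format-Table Received, Sender, Recipient, Subject -AutoSize
```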

Allowing Automatic Forwarding for Specific Users

The default outbound spam policy is always active and cannot be disabled. If you want to stop mail forwarding in general and allow it for specific people, you should create a custom outbound spam filter policy and add the people and distribution lists to that policy. As you can see in Figure 3, SMTP addresses are used to specify people and distribution lists, not display names.

Figure 3: Configuring a custom outbound spam filter policy
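The same configuration can be applied from PowerShell, which also makes the Default policy setting explicit instead of relying on what Automatic currently means. The script below is an added example, not code from the article or from Microsoft; it assumes Connect-ExchangeOnline with an account holding the Organization Management or Security Administrator role, and the policy name, user address and group address are placeholders.

```powershell
# Added example (not from the article): block automatic forwarding tenant-wide and carve out
# an exception policy for the few senders with a documented business need.
# Assumes Connect-ExchangeOnline has been run. Names and addresses are placeholders.

# 1. Make the tenant-wide default explicit (Off), so a later change to the meaning of
#    "Automatic" cannot silently alter behaviour. The Default policy cannot be disabled.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Exception policy with forwarding On, scoped by a rule to SMTP addresses and to the
#    members of a distribution group. Display names are not accepted here.
$policyName = 'Allow External Forwarding'                   # placeholder
$allowedUser = 'service.relay@contoso.example'              # placeholder
$allowedGroup = 'Approved-Forwarders@contoso.example'       # placeholder distribution list

if (-not (Get-HostedOutboundSpamFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On | Out-Null
    New-HostedOutboundSpamFilterRule -Name $policyName `
        -HostedOutboundSpamFilterPolicy $policyName `
        -From $allowedUser `
        -FromMemberOf $allowedGroup `
        -Priority 0 | Out-Null
}

# 3. Read back the effective configuration. Rules are evaluated in priority order before the
#    Default policy, so any sender not matched by a rule falls through to the Off setting.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode, IsDefault
Get-HostedOutboundSpamFilterRule |
    Select-Object Name, Priority, State, From, FromMemberOf, HostedOutboundSpamFilterPolicy
```

Keeping the exception list in a distribution group means the business-justification review happens when someone is added to the group, and the policy itself never needs editing.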

A Good Change to End a Bad Practice

There’s not much to argue about in this change. Automatically forwarding mail to an external address is not good practice. If someone really needs to forward email to an external address, they should be able to quantify the need in terms of a business justification to be added to a custom outbound spam filter policy. I doubt that many will be able to come up with such a justification, but those who do will be able to continue while the rest of the organization remains just a little bit safer.

Need to know more about the various policies used by Exchange Online to manage mail transport? It’s all described in the Office 365 for IT Pros eBook.

5 Replies to “Microsoft Clamps Down on Automatic Mail Forwarding in Exchange Online”

  1. I definitely think this is good to be enabled by default, but it’s dumb MS didn’t allow forwarding that was set up via exch admin panel rules to not be affected by this. Thanks for the info all the same.

  2. MS have overwritten our settings, so we set this months ago to enable as we have external services which only work with forwarding.
     Lo and behold, that setting got reset.
     Which was doubly annoying as for a week it wasn’t on or off; it was some messages can be forwarded but not others with no discernible pattern.
     At least MS won’t mess with this when set via exch admin, time to go through all the service mailboxes and set them up that way, save MS resetting the setting again.
