Email Forwarding – An Attack Vector
We are in a time of never-ending social engineering attacks coming to us over email – Phishing. One very effective, though seldom discussed, method occurs when a recipient clicks on a malicious email and nothing apparent happens. What has actually happened is that a client-side forwarding rule is created to forward some or all emails to an external email address. From those emails the attacker can attempt to glean insight about internal systems, user credentials, and even sensitive corporate data. Clearly it is in the best interests of your business to begin setting email-forwarding restrictions to establish who is permitted to perform email forwarding and who they are allowed to forward messages to.
Outbound SPAM Protection
Protecting against unwanted or unintentional forwarding outside the Office 365 tenant is relatively easy. An outbound spam policy already exists; this is what you’ll use to protect yourself from attacks that generate forwarding rules.
This link will take you directly to the anti-spam protection settings. Once there, expand the Threat Management section and click Policy. If this is your first visit, you’ll see the four default policies. You can’t turn any of them off, but you can edit them. Expand and then edit the outbound spam filter policy.
To implement, we recommend you set the built-in outbound spam protection policy to not allow forwarding and create a new policy. This is because the default policy doesn’t provide any “Applied To” and “Exceptions” conditions where you might want to have certain users or accounts forward information to external addresses. Custom policies take precedence, so setting a deny-forwarding control to the default has no effect on any custom policies you might create.

Editing this policy allows you to disable automatic forwarding. The default setting is “System Controlled” which essentially means “on.” Change this to “off.”
As can be seen below, the custom policy includes additional sections that enable you to add users or domains into the conditions section (and then the exceptions section) if necessary.

In addition to placing restrictions on which account can perform forwarding, the policy also permits two other features. The first one is for notifications. This allows you to send a copy of a suspicious outbound message to another address for analysis. Also, you can configure the policy to alert another person to notify them that a forwarding attempt has happened, allowing them to take remedial action.
The final options are all about limits. These can be really useful in an environment where a service generates messages throughout the day and sends them outside the Office 365 tenant. Receiving systems could very easily interpret an incessant stream of messages as spam, bulk, or some other category. And in today’s climate it doesn’t take much to get your domain blacklisted. If (and only if) the emails are being generated in a non-time-sensitive manner, you can use quiet (non-working) hours to slow-flow messages out so they get to where they need to be, with minimal risk of being blacklisted as spam. Of course, it’s sensible for recipient systems to whitelist the email address and/or sending IP addresses—but that’s outside your control, so it pays to do all you can to protect your domain.

In conclusion, as phishing attacks get ever-more subtle (and their spelling and grammar improve), it gets harder to keep the bad stuff from coming in, and the fallout from attacks from getting out. Leveraging the Advanced Threat Protection feature to control which accounts can forward messages is a useful tool in the wider fight to protect the integrity of your corporate information. Finally, if you have any questions about ensuring the security of your Office 365 email (or anything else), we at Anexinet would be happy to talk with you. Please feel free to reach out to us at any time. We’d love to help keep you safe.
by Mark Arnold

Mark Arnold
Microsoft Architect
For over two decades, Mark Arnold has worked for IT outsourcing and consulting organizations in both the US and UK, leveraging Microsoft’s
infrastructure solutions for large organizations. Mark is currently a delivery architect with Anexinet, focused on Microsoft Exchange and Office 365.
© 2000 - 2021 Anexinet Corp., All rights reserved | Privacy Policy | Cookie Policy