6.2.1 Ensure all forms of mail forwarding are blocked and/or disabled

Information

Exchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels:

Outlook forwarding using inbox rules.

Outlook forwarding configured using OOF rule.

OWA forwarding setting (ForwardingSmtpAddress).

Forwarding set by the admin using EAC (ForwardingAddress).

Forwarding using Power Automate / Flow.

Ensure a Transport rule and Anti-spam outbound policy are used to block mail forwarding.

NOTE: Any exclusions should be implemented based on organizational policy.

Rationale:

Attackers often create these rules to exfiltrate data from your tenancy, whether through access to a compromised end-user account or otherwise. An insider could also use one of these methods as a secondary channel to exfiltrate sensitive data.

Impact:

Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization. Any exclusions should be implemented based on organizational policy.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Note: Remediation is a two-step procedure as follows:

STEP 1: Transport rules

To alter the mail transport rules so they do not forward email to external domains using the UI:

1. Select Exchange to open the Exchange admin center.

2. Select Mail Flow then Rules.

3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

To remediate using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell command:

Remove-TransportRule {RuleName}

STEP 2: Anti-spam outbound policy

To configure an anti-spam outbound policy using the UI:

1. Navigate to Microsoft 365 Defender https://security.microsoft.com/

2. Expand E-mail & collaboration then select Policies & rules.

3. Select Threat policies > Anti-spam.

4. Select Anti-spam outbound policy (default).

5. Click Edit protection settings.

6. Set the Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save.

Repeat steps 4-6 for any additional higher-priority custom policies.

To remediate using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell command:

Set-HostedOutboundSpamFilterPolicy -Identity {policyName} -AutoForwardingMode Off

To remove AutoForwarding from all outbound policies you can also run:

Get-HostedOutboundSpamFilterPolicy | Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off
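As an added example (not part of the CIS benchmark or the Tenable plugin), the following PowerShell audit enumerates the forwarding channels listed under Information so that exclusions can be reviewed before the two remediation steps are applied. It assumes an existing Connect-ExchangeOnline session with a role that can read transport rules, mailboxes and inbox rules; the helper names Add-Finding and Test-ExternalAddress are the script's own.

```powershell
# Added audit script, not from the benchmark or Tenable. Reports every forwarding channel this
# control covers. Assumes an existing Connect-ExchangeOnline session (e.g. View-Only
# Organization Management). Power Automate / Flow forwarding is not visible to Exchange
# cmdlets and must be reviewed separately in the Power Platform admin center.

$accepted = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() })
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Channel, [string]$Object, [string]$Target) {
    $findings.Add([pscustomobject]@{ Channel = $Channel; Object = $Object; Target = $Target })
}

# True when the address' domain is not one of the tenant's accepted domains. Handles plain SMTP
# addresses, 'smtp:user@domain' and inbox-rule strings such as '"Name" [SMTP:user@domain]'.
# Strings without '@' (legacy DNs of internal recipients) are treated as internal.
function Test-ExternalAddress([string]$Address) {
    if ($Address -notmatch '@([A-Za-z0-9.-]+)') { return $false }
    return $accepted -notcontains $Matches[1].ToLower()
}

# Remote domains that still allow automatic forwarding
foreach ($rd in Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled }) {
    Add-Finding 'RemoteDomain' $rd.DomainName 'AutoForwardEnabled=True'
}

# Enabled transport rules that redirect, copy or BCC mail to external addresses
foreach ($rule in Get-TransportRule | Where-Object { $_.State -eq 'Enabled' }) {
    $targets = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) + @($rule.AddToRecipients) + @($rule.CopyTo)
    foreach ($t in $targets | Where-Object { Test-ExternalAddress $_ }) { Add-Finding 'TransportRule' $rule.Name $t }
}

# Outbound spam policies whose AutoForwardingMode is not Off ('Automatic' is not the same as Off)
foreach ($p in Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' }) {
    Add-Finding 'OutboundSpamPolicy' $p.Name "AutoForwardingMode=$($p.AutoForwardingMode)"
}

# Mailbox forwarding set in OWA (ForwardingSmtpAddress) or by an admin (ForwardingAddress), plus
# inbox rules that forward or redirect externally. Get-InboxRule is one call per mailbox, so this
# loop is the slow part in a large tenant.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) { Add-Finding 'ForwardingSmtpAddress' $mbx.UserPrincipalName $mbx.ForwardingSmtpAddress }
    if ($mbx.ForwardingAddress) { Add-Finding 'ForwardingAddress' $mbx.UserPrincipalName "$($mbx.ForwardingAddress)" }
    foreach ($ir in Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object { $_.Enabled }) {
        $ruleTargets = @($ir.ForwardTo) + @($ir.ForwardAsAttachmentTo) + @($ir.RedirectTo)
        foreach ($t in $ruleTargets | Where-Object { Test-ExternalAddress $_ }) {
            Add-Finding 'InboxRule' "$($mbx.UserPrincipalName) / $($ir.Name)" $t
        }
    }
}

$findings | Sort-Object Channel, Object | Format-Table -AutoSize
```

Each row in the output is either a candidate for removal under STEP 1 / STEP 2 or an exclusion to document under organizational policy; pipe $findings to Export-Csv to keep a record of the review.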

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: microsoft_azure

Control ID: 51b97e39c40ee96da39ca5ad7a7f5c40c0664ed4e3c39ad2ed8c88ac93f60796