Information
Exchange Online can be configured to forward e-mail automatically. This can be done using Transport Rules in the Admin Center, Auto Forwarding per mailbox, and client-based rules in Outlook. Both administrators and users therefore have several methods to automatically and quickly send e-mail outside of your organization.
Rationale:
Reviewing mail forwarding rules gives the Messaging Administrator insight into possible attempts to exfiltrate data from the organization. A weekly review builds familiarity with the baseline, legitimate activity of users, which makes it easier to identify malicious activity by bad actors when/if they choose to use this side-channel.
Impact:
There is no impact to reviewing these reports.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To review mail forwarding rules:
Navigate to Exchange admin center https://admin.exchange.microsoft.com.
Expand Reports then select Mail flow.
Click on Auto forwarded messages report.
Review.
Note: Mail flow reports cannot be viewed from the Classic Exchange Admin Center.
To review mail forwarding rules using PowerShell:
Connect to Exchange Online PowerShell using Connect-ExchangeOnline
# Uses the administrator user credential to export Mail forwarding rules, User Delegates
# and SMTP Forwarding policies to multiple csv files.
$allUsers = Get-User -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox' } |
    Where-Object {$_.AccountDisabled -like 'False'}
$UserInboxRules = @()
$UserDelegates = @()
foreach ($User in $allUsers) {
    Write-Host 'Checking inbox rules and delegates for user: ' $User.UserPrincipalName
    # Keep only rules that forward or redirect mail. The property is RedirectTo,
    # matching the Select-Object list.
    $UserInboxRules += Get-InboxRule -Mailbox $User.UserPrincipalName |
        Select-Object Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage |
        Where-Object { ($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectTo -ne $null) }
    # Explicitly granted (non-inherited) permissions held by someone other than the mailbox owner
    $UserDelegates += Get-MailboxPermission -Identity $User.UserPrincipalName |
        Where-Object { ($_.IsInherited -ne 'True') -and ($_.User -notlike '*SELF*') }
}
# Mailbox-level SMTP forwarding
$SMTPForwarding = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxandForward |
    Where-Object {$_.ForwardingSMTPAddress -ne $null}
# Export list of inbox rules, delegates, and SMTP forwards
$UserInboxRules | Export-Csv MailForwardingRulesToExternalDomains.csv -NoTypeInformation
$UserDelegates | Export-Csv MailboxDelegatePermissions.csv -NoTypeInformation
$SMTPForwarding | Export-Csv Mailboxsmtpforwarding.csv -NoTypeInformation
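The script above exports every forwarding rule it finds, whatever the destination. The following added example (not part of the benchmark) shows one way to flag targets outside the organization's own domains during the weekly review. The function name Get-ExternalForwardTarget, the sample rows and the domain names are constructed, and the target string formats are assumptions; in a live session the internal domain list would come from (Get-AcceptedDomain).DomainName.

```powershell
# Added example, not the benchmark's code. Get-ExternalForwardTarget is a hypothetical helper.
function Get-ExternalForwardTarget {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,
        [Parameter(Mandatory)] [string]   $Source,          # 'InboxRule' or 'MailboxForward'
        [AllowEmptyCollection()] [string[]] $Targets,
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    foreach ($target in $Targets) {
        # Extract SMTP addresses from values such as 'smtp:a@b.c' or '"Name" [SMTP:a@b.c]'
        # (assumed formats for ForwardingSmtpAddress and ForwardTo/RedirectTo).
        $found = [regex]::Matches($target, '[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})')
        if ($found.Count -eq 0) {
            # Directory-style recipient (e.g. '[EX:/o=...]'): no address to classify,
            # so surface it for manual lookup instead of silently treating it as internal.
            [pscustomobject]@{ Mailbox = $Mailbox; Source = $Source; Target = $target
                               Domain = $null; Verdict = 'Unresolved' }
            continue
        }
        foreach ($m in $found) {
            $domain  = $m.Groups[1].Value.ToLowerInvariant()
            # Exact match only: a subdomain is internal only if it is itself listed.
            $verdict = if ($InternalDomains -contains $domain) { 'Internal' } else { 'External' }
            [pscustomobject]@{ Mailbox = $Mailbox; Source = $Source; Target = $m.Value
                               Domain = $domain; Verdict = $verdict }
        }
    }
}

# Constructed sample data standing in for the exported rules and accepted domains.
$internalDomains = @('contoso.example', 'contoso.onmicrosoft.example')
$sample = @(
    @{ Mailbox = 'alice@contoso.example'; Source = 'InboxRule'
       Targets = @('"Bob" [SMTP:bob@contoso.example]') },
    @{ Mailbox = 'carol@contoso.example'; Source = 'InboxRule'
       Targets = @('"Archive" [SMTP:drop@mail.example.net]',
                   '"Dave" [EX:/o=ExchangeLabs/cn=Recipients/cn=dave]') },
    @{ Mailbox = 'erin@contoso.example'; Source = 'MailboxForward'
       Targets = @('smtp:erin.personal@example.org') }
)

$report = foreach ($row in $sample) {
    Get-ExternalForwardTarget @row -InternalDomains $internalDomains
}

# Everything that is not provably internal goes to the reviewer.
$report | Where-Object Verdict -ne 'Internal' | Format-Table -AutoSize
```

With the sample data, the report lists the two external addresses and the one unresolved directory recipient, and omits the internal forward to bob@contoso.example.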