Introduction #
Automatic email forwarding is one of the most common ways (sensitive) company data leaves an organization. Giving users the ability to automatically forward email to recipients outside the organization, whether through mailbox forwarding or through message rules, is therefore risky. I’ve seen many cases where corporate email accounts were configured to automatically forward all email to personal gmail.com or hotmail.com accounts.
It is also well known that when a user account is compromised, attackers commonly add a forward on that user's mailbox, either to learn more about the user before continuing their attack or to retrieve sensitive company data for their own gain.
We recommend you disable Automatic email forwarding to external domains.
User Impact #
Medium
Disabling the Automatic email forwarding to external domains will stop any emails from automatically being forwarded outside your organisation (using rules). Users will still be able to forward emails manually outside the organisation.
Admin Portal Reference #
In Microsoft 365:
- Go to the Security & Compliance Centre
- In the left navigation, expand Threat management, and select Policy
- Select Anti-Spam
- Expand the Outbound spam filter policy and click Edit Policy
- Expand Automatic Forwarding and in the dropdown, set Automatic forwarding enabled to Off – Forwarding is disabled and click Save.


If Action is set to Notify #
We report the setting is compliant if Allow users to automatically forward messages outside the organization is set to Off.
We report the setting is non-compliant if Allow users to automatically forward messages outside the organization is set to On or Automatic.
If Action is set to Enforce #
We report the setting is compliant if Allow users to automatically forward messages outside the organization is set to Off.
We report the setting is compliant-fixed if Allow users to automatically forward messages outside the organization was set to Automatic or On but has been changed to Off.
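The following Exchange Online PowerShell script is an added example and is not part of the original page or of the product it describes. It does three things: it applies the same change as the admin portal steps above to every outbound spam filter policy in the tenant (not only the Default one), it models the Notify/Enforce evaluation described in this section as a reusable check that returns compliant, non-compliant or compliant-fixed per policy, and it inventories mailboxes and inbox rules that already forward to external domains, since the policy blocks such forwards but does not remove the configuration that created them. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange administrator role; the function names (`Test-AutoForwardingPolicy`, `Test-ExternalAddress`, `Get-ExternalForward`) are this example's own.

```powershell
# Added example (not from the original page): Exchange Online PowerShell equivalent of the
# portal steps, the Notify/Enforce evaluation, and an inventory of existing external forwards.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Evaluate every outbound spam filter policy (tenants can have custom policies besides
# "Default"). In Enforce mode, fix each non-compliant policy and report "compliant-fixed".
function Test-AutoForwardingPolicy {
    param([ValidateSet('Notify', 'Enforce')][string]$Action = 'Notify')
    foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
        $mode  = [string]$policy.AutoForwardingMode   # Automatic, On or Off
        $state = if ($mode -eq 'Off') { 'compliant' } else { 'non-compliant' }
        if ($Action -eq 'Enforce' -and $state -eq 'non-compliant') {
            Set-HostedOutboundSpamFilterPolicy -Identity $policy.Name -AutoForwardingMode Off
            $state = 'compliant-fixed'
        }
        [pscustomobject]@{ Policy = $policy.Name; Mode = $mode; State = $state }
    }
}

# Accepted domains of the tenant, so that any other destination counts as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { ([string]$_.DomainName).ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Recipients appear as "smtp:user@domain" (mailbox forwarding) or as
    # "Name [SMTP:user@domain]" (inbox rules). Entries without an SMTP address
    # (EX: legacy distinguished names) are internal recipients.
    if ($Address -match '(?i)smtp:([^\]\s]+)') {
        $domain = ($Matches[1] -split '@')[-1].ToLower()
        return ($internalDomains -notcontains $domain)
    }
    return $false
}

# Inventory existing forwards: the policy stops delivery, but the forwarding address and
# the inbox rules stay configured and remain visible here until someone removes them.
function Get-ExternalForward {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $upn = $mbx.UserPrincipalName
        $fwd = [string]$mbx.ForwardingSmtpAddress
        if ($fwd -and (Test-ExternalAddress $fwd)) {
            [pscustomobject]@{ Mailbox = $upn; Source = 'MailboxForwarding'; Rule = ''; Target = $fwd }
        }
        foreach ($rule in Get-InboxRule -Mailbox $upn) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                if (Test-ExternalAddress ([string]$t)) {
                    [pscustomobject]@{ Mailbox = $upn; Source = 'InboxRule'; Rule = $rule.Name; Target = [string]$t }
                }
            }
        }
    }
}

# Report first (Notify), then apply the fix once the report has been reviewed.
Test-AutoForwardingPolicy -Action Notify | Format-Table -AutoSize
Get-ExternalForward | Format-Table -AutoSize
# Test-AutoForwardingPolicy -Action Enforce
```

`Get-InboxRule` is called once per mailbox, so the inventory is slow on large tenants; run it out of hours or restrict `Get-Mailbox` with a filter while testing. The inventory is worth keeping as a periodic check even after the policy is set to Off, because a forward that appears on a mailbox after that point is exactly the kind of change the Introduction associates with a compromised account.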