Email Security/Exchange Online - Ensure All Forms of Mail Forwarding Are Blocked And/Or Disabled

Summary

Exchange Online mail transport rules should be configured so that email cannot be forwarded to domains outside the organization. Automatic forwarding should be disabled on the default remote domain so that users cannot auto-forward mail from Outlook or Outlook on the web, and a Client Rules Forwarding Block transport rule should be enabled so that any client-side rule that forwards email to an external domain is rejected.

Note- Any exclusions should be implemented according to organizational policy.

Reason

Attackers who gain access to a mailbox, whether through a compromised end-user account or otherwise, commonly create forwarding rules to exfiltrate data from the tenant. Such a rule keeps delivering mail to the attacker quietly and persistently, even after the account password is reset, until it is found and removed.

What If?

Before implementing this configuration, confirm that there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains affects all users in the organization. Any exclusions should be implemented according to organizational policy.

How to?

Note- This is a three-step procedure:

Step 1: Transport Rules
To remove mail transport rules that forward email to external domains, use the Microsoft 365 Admin center:
  1. Select Exchange.
  2. Select Mail Flow and Rules.
  3. For each rule that forwards email to an external domain, select the rule and click the 'Delete' icon.

You may also use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command for each offending rule:

Remove-TransportRule -Identity {RuleName}

  3. To verify this worked, re-run the audit command as follows (it lists only rules that use the RedirectMessageTo action; rules that forward via other actions such as BlindCopyTo or AddToRecipients must be reviewed separately):

Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft Name,RedirectMessageTo

Step 2: Automatic Forwarding
To disable automatic forwarding using the Microsoft 365 Admin Center:
  1. Select Exchange under Admin centers.
  2. Under Mail flow pick Remote domains.
  3. Now, click on the default policy.
  4. Click Edit reply types in the pane on the right.
  5. Ensure Allow automatic forwarding is not checked.

You may also use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command to disable auto-forwarding to remote domains:

Set-RemoteDomain Default -AutoForwardEnabled $false

  3. Run the following command to verify that AutoForwardEnabled is now False:

Get-RemoteDomain Default | fl AllowedOOFType, AutoForwardEnabled

Step 3: Block client rules for forwarding
To create the Client Rules Forwarding Block, use the Exchange Online PowerShell Module:

  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell commands to create a rule:

$rejectMessageText = "To improve security, auto-forwarding rules to external addresses have been disabled. Please contact your Microsoft Partner if you'd like to set up an exception."

New-TransportRule -Name "Client Rules To External Block" -Priority 0 -SentToScope NotInOrganization -MessageTypeMatches AutoForward -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText $rejectMessageText

  • Note that Client Rules To External Block is a placeholder name and can be changed to suit your preference. The SentToScope NotInOrganization condition limits the rule to messages leaving the tenant, so auto-forwards between internal mailboxes are unaffected.

  3. Verify that Client Rules To External Block (or the name you chose) has been created.
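The three steps above, combined into one script that is safe to re-run. This is an added example, not code from the original post. It assumes an active Connect-ExchangeOnline session with rights to manage transport rules and remote domains, keeps the page's placeholder rule name and reject text as defaults, and adds two things a practitioner usually wants: the Step 1 check covers BlindCopyTo, CopyTo and AddToRecipients as well as RedirectMessageTo (any of these actions can deliver a copy to an external domain), and offending rules are reported and, only on request, disabled rather than deleted, so a rule that turns out to be legitimate can be restored. The Test-ExternalAddress function and the -DisableOffendingRules switch are this example's own names.

```powershell
# Added example (not from the original post): idempotent version of the three
# "How to?" steps. Assumes an active Connect-ExchangeOnline session.
param(
    [string]$BlockRuleName = 'Client Rules To External Block',   # page's placeholder name
    [switch]$DisableOffendingRules   # off by default: review the Step 1 findings first
)

$rejectMessageText = "To improve security, auto-forwarding rules to external addresses have been disabled. Please contact your Microsoft Partner if you'd like to set up an exception."

# Domains the tenant accepts mail for; anything else is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { ([string]$_).ToLowerInvariant() }

function Test-ExternalAddress {
    param([string]$Address)
    # Recipient values may carry an "smtp:" prefix or a display name; pull the bare address out.
    if ($Address -match '([\w.+-]+)@([\w.-]+)') {
        return ($Matches[2].ToLowerInvariant() -notin $internalDomains)
    }
    return $false   # not an SMTP address (e.g. a group name): treat as internal
}

# Step 1: transport rules. The page's audit looks only at RedirectMessageTo; the
# other three actions also deliver a copy of the message to the listed recipients.
$forwardActions = 'RedirectMessageTo', 'BlindCopyTo', 'CopyTo', 'AddToRecipients'
foreach ($rule in Get-TransportRule) {
    $external = foreach ($action in $forwardActions) {
        foreach ($rcpt in @($rule.$action)) {
            if ($rcpt -and (Test-ExternalAddress ([string]$rcpt))) { "${action}:$rcpt" }
        }
    }
    if ($external) {
        Write-Warning "Rule '$($rule.Name)' (priority $($rule.Priority), $($rule.State)) forwards externally: $($external -join ', ')"
        if ($DisableOffendingRules) {
            # Disable rather than delete so the rule can be reviewed and restored if it was legitimate.
            Disable-TransportRule -Identity $rule.Identity -Confirm:$false
        }
    }
}

# Step 2: default remote domain. Change it only when needed so re-runs stay quiet.
if ((Get-RemoteDomain Default).AutoForwardEnabled) {
    Set-RemoteDomain Default -AutoForwardEnabled $false
}

# Step 3: the client-rules block. Create it once; re-enable it if someone turned it off.
$block = Get-TransportRule -Identity $BlockRuleName -ErrorAction SilentlyContinue
if (-not $block) {
    New-TransportRule -Name $BlockRuleName -Priority 0 -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward -RejectMessageEnhancedStatusCode 5.7.1 `
        -RejectMessageReasonText $rejectMessageText
} elseif ($block.State -ne 'Enabled') {
    Enable-TransportRule -Identity $BlockRuleName
}

# Verification, matching the page's own checks.
Get-RemoteDomain Default | Format-List AllowedOOFType, AutoForwardEnabled
Get-TransportRule -Identity $BlockRuleName | Format-List Name, Priority, State, MessageTypeMatches, SentToScope
```

Run it once without the switch to see which rules would be affected, then again with -DisableOffendingRules after the findings have been reviewed against the organization's exclusion policy.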

Monitor:

Note- This is a three-step procedure:

Step 1: Transport Rules
To verify that mail transport rules do not forward email to external domains, use the Microsoft 365 Admin center:
  1. Select Exchange.
  2. Select Mail Flow and Rules.
  3. Review the rules and verify that none of them forward to external domains.

To verify that no rules forward email to external domains, you may also use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command to list the transport rules that redirect email:

Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft Name,RedirectMessageTo

  3. Verify that none of the addresses belong to external domains. Rules that forward via other actions (BlindCopyTo, CopyTo, AddToRecipients) are not matched by this command and must be reviewed separately.

Step 2: Automatic Forwarding
To verify automatic forwarding is disabled using the Microsoft 365 Admin Center:
  1. Select Exchange under Admin centers.
  2. Under Mail flow pick Remote domains.
  3. Now, click on the default policy.
  4. Click Edit reply types in the pane on the right.
  5. Ensure Allow automatic forwarding is not checked.

You may also use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command to check whether auto-forwarding to remote domains is enabled:

Get-RemoteDomain Default | fl AllowedOOFType, AutoForwardEnabled

  3. Review the AutoForwardEnabled parameter and verify that it is set to False.

Step 3: Block client rules for forwarding
To verify that the Client Rules Forwarding Block is enabled, use the Microsoft 365 Admin Center:
  1. Go to the Exchange admin center.
  2. Select Mail flow.
  3. Select Rules.
  4. Verify that 'Client Rules To External Block' exists and is enabled.
To verify that the Client Rules Forwarding Block is enabled, use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command:

Get-TransportRule | Where-Object {$_.Identity -like '*Client Rules To External Block*'} | fl Name,State,Priority

  • Note that Client Rules To External Block is a placeholder for the name of the rule.

  3. Verify that the rule's State is Enabled.
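The monitoring steps above cover tenant-level settings only. A compromised account can also leak mail through settings on the mailbox itself (ForwardingSmtpAddress, ForwardingAddress) and through inbox rules that forward or redirect. Step 3's transport rule rejects the forwarded copies, but the rules and mailbox settings remain in place and should still be found. The following script, an added example rather than code from the original post, gathers all of these into one report. It assumes an active Connect-ExchangeOnline session with at least view-only recipient rights and uses the page's placeholder rule name as a default; the Add-Finding function is this example's own.

```powershell
# Added example (not from the original post): extends the "Monitor" checks to the
# forwarding paths a transport-rule audit does not see. Assumes an active
# Connect-ExchangeOnline session.
param([string]$BlockRuleName = 'Client Rules To External Block')   # page's placeholder name

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { ([string]$_).ToLowerInvariant() }
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Scope, [string]$Subject, [string]$Target)
    # A target is external when it carries an SMTP domain the tenant does not accept mail for.
    $domain = if ($Target -match '@([\w.-]+)') { $Matches[1].ToLowerInvariant() } else { $null }
    $findings.Add([pscustomobject]@{
        Scope    = $Scope
        Subject  = $Subject
        Target   = $Target
        External = ($domain -and $domain -notin $internalDomains)
    })
}

# 1. Tenant-level state the page already checks, collected in the same report.
if ((Get-RemoteDomain Default).AutoForwardEnabled) { Add-Finding 'RemoteDomain' 'Default' 'AutoForwardEnabled=True' }
$block = Get-TransportRule -Identity $BlockRuleName -ErrorAction SilentlyContinue
if (-not $block)                    { Add-Finding 'TransportRule' $BlockRuleName 'missing' }
elseif ($block.State -ne 'Enabled') { Add-Finding 'TransportRule' $BlockRuleName "State=$($block.State)" }

# 2. Mailbox-level forwarding, set by an admin or by an attacker holding admin rights.
#    ForwardingSmtpAddress is an arbitrary SMTP address; ForwardingAddress is a tenant
#    recipient, which can still be a mail contact that points outside the tenant.
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress) {
        Add-Finding 'MailboxForward' $mbx.PrimarySmtpAddress (([string]$mbx.ForwardingSmtpAddress) -replace '^smtp:', '')
    }
    if ($mbx.ForwardingAddress) {
        Add-Finding 'MailboxForward' $mbx.PrimarySmtpAddress "ForwardingAddress=$($mbx.ForwardingAddress)"
    }
}

# 3. Inbox rules created in Outlook or Outlook on the web. One call per mailbox, so
#    this is the slow part on a large tenant; run it on a schedule rather than ad hoc.
foreach ($mbx in $mailboxes) {
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue)) {
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($target in @($rule.$prop)) {
                if ($target) {
                    Add-Finding "InboxRule/$prop" "$($mbx.PrimarySmtpAddress) : $($rule.Name) (Enabled=$($rule.Enabled))" ([string]$target)
                }
            }
        }
    }
}

$findings | Sort-Object External -Descending | Format-Table -AutoSize

# Non-zero exit for scheduled runs: any external target, or any tenant-level control out of place.
$actionable = $findings | Where-Object { $_.External -or $_.Scope -in 'RemoteDomain', 'TransportRule' }
if ($actionable) { exit 1 }
```

Internal-only findings are still listed so that a rule forwarding to an internal mail contact can be checked by hand, since a contact's external address is not visible from the rule itself.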
