Control automatic external email forwarding in Microsoft 365
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
As an admin, you might have company requirements to restrict or control automatically forwarded messages to external recipients (recipients outside of your organization). Email forwarding can be useful, but can also pose a security risk due to the potential disclosure of information. Attackers might use this information to attack your organization or partners.
The following types of automatic forwarding are available in Microsoft 365:
- Users can configure Inbox rules to automatically forward messages to external senders (deliberately or as a result of a compromised account).
- Admins can configure mailbox forwarding (also known as SMTP forwarding) to automatically forward messages to external recipients. The admin can choose whether to simply forward messages, or keep copies of forwarded messages in the mailbox.
Users with automatic forwarding from on-premises email systems through Microsoft 365 will be subject to the same policy controls as cloud mailboxes in an upcoming update. This update will be communicated via Message Center post.
You can use outbound spam filter policies to control automatic forwarding to external recipients. Three settings are available:
- Automatic - System-controlled: This is the default setting. This setting is now the same as Off. When this setting was originally introduced, it was equivalent to On. Over time, thanks to the principles of secure by default, this setting was gradually changed to Off for all customers. For more information, see this blog post.
- On: Automatic external forwarding is allowed and not restricted.
- Off: Automatic external forwarding is disabled and will result in a non-delivery report (also known as an NDR or bounce message) to the sender.
For instructions on how to configure these settings, see Configure outbound spam filtering in EOP.
- Disabling automatic forwarding disables any Inbox rules (users) or mailbox forwarding (admins) that redirect messages to external addresses.
- Automatic forwarding of messages between internal users isn't affected by the settings in outbound spam filter policies.
How the outbound spam filter policy settings work with other automatic email forwarding controls
As an admin, you might have already configured other controls to allow or block automatic email forwarding. For example:
- Remote domains to allow or block automatic email forwarding to some or all external domains.
- Conditions and actions in Exchange mail flow rules (also known as transport rules) to detect and block automatically forwarded messages to external recipients.
When one setting allows external forwarding, but another setting blocks external forwarding, the block typically wins. Examples are described in the following table:
||Automatically forwarded messages to recipients in the affected domains are blocked.|
||Automatically forwarded messages to recipients in the affected domains are blocked.
As described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.
For absolute clarity, you should configure your outbound spam filter policy to On or Off.
||Automatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.|
You can use this behavior (for example) to allow automatic forwarding in outbound spam filter policies, but use remote domains to control the external domains that users can forward messages to.
How to find users that are automatically forwarding
You can see information about users that are automatically forwarding messages to external recipients in the Auto forwarded messages report for cloud-based accounts. For on-premises users that automatically forward from their on-premises email system through Microsoft 365, you need to create a mail flow rule to track these users. For instructions on how to create a mail flow rule, see Use the EAC to create a mail flow rule.
The following information is required to create the mail flow rule in the Exchange admin center (EAC):
Apply this rule if (condition): A message header > matches these text patterns. Note you might need to click More options to see this option.
- Header name:
- Header value:
The condition looks like this: 'X-MS-Exchange-Inbox-Rules-Loop' header matches '.'
This condition will match any value for the header.
- Header name:
(Optional) Do the following (action): You can configure an optional action. For example, you can use the action Modify the message properties > set a message header, with the header name X-Forwarded and the value True. But, configuring an action is not required.
Set Audit this rue with severity level to the value Low, Medium, or High. This setting allows you to use the Exchange transport rule report to get details of users that are forwarding.
Blocked email forwarding messages
When a message is detected as automatically forwarded, and the outbound spam filter policy blocks that activity, the message is returned to the sender in an NDR that contains the following information:
5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)