Microsoft Defender Secure Score Recommended Action (RA) – Ensure all forms of mail forwarding are blocked and/or disabled

In the intricate landscape of organizational cybersecurity, one often overlooked vector for data leakage and unauthorized access is the seemingly innocuous feature of mail forwarding. Microsoft Defender’s Secure Score, a dynamic metric designed to evaluate and enhance the security posture of Microsoft 365 environments, identifies the control and restriction of mail forwarding as a pivotal action. This technical blog post aims to shed light on the criticality of “Ensuring all forms of mail forwarding are blocked and/or disabled” as recommended by Microsoft Defender Secure Score. 

Note: “Recommended action” Remediations as identified by “Microsoft 365 admin center Portal (https://portal.microsoft.com) \ Security \ Secure score \ Recommended actions” in a pristine baseline environment.

Rank Recommended action

43 Ensure all forms of mail forwarding are blocked and/or disabled

Microsoft Security Score

Before Mitigation:

After Mitigation:

Secure Score Improvement: +0.48%

General

Description

Exchange Online offers several methods of managing the flow of email messages.
These are Remote domain, Transport Rules, and Anti-spam outbound policies. These
methods work together to provide comprehensive coverage for potential automatic
forwarding channels:

• Outlook forwarding using inbox rules
• Outlook forwarding configured using OOF rule
• OWA forwarding setting (ForwardingSmtpAddress)
• Forwarding set by the admin using EAC (ForwardingAddress)
• Forwarding using Power Automate / Flow

NOTE:

• In this control, remediation is carried out in two stages – Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically.
• Any exclusions should be implemented based on organizational policy.

Rationale:
Attackers often create these rules to exfiltrate data from your tenancy, this could be
accomplished via access to an end-user account or otherwise. An insider could also use
one of these methods as a secondary channel to exfiltrate sensitive data.

Implementation status

100% of users are affected by policies that are configured less securely than is recommended

• Default – 1 users (100%)

User impact

Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.

Users affected​

All of your Microsoft 365 users

Implementation

Prerequisites

You have Microsoft Defender for Office 365 P1.

Next steps

NOTE: In this control, remediation is carried out in two stages -Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

STEP 1: Transport rules

To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

1. Select Exchange to open the Exchange admin center.
2. Select Mail Flow then Rules.
3. For each rule that redirects email to external domains, select the rule and click the ‘Delete’ icon.

To perform remediation, you may also use the Exchange Online PowerShell
Module:

1. Connect to Exchange Online user Connect-ExchangeOnline.
2. Run the following PowerShell command:Remove-TransportRule {RuleName}
3. To verify this worked you may re-run the audit command as follows:Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
   Name,RedirectMessageTo

STEP 2: Anti-spam outbound policy

Configure an anti-spam outbound policy:

1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
2. Expand E-mail & collaboration then select Policies & rules.
3. Select Threat policies > Anti-spam.
4. Select Anti-spam outbound policy (default)
5. Click Edit protection settings
6. Set Automatic forwarding rules dropdown to Off – Forwarding is disabled and click Save
7. Repeat steps 4-6 for any additional higher priority, custom policies.

Learn more

Procedures for mail flow rules in Exchange Server | Microsoft LearnNOTE: In this control, remediation is carried out in two stages – Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

STEP 1: Transport rules

To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

1. Select Exchange to open the Exchange admin center.

1. Select Mail Flow then Rules.

1. For each rule that redirects email to external domains, select the rule and click the ‘Delete‘ icon.

To perform remediation, you may also use the Exchange Online PowerShell Module:

1. Connect to Exchange Online user Connect-ExchangeOnline.
2. Run the following PowerShell command:Remove-TransportRule {RuleName}
3. To verify this worked you may re-run the audit command as follows:Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft Name,RedirectMessageTo

STEP 2: Anti-spam outbound policy

Configure an anti-spam outbound policy:

1. Navigate to Microsoft 365 Defender https://security.microsoft.com/

1. Expand E-mail & collaboration then select Policies & rules.

1. Select Threat policies > Anti-spam.

1. Select Anti-spam outbound policy (Default)

1. Click Edit protection settings

1. Set Automatic forwarding rules dropdown to Off – Forwarding is disabled and click Save

1. Repeat steps 4-6 for any additional higher priority, custom policies.

Mitigation

The Corrective Action for 43- Ensure all forms of mail forwarding are blocked and/or disabled