If you use Exchange Online, you will want to take some action right away to manage automatic external email forwarding. Why? Because Microsoft is rolling out an update to Exchange Online that will change the default behavior around this kind of external email forwarding. And you don’t want to get caught short when that happens, as early as September 1st!
Here are the Details on the Advisory
Microsoft issued Advisory MC220853 a few days ago (the original announcement came in July). It states that the default policy for automatic external email forwarding will be changed. The default setting will now be Off. (Right now, the default setting is System-controlled.) Once this policy default is changed, if someone sends an email to a user in your organization who has set up an external auto-forward rule, two things will happen. Exchange Online will block the email from being forwarded. It will also send a non-delivery report to the original sender.
But what about users that need to forward mail outside the organization? Microsoft will implement a control that allows an administrator to set up automatic external email forwarding. That way, the administrator can set a default policy and still allow certain users to bypass it.
Note that automatic internal email forwarding will not be affected by this update.
What’s the Fuss with Automatic External Email Forwarding?
Automated email forwarding, especially to external email domains, is a common practice. It’s also questionable. I can think of one customer that receives invoices at one specific mailbox and forwards them to their contract bookkeeper for processing.
It’s also common to set up automatic email forwarding when a person leaves the organization. However, in this case the email is normally forwarded to another person in the organization. So, no harm done there.
A better practice would be to set up a shared mailbox and provide a license for the outside party, so they could log in and process the mail.
But the biggest problem with rules-based external email forwarding is—you guessed it—security. It’s common for a hacker to set up external email forwarding to an account they control. I’ve seen it many times. Given that no one may notice the account compromise, they may also miss the external email forwarding. In one case, the hacker set an Outlook rule that forwarded just emails with certain keywords to an outside account.
What Steps Should You Take to Manage Automatic External Email Forwarding?
Here are the actions you want to take.
First, find out if there are any users that have automated external email forwarding set up. Yes, there’s a report for that. It’s called the auto-forwarded messages report (clever name, eh?). You can read about it here.
I ran the report for CGNET’s domain. You can see the results in the image below. Two of the entries are for long-ago CGNET employees. So, losing their external email forwarding is probably not going to be a problem. For the third person, we can set up a rule to allow this external email forwarding.
Automated external email forwarding that happens as a result of mail transport rules won’t be affected by the new anti-spam policy. So, you don’t need to worry about that variation of external email forwarding.
If you want to see more details about this email forwarding, you can run the forwarding report (named by the same people) for these users and get the details. Here’s an example.
Second, configure your outbound spam policy to allow or deny automatic external email forwarding. You can leave it in the (soon to be) default state of Off. Or you can turn it on. Either way, you can exempt selected users from the policy. The details about how to do this are here.
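The two steps above can also be carried out from Exchange Online PowerShell rather than the admin center reports. The script below is an added example and is not part of the original post or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and that you sign in with an Exchange Administrator account; the admin account and the exception addresses are constructed placeholders, and the regular expression used to pull addresses out of inbox-rule recipients is an assumption about that display format, so check its output against the forwarding report before acting on it.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and an Exchange Administrator sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # constructed placeholder

# Domains your tenant owns; anything else counts as "external" below.
$acceptedDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalAddresses {
    # Return the addresses in $Text whose domain is not an accepted domain.
    # Assumption: recipients appear as "Name [SMTP:user@domain]" or "smtp:user@domain".
    param([string[]]$Text)
    $found = @()
    foreach ($t in $Text) {
        foreach ($m in [regex]::Matches([string]$t, '[\w.+-]+@[\w.-]+\.\w+')) {
            $domain = $m.Value.Split('@')[-1]
            if ($acceptedDomains -notcontains $domain) { $found += $m.Value }
        }
    }
    return $found | Sort-Object -Unique
}

# Step 1a: mailbox-level forwarding (set by the user in Outlook settings or by an admin).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwards = foreach ($mbx in $mailboxes) {
    $ext = Get-ExternalAddresses -Text @($mbx.ForwardingSmtpAddress)
    if ($ext) {
        [pscustomobject]@{
            User   = $mbx.UserPrincipalName
            Source = 'Mailbox'
            Target = ($ext -join ';')
            Keeps  = $mbx.DeliverToMailboxAndForward   # $false means the mailbox keeps no copy
        }
    }
}

# Step 1b: inbox rules that forward or redirect to an external recipient. This is the
# variant the post describes an attacker using, often filtered to a few keywords.
$ruleForwards = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $ext = Get-ExternalAddresses -Text (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo))
            if ($ext) {
                [pscustomobject]@{
                    User   = $mbx.UserPrincipalName
                    Source = "Rule: $($_.Name)"
                    Target = ($ext -join ';')
                    Keeps  = -not $_.RedirectTo   # redirects leave no copy in the mailbox
                }
            }
        }
}

# Review this list before changing policy; it is what the new default will start blocking.
$mailboxForwards + $ruleForwards | Format-Table -AutoSize

# Step 2: set the default outbound spam policy to block automatic external forwarding
# (the value the update will apply by default), then verify.
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# Step 2, exceptions: a second policy with forwarding On, applied only to the users who
# have a real business need. Addresses are constructed placeholders.
$allowedUsers = @('invoices@contoso.example')
New-HostedOutboundSpamFilterPolicy -Name 'Allow External Auto-Forward' -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name 'Allow External Auto-Forward' `
    -HostedOutboundSpamFilterPolicy 'Allow External Auto-Forward' `
    -From $allowedUsers

Disconnect-ExchangeOnline -Confirm:$false
```

Run the discovery half on its own first and compare the output with the auto-forwarded messages report; the report only shows forwarding that has actually carried traffic recently, while the mailbox and rule scan shows everything that is configured, including a dormant rule nobody has noticed yet. The exception policy is matched by the outbound spam filter rule's sender condition, so the users listed in it are the only ones whose external auto-forwards keep working after the default flips to Off.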
Disabling Automated External Email Forwarding is a Good Idea
We recommend that you disable automatic external email forwarding. Microsoft 365 has lots of protections for email that remains within the Exchange Online environment. These protections are lost once a user forwards their messages outside of that environment. If you do have users who have a real need to automatically forward emails to an external address, that’s OK. You can add them back as exceptions to the anti-spam rule that disables this external forwarding.
One thing I’ve learned in cybersecurity is that a tidy environment is a more secure environment. Disable automatic external email forwarding, deal with the exceptions, and cross this item off your list of security issues to worry about.