Table of Contents
Stop Forwarding Email Outside Exchange Online
There’s no doubt that automatically forwarding messages to an email address outside Office 365 can pose a significant risk for a business. Messages can end up in places where they shouldn’t go, including when an attack infiltrates an account and sets up forwarding on a mailbox by setting a mail forwarding address or with an inbox rule. In addition, removing email from Exchange Online compromises compliance and oversight because messages are no longer available for eDiscovery.
Various techniques exist to combat the problem, including:
- Restricting the ability of users to set forwarding addresses in OWA.
- Applying more general restrictions to block forwarding to specific domains.
- Blocking email forwarding from Power Automate (Flow).
These techniques work and all allow users to manually forward individual messages, but administrators must be aware of the problem caused by automatic forwarding and act to stop it. What’s different now is that Microsoft is making automatic forwarding more of an opt-in feature rather than forcing tenants to block automatic forwarding (roadmap item 63831) and make organizations more secure by default.
In some ways, it’s like the approach taken to disable basic authentication for Exchange connection protocols. Start by showing disapproval of something which contributes to insecure tenants and gradually escalate to close the hole.
Tuning Mail Forwarding in the Default Ant-Spam Outbound Filter Policy
A series of Office 365 notifications posted to the message center, starting with MC218984 (July) and more recently MC221113 (September), advised tenants of a change to the default outbound spam filter policy. The default outbound spam filter policy is present and active in all Exchange Online tenants.
First, Microsoft introduced automatic forwarding settings for anti-spam policies. The settings were inactive but allowed administrators to define how they wanted forwarding to happen. Tenants identified as having mailboxes with autoforwarding enabled also received notification that they had some work to do to decide how to handle these forwards. The next step was to enable the forwarding setting in the default anti-spam outbound policy using On as the Automatic (default) setting, meaning that mail forwarding acted as before.
This week, Microsoft changed the Automatic setting to Off to block mail forwarding. If you didn’t choose a different setting (possibly because you missed the notification), the Automatic setting is active. Some administrators overlooked the previous communications and were surprised when users began to report that forwarding doesn’t work. Life is full of surprises!
Mail Forwarding Settings
The available settings in anti-spam outbound policies to govern mail forwarding (Figure 1) are:
- Automatic: Exchange Online decides if mail forwarding is allowed or not. This is the default setting and normally means that users cannot forward email from Exchange Online mailboxes to external addresses.
- On: Users can forward email.
- Off: Users cannot forward email. Exchange will not change this value.
If automatic mail forwarding is blocked, users can still configure a mail forwarding address through OWA options (which is a good reason to remove the option from OWA) or create an inbox rule to redirect messages to an external address, but any attempt to send a message to that user which results in an attempted forward is rejected by the transport service and won’t be delivered. The sender receives an NDR to let them know about the problem (Figure 2).
The key thing for administrators to note is the NDR code: “5.7.520 Access denied. Your organization does not allow external forwarding.” Once you see this, you know a message was blocked by the outbound spam filter policy.
Allowing Automatic Forwarding for Specific Users
The default outbound spam policy is always active and cannot be disabled. If you want to stop mail forwarding in general and allow it for specific people, you should create a custom outbound spam filter policy and add the people and distribution lists to that policy. As you can see in Figure 3, SMTP addresses are used to specify people and distribution lists, not display names.
A Good Change to End a Bad Practice
There’s not much to argue about in this change. Automatically forwarding mail to an external address is not good practice. If someone really needs to forward email to an external address, they should be able to quantify the need in terms of a business justification to be added to a custom outbound spam filter policy. I doubt that many will be able to come up with such a justification, but those who do will be able to continue while the rest of the organization remains just a little bit safer.
Need to know more about the various policies used by Exchange Online to manage mail transport? It’s all described in the Office 365 for IT Pros eBook.
I definitely think this is good to be enabled by default, but its dumb MS didn’t allow forwarding that was setup via exch admin panel rules to not be affected by this. THanks for the info all the same.
MS have overwritten our settings, so we set this months ago to enable as we have external services which only work with forwarding.
low and behold that setting got reset.
Which was doubly annoying as for a week it wasn’t on or off it was some messages can be forwarded but not others with no discernible pattern.
At least MS won’t mess with this when set via exch admin, time to go though all the service mailboxes and set them up that way, save MS resetting the setting again.
Confused if this is only for cloud based mailboxes or if they can be directory snyced.
It was a great idea to just go and disable email forwarding for everybody. I wasn’t receiving emails from one of my inboxes for a month, almost lost a customer. Very reliable service.
Perhaps this also underlines the need to keep an eye on the changes happening in the service so that you understand the potential impact on your business?
That is snide and inappropriate answer. Microsoft sends out dozens of Office 365 announcements per week. This was buried in them. Most small and medium business don’t have enough IT time to process every change made. This is extremely common pattern for use with third party services, especially customer support. Not just people who want things in the gmail inbox. Breaking changes like this should never be applied without user consent or at least very serious and repeated warnings. This was not handled appropriately in anyway.
Why snide? I merely report the facts. If you use a service, you need to keep an eye on what’s happening. This change is linked to a more general project to make Exchange Online secure by default and to close off holes exploited by hackers. I told to my view that you need to keep an eye on things if you don’t want to be surprised.
Our forwarding has also stopped working internally, so that if we set a forward for a user who has left to go to another internal account, nada. I thought this is only for forwarding to external accounts?
That’s certainly the way it is designed to work. Is the address set up for forwarding using a domain that isn’t “owned” by Office 365?
I realized after posting that this could possibly be a Mimecast level interruption so looking into that now. Thanks for the informative article.
I’m surprised that disabling automatic forwarding doesn’t actually prevent users from setting up forwarding. It just silently stops email leaving or arriving at their mailbox from their perspective (leaving no way to communicate with them what’s happened). I know that users sending mail to the mailbox get a bounce back but the user with forwarding set up will never know what went wrong.
You can block people setting up autofowarding in OWA: https://petri.com/stop-owa-users-autoforwarding-email
So now by default, Outlook notifies the end user of their mail being forwarded even if it’s been done at an administrative level from the console. If a user is leaving and the employer wants to keep an eye on their emails this can cause an issue. IMO this should not have been done from Microsoft. I can understand it being done for OWA rule sets as this is common if your mail has been hacked for the hackers to do, however not from an admin level.
I agree with Justin G. Any IT Admin person has over a 101 things to cover off. We’re currently snowed under with Teams. MS send out so many updates even if you read them all you are struggling to understand every nuance until it jumps up an bites you. I think disabling Auto-forwarding by default is a good ide but finding exactly where in Office 365 and Azure Admin is also a nightmare. Unlike previous where user were caught, blocked and punished! there was an alert list where you “fix” their problem and “release” them. Not so now. They’re punished for a “day” no parole allowed by MS. This setting should be more tunable.
Any idea how to retrieve the messages that were blocked from forwarding but “save a copy” was not selected. I can see that there were 35 messages that attempted to auto-forward, but I need to retrieve them, not have them lost in never never land.
Aren’t the messages not in the user mailboxes?
If not, do a content search to find out where they are. I don’t think they should have been removed completely. If data was lost, that is a serious issue.
Bigger problem, that the system does not allow me to change the settings. It keeps saying: “Sorry! We couldn’t update your organization settings for now, but we will retry it in background. Please check back later.”
Any advice? Thx
Wait for EXO to apply the setting or contact Microsoft support…
Thank you, it worked later today!
EXO? I am having the same error. I have tried different browsers but still the same error. I need to turn on email forwarding for my API to talk with my other work platforms.
Use the Allowing Automatic Forwarding for Specific Users feature in the policy to permit the account you want to use to autoforward.
You need to have appropriate privileges. I have global admin privileges but even that wasn’t enough to be able to change the setting. I had to get the user with the admin account to change it.
Same here! why won’t it go through and save the enable forwarding function?
I have an user from other company, also in Exchange online, where forwarding was enabled and these emails are reaching my exchange, however all messages are being classified from my side as SPAM. Do you know if antispam in Office 365 is automatically marked this messages as SPAM because are forwarded? Thanks!
The messages should go through EOP in the other tenant and might have been marked as spam there. You’d have to look at the headers to see what’s in there.