If your users have a business case for external email auto-forwarding, this risk can absolutely be managed - it's not something you must disable. However, if no one is using the feature, it is a good idea to disable it, since doing so limits the potential impact of an account compromise.
Mail rules can be abused by attackers to get stealthy, persistent access to a mailbox, leak data and facilitate high-impact Business Email Compromise (read more here). As a result, lots of organisations decide to ban external auto-forwarding of email altogether. The question is: is this a good move?
This is damage limitation, not prevention
It’s important to recognise that adding a malicious mail rule to a user’s mailbox is a post-compromise activity. That is, the attacker has already compromised the victim somehow - stolen their password, deployed malware on their machine, obtained a mailbox-scoped OAuth token through consent phishing, etc. - and already has access to their mailbox. At this point, you should assume all data in the mailbox is compromised anyway, because the attacker can read it directly through the session they already hold. (See here for “what to do if I find a malicious mail rule?”)
Preventing external auto-forwarding rules therefore reduces the further potential impact of a compromised account: it stops the attacker from retaining a copy of new mail after you reset the password and revoke sessions. That is worth doing if no one is using the feature, but what if your users are?
Security vs. user experience
Good security should enable a business and its users to work securely rather than constrain them. Controls that restrict users’ productivity or are seen as a nuisance will be bypassed (for example, by forwarding mail manually or from a personal device), and although you might prevent one attack type, you’ll ultimately cause less secure behaviour from your users.
With that in mind, if external auto-forwarding of email is something your users need - and there are plenty of legitimate scenarios where this may be the case - you should be considering how to manage the risk rather than eliminate it. The good news is that this is totally doable. Equally, if none, or only a few, of your users need this feature, you should of course disable it to reduce your overall risk.
Managing the risk on Exchange Online for Microsoft 365 through detection alone
Managing the risk of external auto-forwarding rules means making sure you’re alerted when one is created, and that you know which ones already exist.
If you’re using Exchange Online for Microsoft 365, an informational alert policy - “Creation of forwarding/redirect rule” - can be enabled so that an alert is sent to tenant admins whenever a rule of this type is created in future.
The downside of this approach is that it isn’t possible to look retrospectively (without using PowerShell), so alerts will only fire on future creation of forwarding rules. Additionally, alerts also fire for internal forwarding rules, which generates a lot of noise when you are looking specifically for malicious rules, and the alert policy does not cover mailbox-level forwarding configured with Set-Mailbox rather than as an inbox rule.
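The retrospective sweep the alert policy cannot do, as an added example (this is not code from the original post or from any product it describes): it connects to Exchange Online with the ExchangeOnlineManagement module, treats any domain that is not one of the tenant's accepted domains as external, and reports both inbox rules and mailbox-level forwarding that point outside the tenant. The tenant, admin account and the 90-day audit window are assumptions; adjust them for your environment.

```powershell
# Added example: sweep Exchange Online for existing external auto-forwarding.
# Assumes the ExchangeOnlineManagement module is installed and you hold an
# Exchange admin role. Get-Mailbox -ResultSize Unlimited is slow on large tenants.
Connect-ExchangeOnline

# Domains the tenant owns (including the default *.onmicrosoft.com domain).
# Anything else is treated as external. Subdomain-inclusive accepted domains
# (*.example.com) are not expanded here; extend the check if you rely on them.
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Get-ExternalSmtpTargets {
    param([object[]]$Recipients)
    # Get-InboxRule renders recipients as strings such as
    #   "Alice" [SMTP:alice@partner.example]        (SMTP address, may be external)
    #   "Bob"   [EX:/o=Org/.../cn=Recipients/cn=bob] (internal legacy DN, never external)
    foreach ($r in $Recipients) {
        if ("$r" -match 'SMTP:([^\]]+)\]') {
            $addr = $Matches[1].ToLower()
            if ($acceptedDomains -notcontains $addr.Split('@')[-1]) { $addr }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    $owner = "$($mbx.PrimarySmtpAddress)"

    # 1. Mailbox-level forwarding set with Set-Mailbox. This is not an inbox rule,
    #    so the "Creation of forwarding/redirect rule" alert never sees it.
    if ($mbx.ForwardingSmtpAddress) {
        $target = ("$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', '').ToLower()
        if ($acceptedDomains -notcontains $target.Split('@')[-1]) {
            [pscustomobject]@{ Mailbox = $owner; Kind = 'MailboxForwarding'; Rule = '(Set-Mailbox)'; Target = $target; Enabled = $true }
        }
    }

    # 2. Inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $owner) {
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in Get-ExternalSmtpTargets -Recipients $recipients) {
            [pscustomobject]@{ Mailbox = $owner; Kind = 'InboxRule'; Rule = $rule.Name; Target = $t; Enabled = $rule.Enabled }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Who created or changed inbox rules in the last 90 days, and from which IP.
# Requires unified audit logging to be enabled for the tenant.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations New-InboxRule,Set-InboxRule -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, ClientIP, Operation |
    Format-Table -AutoSize

# Containment for a rule you have confirmed is malicious. Disabling rather than
# deleting preserves the rule as evidence for the incident record.
# Disable-InboxRule -Mailbox $finding.Mailbox -Identity $finding.Rule
```

Triage each finding against the audit log entry rather than the rule name alone: a rule created at 03:00 from an IP outside your usual geography is a stronger signal than a rule named "Invoices", and a rule whose target is the user's own personal address still needs the user to confirm it.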
Managing the risk on Exchange Online for Microsoft 365 through detection & prevention
In addition to being alerted when rules are created, you can take steps either to disallow external auto-forwarding rules altogether or to prevent them from taking effect. You might think disallowing their creation is better, but if you permit creation and stop the rules from taking effect, you keep a high-fidelity indicator of account compromise (an attacker who creates a forwarding rule is telling you they are in the mailbox) without adding any additional risk.
In Exchange Online for Microsoft 365, you can achieve this with outbound spam filter policies, which can automatically stop any email auto-forwarded out of your organisation. If an attacker creates a malicious auto-forwarding rule, any forwarded mail will be blocked by the spam filter; if your alerts are set up correctly, you’ll still receive an alert about the new malicious rule. Because the policies are scoped by rules, the block can apply tenant-wide while a named group of users with a genuine business need is allowed through.
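The prevention configuration described above, as an added example (not code from the original post): it shows the weak setting beside the corrected one in the default outbound spam filter policy, then carves out an exception for an approved group so the business case survives. The group address and policy names are assumptions.

```powershell
# Added example: block auto-forwarded mail at the tenant boundary while leaving
# rule creation, and therefore the "new forwarding rule" alert, intact.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Weak / ambiguous setting: AutoForwardingMode of "On" allows forwarding outright,
# and "Automatic" defers to Microsoft's default, which has changed over time.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# Corrected setting: make the block explicit in the default policy.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Exception for users with an approved business case. A dedicated policy that
# allows forwarding is bound to the members of an approval group (assumed name).
New-HostedOutboundSpamFilterPolicy -Name 'Allow external auto-forward' -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name 'Allow external auto-forward' `
    -HostedOutboundSpamFilterPolicy 'Allow external auto-forward' `
    -FromMemberOf 'auto-forward-approved@example.com'

# Verify: the exception rule exists and the default remains Off.
Get-HostedOutboundSpamFilterRule | Select-Object Name, Priority, FromMemberOf, HostedOutboundSpamFilterPolicy
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# Older control that also governs automatic forwarding, kept in step so the two
# settings do not contradict each other:
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Membership of the approval group becomes the access-control decision, so review it periodically: an attacker who can add a compromised user to that group, or who compromises a member of it, gets forwarding back. Note too that this blocks the automatic forward, not the attacker's direct read access to the mailbox, which is why the alert on rule creation still matters.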
Managing the risk on Gmail for Google Workspace
Google Workspace only allows complete prevention, so that your users (and attackers) are unable to create forwarding settings. If you decide that is right for you, you can disable automatic forwarding entirely by following these instructions.
Managing the risk using the Push platform
Using the Push platform makes managing this risk a lot easier and takes less of your time:
Connect your platform with a few clicks and we’ll sweep your estate for any suspicious rules currently in place.
Get alerts via email or ChatOps (Slack or Teams) when new rules are created. Triage and deal with them directly from the email or chat platform.
Use our ChatOps features to ask users directly if they recognise a rule when you’re unsure. You can even automate this so user feedback is already collected by the time you come to triage.
Disable rules directly from the platform for quick response.
Follow our detailed and clear guides for how to respond comprehensively.
If your users don’t use external email auto-forwarding, it makes sense to disable the feature to limit the impact of a malicious mail rule. However, if there are legitimate business reasons for keeping the feature active, this risk can be sufficiently managed through detection, combined where possible with blocking the forwarded mail itself.