Email Forwarding is a challenge when it comes to modern attacks, and it was recently used as one of the tools in a crimecase in Sweden. Basically the attackers forwarded all emails from the victims to themselves to be able to track the victims very easily and to gain insights and data for social engineering attacks. Multifactor auth via e-mail or password reset links where obtained and could easly be used to manipulate and gain access.
Email forwarding can be created in Outlook or the the web application (OWA) by the users or an attacker with access to a user account.
The solution for this is very easy.
You can block email forwarding and redirects in general and allow it where it’s necessary (if you do have that scenario).
Block autoforward domain wide for Office 365 using PowerShell:
Set-RemoteDomain Default -AutoForwardEnabled $false
It is possible to configure this on a per domain basis.
For instance, if you need to allow forward to specific domain.
To view all forwarding rules today both on-prem and cloud you can use the following script.
The only difference is the connection part.
View the Rules
Function Get-AutoForwardRules
{
foreach ($a in (Get-Mailbox -ResultSize Unlimited |select PrimarySMTPAddress))
{
Get-InboxRule -Mailbox $a.PrimarySMTPAddress |
?{($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.DeleteMessage -eq $true) -or ($_.RedirectTo -ne $null)} |
select Name,Identity,ForwardTo,ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
}
#Example
Get-AutoForwardRules
To get the PowerShell module for office 365 which supports MFA.
Download the PowerShell Module (available in the 365 admin portal)
Connect using: Connect-EXOPSSession -UserPrincipalName user@example.com
Security Features in Office 365
Depending on your Office 365 Subscription you might get a warning email when someone tries to define a forwarding rule
This is an example for Exchange Online
$Mailboxes = Get-Mailbox -ResultSize "Unlimited"
$Count = 1
ForEach ($Mailbox in $Mailboxes)
{
Write-Progress -Activity "Checking inboxrules..." -Status "User $($Mailbox.PrimarySmtpAddress) ($count/$($Mailboxes.count))" -PercentComplete ($Count / $Mailboxes.count*100)
$MailboxWithRule = Get-InboxRule -Mailbox $Mailbox.Alias | Where-Object {($_.RedirectTo -ne $null) -and ($_.ForwardTo -ne $null) -and ($_.ForwardAsAttachmentTo -ne $null)}
if ($MailboxWithRule -ne $Null) {
Write-Host "Mailbox $($Mailbox.PrimarySmtpAddress) has these rulez:" $MailboxWithRule |
fl Name, Identity, RedirectTo, ForwardTo, ForwardAsAttachmentTo
}
$count++
}