Posted in : Office 365 By Jonas Back Translate with Google ⟶
3 years ago
Every time we come over a compromised Microsoft 365 account, one of the first actions the perpetrator took was to create e-mail forwarding rules to an external e-mail address. This enables them to infiltrate your business but still hides there presence and can go unnoticed for quite some time if you don’t monitor the correct reports.
Because of this, Microsoft 365 will start blocking external e-mail forwarding by default. A good move! However, this has caused significant incidents for our customers for those who didn’t monitor their Message Center properly resulting in the following error in the mailboxes performing e-mail forwards:
Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)'
So let’s say you realize you need to figure out who are actually performing e-mail forwarding in your tenant? Well, there are several ways:
1. Report
Check the report available in protection.office.com > Mail flow > Dashboard
You can also click View details table to get specific details of all forwards:
In technical terms, where can forwards be created?
2. Powershell
This can be set by the admin or the user when they enable forwarding. The user can set this in Outlook on the web > Settings (the cogwheel) > View all Outlook settings > Mail > Forwarding and select [v] Enable forwarding.
Connect-ExchangeOnline $mailboxes = Get-Mailbox -ResultSize Unlimited $mailboxes | Select Identity, PrimarySmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
3. Exchange admin center
This can be set by the admin in the new and old Exchange admin centers:
- New > Manage mail flow settings > E-mail forwarding
- Old > recipients > mailboxes > mailbox features > Deliver Options
4. Mail flow rules
This can be set by the admin.
5. Inbox rules within the mailbox
These will be set as rules inside the specific mailbox using Outlook Desktop or Outlook on the web. These can be found using:
Connect-ExchangeOnline
$mailboxes = Get-Mailbox -ResultSize Unlimited
$InboxRules = @()
foreach ($mailbox in $mailboxes)
{
$InboxRule = Get-InboxRule -mailbox $mailbox.identity -ErrorAction SilentlyContinue
$InboxRules += $inboxRule
}
$InboxRules | Select Enabled, MailboxOwnerId, Name, Description, From, ForwardTo | Out-GridView
You will need to enable some filtering using the PowerShell script or Excel filter.
6. Using Out-of-Office > Rules
Not a very common way and not possible to find using PowerShell. Please vote on the Uservoice to surface these settings.
Reference
- Roadmap item 63831
- Message Center items: MC223421, MC221113, MC221119
Tags : Exchange, Microsoft 365
Personlig rådgivning
Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.
Add comment