Posted in : Office 365 Av Jonas Back Översätt med Google ⟶

3 years ago

Every time we come over a compromised Microsoft 365 account, one of the first actions the perpetrator took was to create e-mail forwarding rules to an external e-mail address. This enables them to infiltrate your business but still hides there presence and can go unnoticed for quite some time if you don’t monitor the correct reports.

Because of this, Microsoft 365 will start blocking external e-mail forwarding by default. A good move! However, this has caused significant incidents for our customers for those who didn’t monitor their Message Center properly resulting in the following error in the mailboxes performing e-mail forwards:

Remote Server returned '550 5.7.520 Access denied,
Your organization does not allow external forwarding.
Please contact your administrator for further assistance. AS(7555)'


So let’s say you realize you need to figure out who are actually performing e-mail forwarding in your tenant? Well, there are several ways:

1. Report

Check the report available in > Mail flow > Dashboard

Make sure to edit Filters to set proper Start Date and End Date. You can click Show data for to change view and get piecharts:

You can also click View details table to get specific details of all forwards:

In technical terms, where can forwards be created?

2. Powershell

This can be set by the admin or the user when they enable forwarding. The user can set this in Outlook on the web > Settings (the cogwheel) > View all Outlook settings > Mail > Forwarding and select [v] Enable forwarding.

$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Select Identity, PrimarySmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

3. Exchange admin center

This can be set by the admin in the new and old Exchange admin centers:

  • New > Manage mail flow settings > E-mail forwarding
  • Old > recipients > mailboxes > mailbox features > Deliver Options

4. Mail flow rules

This can be set by the admin.

5. Inbox rules within the mailbox

These will be set as rules inside the specific mailbox using Outlook Desktop or Outlook on the web. These can be found using:

$mailboxes = Get-Mailbox -ResultSize Unlimited
$InboxRules = @()
foreach ($mailbox in $mailboxes)
$InboxRule = Get-InboxRule -mailbox $mailbox.identity -ErrorAction SilentlyContinue
$InboxRules += $inboxRule
$InboxRules | Select Enabled, MailboxOwnerId, Name, Description, From, ForwardTo | Out-GridView

You will need to enable some filtering using the PowerShell script or Excel filter.

6. Using Out-of-Office > Rules

Not a very common way and not possible to find using PowerShell. Please vote on the Uservoice to surface these settings.


Tags : Exchange, Microsoft 365

Personlig rådgivning

Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.

Add comment

Your comment will be revised by the site if needed.