It should come as no surprise that the flood of phishing emails being sent out is doing more than amassing credentials from unsuspecting people. Scammers use those credentials to log into the now compromised accounts and harvest confidential information (credit card numbers, wire transfer account numbers and the like). At that point the scammer has the user's email, the user's contacts (users often store website credentials in contact cards), and the ability to spread the scam further with an email blast to those contacts. That can get your domain blacklisted and damage the reputation of your email system, and it can damage the reputation of the user as well. One part of this attack that is often overlooked is that the scammer enables external mail forwarding in the user's mailbox options while leaving a copy of each message in the mailbox. Because forwarding is a mailbox setting and not a session, it keeps working after the password is reset, and neither the end user nor, often, the Office 365 admin ever notices, since nothing changes in the user's experience. For professional services companies without a dedicated IT department, this may be noticed much too late! The good news is that it is fairly simple to detect unauthorized forwarding on an Office 365 mailbox and to close that gap. In this post we'll review how to check which of your mailboxes have forwarding enabled and how to set up some controls to protect against the attack. Stay tuned for our next O365 post on how to enable Multi-Factor Authentication.

Find which mailboxes have forwarding enabled

After connecting to Office 365 through PowerShell, run the PowerShell command below; it lists every mailbox that has mailbox-level forwarding set (the ForwardingAddress or ForwardingSmtpAddress property). Some mailboxes may be forwarding by design, so if this is your first time running the command it is a good idea to document which mailboxes and destinations are intended, so later runs can be compared against that baseline. Note that this command does not see inbox rules that forward or redirect mail (Get-InboxRule), which is where a phisher working from Outlook or OWA usually puts the forward; those need their own check.

Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))}
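The script below is an added example, not code from the original post. It extends the one-liner above into a full inventory: it reads the mailbox-level forwarding properties together with the fields that matter (destination, whether a copy stays in the mailbox), walks every user and shared mailbox for inbox rules that forward or redirect, marks destinations outside your accepted domains as external, and reports anything that is not on a documented allow list. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to read mailboxes and inbox rules; the $Approved table and the contoso.com addresses in it are placeholders you replace with your own documented forwards.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has already been run
# with a role that can read mailboxes and inbox rules. Inventories both places a forward can hide:
# mailbox-level ForwardingAddress / ForwardingSmtpAddress, and inbox rules that forward or redirect.

# Documented, intentional forwards: mailbox -> destination. Placeholder values (assumption).
$Approved = @{
    'reception@contoso.com' = 'frontdesk@contoso.com'
}

# Domains the tenant owns; a destination outside this list leaves the organisation.
$InternalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Get-DestinationAddress {
    param([string]$Entry)
    # Mailbox forwarding gives "smtp:user@example.com"; inbox rules give
    # '"Display Name" [SMTP:user@example.com]' (or [EX:/o=...] for internal recipients).
    if ($Entry -match '(?i)smtp:([^\]\s"]+)') { return $Matches[1].ToLower() }
    return $Entry
}

function Test-External {
    param([string]$Address)
    if ($Address -notmatch '@([^@\s\]"]+)$') { return $false }   # EX:/legacy DN form is internal
    return ($InternalDomains -notcontains $Matches[1].ToLower())
}

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Mailbox, [string]$Source, [string]$Destination, [bool]$KeepsCopy)
    $Findings.Add([pscustomobject]@{
        Mailbox     = $Mailbox
        Source      = $Source
        Destination = $Destination
        External    = Test-External $Destination
        KeepsCopy   = $KeepsCopy        # $false means the owner never sees the message at all
        Approved    = ($Approved[$Mailbox] -eq $Destination)
    })
}

# 1. Mailbox-level forwarding: the same filter as the command above, with the useful fields pulled out.
$filter = '(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))'
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter $filter) {
    $owner = ([string]$mbx.PrimarySmtpAddress).ToLower()
    if ($mbx.ForwardingSmtpAddress) {
        Add-Finding $owner 'ForwardingSmtpAddress' (Get-DestinationAddress $mbx.ForwardingSmtpAddress) $mbx.DeliverToMailboxAndForward
    }
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress is an internal recipient, but a mail contact can still point outside the tenant.
        $target = (Get-Recipient $mbx.ForwardingAddress -ErrorAction SilentlyContinue).PrimarySmtpAddress
        if (-not $target) { $target = [string]$mbx.ForwardingAddress }
        Add-Finding $owner 'ForwardingAddress' ([string]$target).ToLower() $mbx.DeliverToMailboxAndForward
    }
}

# 2. Inbox rules: created from Outlook/OWA by the user (or by whoever holds the user's password),
#    and invisible to the Get-Mailbox check above.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    $owner = ([string]$mbx.PrimarySmtpAddress).ToLower()
    $rules = Get-InboxRule -Mailbox $owner |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        foreach ($entry in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
            if (-not $entry) { continue }
            # A rule that also deletes the message is the classic "hide the evidence" pattern.
            Add-Finding $owner "InboxRule:$($rule.Name)" (Get-DestinationAddress ([string]$entry)) (-not $rule.DeleteMessage)
        }
    }
}

# Report everything that is not documented, external destinations first, and keep a CSV as the
# baseline to diff against on the next run.
$Findings | Where-Object { -not $_.Approved } |
    Sort-Object @{ Expression = 'External'; Descending = $true }, Mailbox |
    Format-Table -AutoSize
$Findings | Export-Csv -NoTypeInformation -Path ".\forwarding-inventory-$(Get-Date -Format yyyyMMdd).csv"
```

The inbox-rule loop calls Get-InboxRule once per mailbox, so on a large tenant it takes a while; run it on a schedule rather than ad hoc, and treat a row with External = True, KeepsCopy = False and no Approved entry as an incident to investigate, not just a setting to clean up.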

Disable forwarding

There are PowerShell commands that can be run to clear out ALL forwarding settings, but I have found it best to go through the Exchange Admin web portal and verify each mailbox's settings before removing anything. Log into the Office 365 admin portal and go into the Exchange Admin center. From there you can view both the administrator-enabled and the end-user-enabled forwarding settings. To view the administrative settings:

  • Click on “Recipients” -> Mailboxes / Shared -> double click the account in question -> select “Mailbox Features” -> under “Mail Flow”, “Delivery Options”, click the “View details” link

To view end-user settings:

  • Click on name/picture in top right corner of page -> click “Another user…” -> select the user from the list -> click “Connected accounts”

(Screenshot: Adding connected accounts)

Protect against this attack

To harden your tenant so only Administrators can enable forwarding:

  • Click on “Mail Flow” -> “Remote Domains” -> double click “Default” -> under “Automatic Replies” uncheck “Allow Automatic Forwarding”. This blocks automatic forwarding to domains outside the tenant (forwarding to internal mailboxes is unaffected), and it applies to both mailbox-level forwarding and inbox rules.
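The same change from Exchange Online PowerShell, as an added example that is not part of the original post: the weak setting beside the hardened one, followed by a verification pass over every remote domain, since a remote domain added after “Default” carries its own AutoForwardEnabled value. It assumes an Exchange Online PowerShell session with the Organization Management role. The last command targets the outbound spam filter policy, which newer tenants use as the primary switch for automatic forwarding; it is included as the current equivalent of the checkbox above and should be verified against your tenant.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has been run with
# Organization Management rights.

# Before: the weak state. True on "Default" means any mailbox or inbox rule may auto-forward
# to an external address.
Get-RemoteDomain | Select-Object DomainName, AutoForwardEnabled

# After: the hardened state. This is the "Allow automatic forwarding" checkbox on the Default
# remote domain in the Exchange Admin center.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Newer tenants gate automatic forwarding in the outbound spam filter policy as well; "Off"
# blocks it regardless of remote-domain settings. Verify the parameter in your tenant first.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Verify: every remote domain, not only Default, should now report False.
$gaps = Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled }
if ($gaps) {
    Write-Warning 'Automatic forwarding is still allowed on these remote domains:'
    $gaps | Select-Object DomainName, AutoForwardEnabled | Format-Table -AutoSize
} else {
    'Automatic forwarding is disabled on every remote domain.'
}
```

After this change an existing inbox rule that forwards externally does not disappear; the forwarded message is simply dropped with a non-delivery report to the rule's owner. Cleaning up the rules found in the inventory step above is still necessary, because a rule that also deletes the message keeps hiding mail from the owner even though nothing leaves the tenant.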

In some scenarios you may need to leave end-user forwarding (Automatic Forwarding) enabled, so it is a good idea to enable an administrative alert for each time a forwarding or redirect rule is created.

  • From the O365 Admin center open the “Security & Compliance” admin center -> click “Alerts” in the side blade -> click on “Alert Policies”

If the “Creation of forwarding/redirect rule” policy isn’t enabled/displayed, then click “+ New Alert Policy” to create it

  • Provide a friendly name
  • Set Severity to “Medium” or “High”
  • Set Category to “Threat Management”
  • Click the “Next” button

  • Set “Activity is” to “Created mail forward/redirect rule”
  • Leave “Every time an activity matches the rule” enabled
  • Click the “Next” button
(Screenshot: Create a new alert)

  • Enter the list of users in “Email recipients” (generally recommended to send to a distribution list for easier administration of notifications)
  • Click “Next”
  • Review your settings and click “Finish”

The above actions are the first steps in securing your Office 365 environment. In our next O365 post, we’ll walk through the steps to enable Multi-factor authentication. If you need help implementing these steps or have questions specific to your Office 365 environment, contact us today to schedule a free consultation.