rules/findings/m365/exchange_online/mail_flow/ms-exo-mail-forwarding-blocked-and-disabled.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Exchange Online", "serviceName": "Microsoft 365", "displayName": "Ensure all forms of mail forwarding are blocked and/or disabled", "description": "\r\n\t\tExchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels: \r\n\t\t* Outlook forwarding using inbox rules. \r\n\t\t* Outlook forwarding configured using OOF rule. \r\n\t\t* OWA forwarding setting (ForwardingSmtpAddress). \r\n\t\t* Forwarding set by the admin using EAC (ForwardingAddress). \r\n\t\t* Forwarding using Power Automate / Flow. \r\n\r\n\t\tEnsure a Transport rule and Anti-spam outbound policy are used to block mail forwarding. \r\n\t\t**NOTE** : Any exclusions should be implemented based on organizational policy.\r\n ", "rationale": "Attackers often create these rules to exfiltrate data from your tenancy, this could be accomplished via access to an end-user account or otherwise. An insider could also use one of these methods as a secondary channel to exfiltrate sensitive data.", "impact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", "remediation": { "text": null, "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019", "https://techcommunity.microsoft.com/blog/exchange/all-you-need-to-know-about-automatic-email-forwarding-in-exchange-online/2074888", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.0.1", "reference": "6.2.1", "profile": [ "E3 Level 1", "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "", "subPath": null, "selectCondition": { }, "query": [ ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure all forms of mail forwarding are blocked and/or disabled", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "m365_exo_mail_forwarding_enabled", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "microsoft365_2127" } |