Automatic email forwarding is very risky. First, it can lead to the exfiltration of sensitive internal information outside the corporate environment. Second, it can lead to account compromise, for example through a password reset whose code arrives at an external address that may be under the control of an attacker.
![How to block automatic email forwarding in Office 365](https://www.cswrld.com/wp-content/uploads/2024/10/20241026-How-to-block-automatic-email-forwarding-in-Office-365-EN.jpg)
Why email forwarding is risky
Imagine, for example, a situation where an employee sets up mail forwarding to their private email. At first glance this may seem relatively innocent; companies often say “so what”. But the company mailbox receives a lot of internal information about the company’s operations, such as financial results, planning, customer communications, project information, etc., not to mention sensitive information that definitely shouldn’t get out to the public.
When an employee sets up forwarding to a private email, the company loses all control over those emails. Suddenly, copies of all messages sit in that employee’s private inbox, over which the company has no control. No one even knows how well that private account is protected: does it have a strong password, is multi-factor authentication enabled, where is that account logged in, who has access to it, etc. And what happens when, for example, the employee leaves the company but all company emails remain in their private inbox?
For the above reasons, it should be clear that external forwarding should always be blocked.
How to block automatic external email forwarding in Office 365
External automatic forwarding of emails can be blocked in Office 365 in several ways.
The basic option is to block forwarding directly at the mail server (Exchange Online) level, so that messages are not forwarded automatically outside the organization’s environment. Manual forwarding, of course, is still possible.
Go to the Microsoft Defender XDR portal and open Email & collaboration – Policies & rules – Threat policies – Anti-spam. Click on Outbound anti-spam policy and then click on Edit protection settings. In the Automatic forwarding rules drop-down menu, select Off – Forwarding is disabled.
![Create new anti-spam policy](https://i0.wp.com/www.cswrld.com/wp-content/uploads/2024/10/how-to-block-email-forwarding-office365-1.jpg?ssl=1)
![Create new outbound anti-spam policy](https://i0.wp.com/www.cswrld.com/wp-content/uploads/2024/10/how-to-block-email-forwarding-office365-2.jpg?ssl=1)
![Edit protection settings](https://i0.wp.com/www.cswrld.com/wp-content/uploads/2024/10/how-to-block-email-forwarding-office365-3.jpg?ssl=1)
![Disable forwarding](https://i0.wp.com/www.cswrld.com/wp-content/uploads/2024/10/how-to-block-email-forwarding-office365-4.jpg?ssl=1)
This setting causes automatic email forwarding to be blocked at the Office 365 (Exchange Online) level. The user can still set up automatic forwarding, but the forwarded messages will be blocked and a non-delivery report (NDR) will be returned to the sender stating that forwarding is blocked (“Your organization does not allow external forwarding.”).
How to disable user settings for automatic email forwarding in Office 365
The second way to prevent automatic email forwarding in Office 365 is to prevent users from enabling auto-forwarding at all. Ideally, both options are combined: automatic email forwarding is blocked by the policy above, and users are also prevented from setting up forwarding themselves.
Disabling the ability of end users to set up email forwarding is handled by changing their permissions using PowerShell. If you don’t already have the Exchange Online PowerShell module installed, install it first:

```powershell
Install-Module -Name ExchangeOnlineManagement
```

You can now connect to Exchange Online PowerShell:

```powershell
Connect-ExchangeOnline
```

Now we need to edit permissions by duplicating the default role and removing the permissions that allow automatic email forwarding to be configured. First we duplicate the existing role:

```powershell
New-ManagementRole DisableForwarding -Parent MyBaseOptions
```

Next we remove the permissions to set up automatic email forwarding from the new role:

```powershell
Set-ManagementRoleEntry DisableForwarding\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress
```
Now we will go to the Exchange Admin Center and open Roles – User roles – Default Role Assignment Policy.
![Default Role Assignment Policy](https://i0.wp.com/www.cswrld.com/wp-content/uploads/2024/10/how-to-block-email-forwarding-office365-5.jpg?ssl=1)
Click on the Manage permissions link.
![Change permissions for users](https://i0.wp.com/www.cswrld.com/wp-content/uploads/2024/10/how-to-block-email-forwarding-office365-6.jpg?ssl=1)
In the new window, untick the checkbox for MyBaseOptions and tick the checkbox for DisableForwarding.
![Change permissions for users](https://i0.wp.com/www.cswrld.com/wp-content/uploads/2024/10/how-to-block-email-forwarding-office365-7.jpg?ssl=1)
Users are now unable to configure automatic email forwarding from OWA.
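The two procedures above (the outbound anti-spam policy and the restricted user role) can also be applied and verified from Exchange Online PowerShell in one pass. The script below is an added example, not code from the original post; it assumes `Connect-ExchangeOnline` has already been run with an account holding the Organization Management role, and it reuses the role name `DisableForwarding` and the policy name `Default Role Assignment Policy` from the post. The final audit step is there because removing the permission does not undo forwarding that users configured before the change.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline
# has already been run; role and policy names are the ones used in the post.

# 1. Tenant level: set every outbound anti-spam policy to block automatic
#    external forwarding (the same setting as "Off - Forwarding is disabled").
Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
    Set-HostedOutboundSpamFilterPolicy -Identity $_.Identity -AutoForwardingMode Off
}

# 2. User level: clone MyBaseOptions and strip the forwarding parameters
#    from its Set-Mailbox entry (idempotent: skip the clone if it exists).
if (-not (Get-ManagementRole -Identity DisableForwarding -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name DisableForwarding -Parent MyBaseOptions | Out-Null
}
$fwdParams = 'DeliverToMailboxAndForward', 'ForwardingAddress', 'ForwardingSmtpAddress'
Set-ManagementRoleEntry 'DisableForwarding\Set-Mailbox' -RemoveParameter -Parameters $fwdParams

# 3. Swap the role in the default assignment policy (PowerShell equivalent
#    of unticking MyBaseOptions and ticking DisableForwarding in the EAC).
$policy = 'Default Role Assignment Policy'
Get-ManagementRoleAssignment -Role MyBaseOptions -RoleAssignee $policy |
    Remove-ManagementRoleAssignment -Confirm:$false
New-ManagementRoleAssignment -Role DisableForwarding -Policy $policy | Out-Null

# 4. Verify: none of the forwarding parameters may remain on the new entry.
$entry  = Get-ManagementRoleEntry 'DisableForwarding\Set-Mailbox'
$leaked = $entry.Parameters | Where-Object { $_ -in $fwdParams }
if ($leaked) { throw "Forwarding parameters still present: $($leaked -join ', ')" }
Get-HostedOutboundSpamFilterPolicy | Select-Object Identity, AutoForwardingMode

# 5. Audit: list mailbox-level forwarding and inbox rules that already
#    forward or redirect mail, so they can be reviewed and cleaned up.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$mailboxes | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Step 5 can take a while in a large tenant because `Get-InboxRule` is called once per mailbox; run it separately if you only need the audit.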