Forwarding Rules
Monitor and manage email forwarding configurations across your organization. Email forwarding can be configured at the mailbox level, through Inbox rules, or via transport rules. Unauthorized forwarding is a common data exfiltration technique.
Warning: External email forwarding is a significant security risk. Attackers frequently configure forwarding to exfiltrate data from compromised accounts. Monitor and restrict forwarding as part of your security posture.
Forwarding Overview
| Forwarding Type | Configured By | Visibility |
|---|---|---|
| Mailbox Forwarding | Admin (SMTP forwarding) | Exchange admin center |
| Inbox Rules | User or attacker | Mailbox rule audit |
| Transport Rules | Admin (server-side) | Transport rule list |
| Power Automate | User | Flow management |
Mailbox-Level Forwarding
SMTP Forwarding
Configured in mailbox properties by administrators:
- ForwardingAddress — Forward to internal recipient
- ForwardingSmtpAddress — Forward to external address
- DeliverToMailboxAndForward — Keep copy in mailbox and forward
Forwarding Audit
Review all mailboxes with forwarding configured:
- Identify mailboxes forwarding to external addresses
- Flag recently configured forwarding on sensitive accounts
- Detect forwarding set during suspicious sign-in sessions
Inbox Rule Forwarding
Users can create Inbox rules that forward or redirect messages:
- Forward — Send copy to another address (original stays in mailbox)
- Redirect — Route message to another address (original not delivered)
Security Monitoring
Watch for suspicious Inbox rule forwarding:
- Rules forwarding all messages to external domains
- Rules created by non-interactive sign-ins
- Rules targeting specific keywords (invoice, payment, wire)
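The mailbox forwarding audit and the Inbox rule checks above can be combined in one pass. The following is an added example, not code from this product: it assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline, treats any SMTP target outside the tenant's accepted domains as external, and uses the keyword list from this page. It does not cover correlation with non-interactive sign-ins.

```powershell
# Added example. Assumes an active session from Connect-ExchangeOnline.
$keywords = 'invoice', 'payment', 'wire'   # keywords named on this page
$accepted = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Test-ExternalTarget([string]$Target) {
    # Targets look like 'smtp:user@example.com' or '"Name" [SMTP:user@example.com]'.
    # Directory recipients shown as [EX:/o=...] carry no SMTP address and count as internal.
    if ($Target -match 'smtp:[^\]\s@]+@([^\]\s]+)') {
        return $Matches[1].ToLower() -notin $accepted
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level SMTP forwarding to an external address
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalTarget $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox   = $mbx.PrimarySmtpAddress; Source = 'Mailbox forwarding'
            Rule      = ''; Target = $mbx.ForwardingSmtpAddress
            KeepsCopy = $mbx.DeliverToMailboxAndForward; Keywords = ''
        }
    }
    # Inbox rules (hidden ones included) that forward or redirect externally
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -IncludeHidden) {
        $external = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ -and (Test-ExternalTarget $_) }
        if (-not $external) { continue }
        # Condition words the rule matches on, compared against the keyword list
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                 @($rule.SubjectOrBodyContainsWords)
        [pscustomobject]@{
            Mailbox   = $mbx.PrimarySmtpAddress; Source = 'Inbox rule'
            Rule      = $rule.Name; Target = $external -join '; '
            KeepsCopy = -not $rule.RedirectTo   # Redirect leaves no copy in the mailbox
            Keywords  = ($keywords | Where-Object { $words -match $_ }) -join ', '
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Saving each run's output and comparing it with the previous run surfaces newly configured forwarding on the accounts you care about.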
Controlling External Forwarding
Outbound Spam Policy
Configure the outbound spam filter policy to control automatic forwarding:
- Automatic - System controlled — Microsoft manages forwarding based on risk
- On — Allow all external forwarding (not recommended)
- Off — Block all automatic forwarding to external recipients
Transport Rules
Create transport rules to block or audit forwarding:
- Block auto-forwarded messages to external recipients
- Require approval for forwarding to specific domains
- Notify administrators when forwarding is detected
Best Practices
- Block external forwarding by default — Use outbound spam policy to disable auto-forwarding.
- Audit forwarding regularly — Review all mailbox forwarding configurations weekly.
- Alert on new forwarding — Set up alerts for new forwarding rules on executive accounts.
- Educate users — Train users about the risks of forwarding to personal email accounts.
API Reference
GET /api/exchange/forwarding-rules
List all forwarding configurations
GET /api/exchange/forwarding-rules/external
List external forwarding only
DELETE /api/exchange/forwarding-rules/:mailboxId
Remove forwarding from mailbox
GET /api/exchange/forwarding-rules/audit
Get forwarding change audit log