Outlook and Office365 offer the ability to automatically forward certain emails to another address. It becomes potentially dangerous when that forwarding is done to an external email address.
Protection against BEC and CEO Fraud
Attackers who employ Business Email Compromise (BEC) or CEO fraud are notorious abusers of automatic forwarding rules. They gain access to the mailbox of one employee and then forward all the email from that one employee to themselves. They then wait for a financially oriented email to come through, such as a payment instruction. From that, they deduce who gives the instruction to whom and with what language and email templates. They then use that information to send a misleading variant of that email with the aim of having money transferred to themselves.
Therefore, automatically forwarding emails outside the organization should be restricted and only allowed as an exception.
Auto-forwarding in Office365
Microsoft has built the ability to block automatically forwarded email into more than one place: the remote domain settings in Exchange Online and the Outbound Spam Filter, which is part of the Security Center. One of these places has to be chosen, and the exceptions to the rule must be configured in that same place. For such an exception to work, the other place must no longer interfere with those emails.
At Attic, we have chosen to use the Security Center for this function. There, auto forwarding is blocked as a default, and exceptions are defined there. Exchange Online leaves those exempted auto-forwards alone. The reasoning behind this is that the Security Center offers better oversight in terms of reporting and fine-tuning for these rules. And it is generally the place where many more security matters need to be configured and where Microsoft is further developing.
Checks & Fixes
Since auto-forwarding can be configured in more than one place in Office365, Attic verifies these settings with several checks. The following checks apply:
- CHK-1036 - Remote domains automatic forwarding allowed. This is the setting within Exchange Online where automatic forwarding can be blocked, but which we do not use. The check therefore verifies whether blocking here is OFF.
- CHK-1049 - Outbound Spam Filter. The outbound spam filter is used to block automatic forwarding. Blocking is the default setting, and an exception rule is active ("[ZOLDER] auto forward policy"). That policy allows autoforwarding, and users can be added to it.
A Fix is available for these checks, and we will offer it through Attic depending on which checks have generated an alarm.
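The two settings these checks look at can also be read directly with Exchange Online PowerShell. The script below is an added example, not Attic's own check code; it assumes the ExchangeOnlineManagement module is installed and a session has already been opened with Connect-ExchangeOnline, and it goes one step further than the two checks by also listing mailboxes that currently have forwarding configured.

```powershell
# Added example (not Attic's code): audit the places where Office365 controls
# auto-forwarding, mirroring CHK-1036 and CHK-1049, then list active forwards.
# Assumes: ExchangeOnlineManagement module installed, Connect-ExchangeOnline done.

# CHK-1036: remote domain setting in Exchange Online. In the design described
# above, blocking here is expected to be OFF, i.e. AutoForwardEnabled = $true,
# so that Exchange does not interfere with the Security Center exceptions.
foreach ($rd in Get-RemoteDomain) {
    $state = if ($rd.AutoForwardEnabled) { 'OFF (as expected)' } else { 'ON (unexpected)' }
    Write-Output ("CHK-1036 remote domain '{0}': auto-forward blocking is {1}" -f $rd.Name, $state)
}

# CHK-1049: outbound spam filter policies. The default policy should block
# automatic forwarding (AutoForwardingMode 'Off'); the exception policy allows it ('On').
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    Write-Output ("CHK-1049 policy '{0}': AutoForwardingMode = {1}" -f $p.Name, $p.AutoForwardingMode)
}

# The exception rule named in the article; its SentTo members are the users
# effectively allowed to forward externally. The rule name is taken from the text.
$exceptionRuleName = '[ZOLDER] auto forward policy'
$rule = Get-HostedOutboundSpamFilterRule | Where-Object { $_.Name -eq $exceptionRuleName }
if ($null -eq $rule) {
    Write-Warning "Exception rule '$exceptionRuleName' not found: nobody can auto-forward externally."
} elseif ($rule.State -ne 'Enabled') {
    Write-Warning "Exception rule '$exceptionRuleName' exists but is disabled."
} else {
    Write-Output ("Allowed to auto-forward: " + ($rule.SentTo -join ', '))
}

# Beyond the two checks: which mailboxes have a mailbox-level forward set right now?
# Anything here that is not in the exception rule deserves a closer look.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```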
Exceptions
Users for whom autoforwarding should be allowed can be specified with their email address in the configuration option "autoforwardwhitelist" in Attic.