Dump Your Users’ Email Forwarding Recipients from Office 365

Office 365 organizations may unknowingly be forwarding email to external recipients. This leaves them open to a wide variety of threats and security vulnerabilities. In this blog post, we’ll take a look at one specific threat category, email forwarding rules, and how to audit them.

Users may be using email forwarding rules to send data outside of your organization. Forwarded mail can contain sensitive information, including attachments, that should not leave your control.

Let’s take a look at how you can audit the use of forwarding rules. You will need to be familiar with PowerShell and have the appropriate permissions on your Office 365 tenant to execute the following code snippets.

First, you will need to have the ExchangeOnlineManagement module available in PowerShell. You can install it by issuing the following command from a PowerShell prompt:

Next, you need to authenticate to your O365 tenant, replacing “yourname@company.com” with your user principal name:

The following command will produce a CSV file called forwarders.csv in your current working directory. It will contain the following information:

  • DisplayName
  • UserPrincipalName (email address)
  • Address which is receiving the forwarded email
  • If the mail is delivered to the mailbox then forwarded (True / False)

NOTE: The number of users in your O365 tenant will determine how long it takes to produce this report. If you remove the “-ResultSize Unlimited” parameter in the code below, only the first 1000 results will be generated.
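
The three steps above (install the module, sign in, export the report) as one PowerShell script. This is an added example, not the original post's commands; the column names ForwardingTarget and External, and the use of Get-AcceptedDomain to flag recipients outside the tenant's own domains, are assumptions of this example.

```powershell
# Added example, not the original post's commands.
# One-time setup: install the Exchange Online module for the current user.
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

# Sign in; replace the placeholder with your own user principal name.
Connect-ExchangeOnline -UserPrincipalName yourname@company.com

# Domains the tenant accepts mail for, used to flag external recipients.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        # ForwardingSmtpAddress is stored as "smtp:user@domain";
        # ForwardingAddress names a recipient object inside the tenant.
        $target = if ($_.ForwardingSmtpAddress) {
            $_.ForwardingSmtpAddress -replace '^smtp:', ''
        } else {
            "$($_.ForwardingAddress)"
        }
        # Pull the domain part, if the target is an SMTP address.
        $domain = if ($target -match '@(.+)$') { $Matches[1] } else { $null }

        [pscustomobject]@{
            DisplayName                = $_.DisplayName
            UserPrincipalName          = $_.UserPrincipalName
            ForwardingTarget           = $target   # assumed column name
            DeliverToMailboxAndForward = $_.DeliverToMailboxAndForward
            # Assumed extra column: True when the target domain is not
            # one of the tenant's accepted domains.
            External                   = [bool]($domain -and ($internalDomains -notcontains $domain))
        }
    } |
    Export-Csv -Path .\forwarders.csv -NoTypeInformation
```

This reports mailbox-level forwarding only; inbox rules that users create in their mail client are a separate setting and are not included in this output.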

Time for the Audit

You can then open the forwarders.csv file for analysis using your favorite spreadsheet software. I use Microsoft Excel. Things that may be interesting to you include:

  • Users forwarding mail to an address outside of your organization
    • This can be the start of a data breach, especially if sensitive or regulated information was sent externally without encryption.
  • Users forwarding email to others in the organization
    • An innocent reason for this could be someone has left the organization or they are on vacation and someone is monitoring their mail for them.
  • A collection of users (or all of your users) forwarding mail to the same email address outside of the organization
    • NOTE: This is usually indicative of an attack.
  • Email that is forwarded without it being retained in the inbox.

Tips

I used MS Excel to slice and dice the CSV file. You can highlight the column that contains the email addresses of the recipient and apply a conditional formatting rule as displayed below:

In the text field, enter your organization’s domain preceded by the “@” sign. In the above example I used “@company.com”.

Conclusion

In conclusion, email forwarding rules can cause a security incident. It is important to keep tabs on what email is being sent automatically outside of your organization. Policies, perhaps your Acceptable Use Policy, and technical controls (data loss prevention, configuration changes to your email service, etc.) can help mitigate the risk.
