Office 365 ATP: External email forwarding controls and policy change
Automated external email forwarding is a tactic attackers use to exfiltrate data out of an organization. To counter that, Microsoft is updating their anti-spam policies.
- First, they are providing a control to easily enable automatic external forwarding for select people in your organization.
- Second, they will change the “Automatic” setting to block automatic external forwarding. Internal automatic forwarding of messages will not be impacted by this change.
- Timing: rolling out at the end of July
- Roll-out: tenant level
- Control type: admin control
- Action: review and assess by August 28, 2020
How this will affect your organization
In this initial release, Microsoft will provide updated controls for administrators to configure their outbound anti-spam policies via PowerShell and the Security and Compliance Center console. The actions will not be enforced yet, so administrators have an opportunity to configure the settings first.
You will be able to determine who is allowed to automatically forward email outside of the organization using inbox rules or SMTP forwarding.
There is no impact on external forwarding in this update. However, automatic forwarding will be disabled based on the policy in a future update currently planned for September 1, 2020. Once the policy takes effect, messages that are being automatically forwarded outside the organization will be blocked and a non-delivery report (NDR) will be sent to the user.
What you need to do to prepare
To prepare for the changes, it is recommended that all administrators do the following by August 28, 2020.
- Use the Auto-forwarded messages report to identify which users in your tenant are automatically forwarding messages outside the organization. Focus on users with either SMTP forwarding or Inbox rules. Exchange transport rules (ETRs) are unaffected by this change.
- Configure the outbound spam policies to allow automatic external forwarding for either your entire organization or specific users.
NOTE: No action is needed if you don’t want to allow any users to automatically forward messages externally or if no one in your tenant is currently doing so.
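The two preparation steps can also be done from Exchange Online PowerShell. The script below is an added example, not Microsoft's own code: it assumes a session already opened with Connect-ExchangeOnline, and the policy name and approved addresses are placeholders.

```powershell
# Added example. Assumes a connected session (Connect-ExchangeOnline).
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress([string]$Address) {
    # "smtp:user@domain" or "user@domain": compare the domain to accepted domains
    $bare   = $Address -replace '^smtp:', ''
    $domain = ($bare -split '@')[-1].Trim()
    return $internalDomains -notcontains $domain
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = [string]$mbx.PrimarySmtpAddress

    # 1. SMTP forwarding configured on the mailbox itself
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $id; Type = 'SMTP forwarding'; Rule = $null
                           Target = $mbx.ForwardingSmtpAddress }
    }

    # 2. Inbox rules that forward or redirect. Only targets stored as SMTP
    #    addresses are checked; directory (EX:) recipients are skipped here.
    foreach ($rule in Get-InboxRule -Mailbox $id) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -match 'SMTP:([^\]\s]+)' -and (Test-ExternalAddress $Matches[1])) {
                [pscustomobject]@{ Mailbox = $id; Type = 'Inbox rule'; Rule = $rule.Name
                                   Target = $Matches[1] }
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Allow external auto-forwarding only for reviewed users (placeholder values).
$policyName = 'Allow external auto-forward (approved users)'
$approved   = 'user1@contoso.example', 'user2@contoso.example'
New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name $policyName `
    -HostedOutboundSpamFilterPolicy $policyName -From $approved

# Confirm which mode each outbound spam policy is in (Automatic, On or Off).
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
```

Review each finding before adding its mailbox to the approved list; an unexpected external target on an inbox rule is worth investigating rather than allowing.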
For more information, please see Configuring and controlling external email forwarding in Office 365.
Microsoft understands that some organizations already have users who automatically forward messages outside the organization, and they will provide additional time and communications to enable the transition to the new policy controls. For these organizations, they will communicate more details on when the change will impact your specific tenant.