Office 365 Messaging – Automatic Forwarding of Emails
Purpose
Outline the scenarios in which users can auto-forward email messages, and define the controls that maintain security compliance: managing the forwarding settings, inbox rules and transport rules that can otherwise circumvent our ability to audit and track messaging.
Scenarios
Users have the ability to enable "Automatic Forwarding" of all messages. There are two general methods that allow forwarding:
- OWA: enable Automatic Forwarding of all emails (with the option to keep a copy in the user's mailbox).
- Create and enable a rule that forwards all messages to another messaging service (i.e. Yahoo!, Gmail, etc.) after the message has arrived in the user's mailbox.
On the control side, destination domains can be managed with transport rules, either preventing the forwarding of *any* messages to those domains or blocking *ALL* auto-forwarded messages, with exceptions based on group membership.
(1) Outlook Web Access (OWA) Auto-Forward
OWA has a feature that forwards every message destined for a user's mailbox to another address without delivering it to the mail store where that user's mailbox lives, thereby bypassing the legal auditing and compliance tooling that operates on mailbox content. The user has the option (a check box) to keep a copy of each forwarded message in the mailbox, but it is off unless the user selects it.
This risk can be mitigated by creating and applying a policy that removes this feature from OWA, and then running a script that programmatically clears any destination addresses users have already configured (removing the option does not undo forwarding that is already in place).
EXAMPLE:
User John Doe has a mailbox and has configured OWA to automatically forward all of his mail to Gmail. He already has a device configured to organize and sort mail in Gmail and none configured to access messaging through O365 (OWA/Outlook/EWS/ActiveSync). The user may have a legitimate business reason to forward messages outside the company to other addresses (Partner Resources, Purchasing, etc.); however, because he has not selected the check box to keep a copy in his O365 mailbox, our tools have no way to audit and track messaging for this mailbox (beyond the configured destination address that all messages are being forwarded to).
To prevent this user from using the 'Auto Forward Email' feature of OWA, we have a policy that removes it as an option for OWA mailboxes.
(2) Creating and Using Rules to Auto-Forward
The Outlook desktop client and OWA can both create and enable "rules" that take effect after a message arrives WITHIN the user's mailbox. A user can create a rule that automatically forwards all messages to another location, but because of how rules work, the message is first delivered to the information store and only then forwarded to the destination set in the rule. A copy therefore remains where auditing and compliance tools can reach it.
EXAMPLE:
Jane Smith has a rule in her Outlook client that automatically forwards a copy of every message she receives to an external email address. Because of how rules work, all messaging information is retained within her mailbox, where it can be audited and tracked for compliance.
Rules are created per user and cannot be easily managed by policy or programmatically, which makes any control over rules in Outlook difficult/costly.
(3) Using Transport Rules
We can create transport rules that explicitly block delivery of ANY message to a destination domain (i.e. yahoo.com, google.com, aol.com, etc.), or that block delivery based on the type of message (in this case, Auto-Forwarded messages). A transport rule is applied while the message is in transit and can include a response message notifying the user of the policy that is blocking auto-forwarding.
EXAMPLE:
Create a transport rule that blocks all auto-forwarded messages (including those forwarded by the OWA setting, where by default the message is not delivered to the mailbox when Auto-Forwarding is enabled).
Create New Rule with conditions:
- The sender is located "Inside the organization"
- The recipient is located "Outside the organization"
- The message type is "Auto-Forward"
- Action: <define_action>
- Exception: The sender is a member of this group <define_exception_group>
Using this method, it is still advised to run the scripts that remove the ability to configure "Auto-Forwarding" through OWA and clear the attributes users have already configured. The transport rule then acts as a second layer ensuring auto-forwarded messages are managed.
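The rule above, expressed in Exchange Online PowerShell. This is an added example, not part of the original memo or a script from the Exchange team; the rule name, rejection text, exception group address and the use of the reject action for <define_action> are assumptions, and it expects an existing Exchange Online session.

```powershell
# Added example (not from the original memo): create the transport (mail flow) rule
# described above. Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline)
# with rights to manage transport rules. Values marked "assumed" are placeholders.

$rule = @{
    Name                    = "Block external auto-forwarding"        # assumed rule name
    FromScope               = "InOrganization"      # condition: sender is inside the organization
    SentToScope             = "NotInOrganization"   # condition: recipient is outside the organization
    MessageTypeMatches      = "AutoForward"         # condition: message type is "Auto-Forward"
    ExceptIfFromMemberOf    = "autoforward-exceptions@contoso.com"  # assumed exception group
    RejectMessageReasonText = "Automatic forwarding to external addresses is blocked by policy."  # action: reject with NDR text
    Mode                    = "Audit"               # start in Audit so nothing is blocked yet
    Priority                = 0                     # evaluate before other rules
}
New-TransportRule @rule

# Check: the rule exists with the conditions, exception and action we intended.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, Priority, FromScope, SentToScope,
                MessageTypeMatches, ExceptIfFromMemberOf, RejectMessageReasonText

# After reviewing what Audit mode would have caught (message trace / rule reports),
# switch the rule to Enforce so auto-forwarded messages are actually rejected.
Set-TransportRule -Identity $rule.Name -Mode Enforce
```

Starting in Audit mode is deliberate: it surfaces the users who are forwarding today (the same population the memo wants reported for exception review) before any mail is rejected, and the members of the exception group are already carved out when the rule is switched to Enforce.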
Recommendation:
We can move forward by implementing scenarios 1 and 3. Controlling client-side rules (#2) would be difficult and costly to implement.
Implementation:
Testaag sample:
1. Create a new Management Role which restricts the following Set-Mailbox parameters for end users:
   a. DeliverToMailboxAndForward
   b. ForwardingAddress
   c. ForwardingSmtpAddress
2. With these parameters removed from the role entry that users receive, the forwarding options are no longer available in OWA (and a user's own Set-Mailbox call that specifies them is rejected).
3. Assign the new custom Management Role in the Default Role Assignment Policy in place of MyBaseOptions.
PS > New-ManagementRole -Name "MyBaseOptions-noforward_TAAG" -Parent MyBaseOptions

Name                          RoleType
----                          --------
MyBaseOptions-noforward_TAAG  MyBaseOptions

PS > Set-ManagementRoleEntry mybaseoptions-noforward_taag\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress
End result:
PS > Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | FT Name,Role -AutoSize

Name                                                          Role
----                                                          ----
MyRetentionPolicies-Default Role Assignment Policy            MyRetentionPolicies
MyProfileInformation-Default Role Assignment Policy           MyProfileInformation
MyTextMessaging-Default Role Assignment Policy                MyTextMessaging
MyMailSubscriptions-Default Role Assignment Policy            MyMailSubscriptions
MyVoiceMail-Default Role Assignment Policy                    MyVoiceMail
MyContactInformation-Default Role Assignment Policy           MyContactInformation
MyTeamMailboxes-Default Role Assignment Policy                MyTeamMailboxes
My Marketplace Apps-Default Role Assignment Policy            My Marketplace Apps
MyDistributionGroups-Default Role Assignment Policy           MyDistributionGroups
MyDistributionGroupMembership-Default Role Assignment Policy  MyDistributionGroupMembership
My ReadWriteMailbox Apps-Default Role Assignment Policy       My ReadWriteMailbox Apps
My Custom Apps-Default Role Assignment Policy                 My Custom Apps
MyBaseOptions-noforward_TAAG-Default Role Assignment Policy   MyBaseOptions-noforward_TAAG
Note that the default MyBaseOptions role assignment is missing from the list entirely; the substitute "no forward" role is assigned in its place. Leaving the MyBaseOptions assignment alongside the new role would defeat the change, because a user's effective permissions are the union of all assigned roles and the forwarding parameters would still be granted through the parent.
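The complete procedure for steps 1 to 3, including the assignment swap that produces the listing above, followed by the clean-up script the memo calls for in scenario 1. This is an added example rather than the memo's own script; it assumes an Exchange Online PowerShell session with Organization Management rights, reuses the memo's role name, and the CSV path is an assumption.

```powershell
# Added example (not from the original memo): implement steps 1-3 end to end, verify
# the role entry, then report and clear forwarding that users already configured.
# Assumes an Exchange Online PowerShell session with rights to manage RBAC and mailboxes.

$roleName = "MyBaseOptions-noforward_TAAG"      # role name from the memo
$policy   = "Default Role Assignment Policy"

# Step 1: derive a custom role from MyBaseOptions and strip the three forwarding
# parameters from its Set-Mailbox entry.
New-ManagementRole -Name $roleName -Parent MyBaseOptions
Set-ManagementRoleEntry -Identity "$roleName\Set-Mailbox" -RemoveParameter `
    -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

# Step 3: assign the new role to the default policy first, then remove the parent
# assignment so users no longer inherit the forwarding parameters from MyBaseOptions.
New-ManagementRoleAssignment -Role $roleName -Policy $policy
Get-ManagementRoleAssignment -RoleAssignee $policy -Role MyBaseOptions |
    Remove-ManagementRoleAssignment -Confirm:$false

# Verify (step 2): the stripped entry must not list any of the three parameters,
# and the policy must carry the new role but not MyBaseOptions.
$blocked = "DeliverToMailboxAndForward", "ForwardingAddress", "ForwardingSmtpAddress"
$leaked  = (Get-ManagementRoleEntry -Identity "$roleName\Set-Mailbox").Parameters |
    Where-Object { $_ -in $blocked }
if ($leaked) { throw "Forwarding parameters still present on ${roleName}: $($leaked -join ', ')" }
Get-ManagementRoleAssignment -RoleAssignee $policy | Format-Table Name, Role -AutoSize

# Removing the option does not undo forwarding users already set up. Report the current
# state for the exception review, then clear it on every affected user mailbox.
$forwarders = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }

$forwarders |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Csv -Path .\autoforward-report.csv -NoTypeInformation   # assumed output path

foreach ($mbx in $forwarders) {
    Set-Mailbox -Identity $mbx.Identity `
        -ForwardingSmtpAddress $null `
        -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false
}
```

The order of the two assignment changes matters: adding the new assignment before removing MyBaseOptions avoids a window in which users have no base options at all. Run the report step and review the CSV against the exception group before the clearing loop, since the loop removes forwarding for every mailbox it finds, including any legitimate business cases.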
Exception scenarios:
Define an exception group, and report on auto-forward instances for its members.
Keep the Default Role Assignment Policy flat for everyone. Exception users can submit Service Requests to the Exchange team.