Thursday, July 6, 2017

Restricting Auto-Forwarding

Office 365 Messaging – Automatic Forwarding of Emails

This post outlines scenarios involving auto-forwarding of email messages and the controls available to maintain security compliance. It covers securing message traffic against transport and other rules that can circumvent the ability to audit and track messaging.

Users have the ability to enable "Automatic Forwarding" of all messages. There are two general methods that allow forwarding:
- OWA: enable Automatic Forwarding of all emails (with the option to keep a copy in the user's mailbox).
- Creating and enabling a rule that forwards all messages to another messaging application (i.e. Yahoo!, Gmail, etc.) after the message has arrived in the user's mailbox.
The available controls are managing destination domains with transport rules (preventing the forwarding of *any* messages to those domains), or blocking *ALL* auto-forwarded messages with exceptions based on group membership.

(1) Outlook Web Access (OWA) Auto-Forward
OWA has a feature that forwards all messages destined for a user's mailbox without delivering them to the mail store where that mailbox lives, thereby bypassing legal auditing and compliance. The user does have the option (a check box) to keep a copy of each forwarded message.
This risk can be mitigated by creating and applying a policy that removes this feature, and then running a script that programmatically removes any destination addresses already configured for each user.
User John Doe has a mailbox and has configured OWA to automatically forward all of his mail to Gmail. The user has a device already configured to organize and sort mail using Gmail and does not have one configured for accessing messaging through O365 (OWA/Outlook/EWS/ActiveSync). The user may have a legitimate business use for forwarding messages outside of the company to other addresses (Partner Resources, Purchasing, etc.); however, because this user does not have the checkbox selected to keep a copy in their O365 mailbox, there is no way for our tools to audit and track messaging information for this user's mailbox (except for the configured destination address that all messages are being forwarded to).
To prevent this user from using the ‘Auto Forward Email’ feature of OWA, we have a policy that removes that as an option for OWA mailboxes.

(2) Creating and Using Rules to Auto-Forward
The Outlook desktop client and OWA have the ability to create and enable "rules" which take effect after a message arrives within the user's mailbox. A user can create a rule that automatically forwards all messages to another location, but because of how rules work, the message is delivered to the information store first and then forwarded to the destination set in the rule. This allows auditing and compliance tools to be used.
Jane Smith has a rule in her Outlook client that automatically forwards a copy of every message she receives to an external email address. Because of how rules work, all messaging information is retained within the mailbox, where it can be audited and tracked for compliance.
Rules cannot be easily managed by policy or programmatically, making any controls to manage rules in Outlook difficult and costly.

(3) Using Transport Rules
We can create transport rules that explicitly prevent the delivery of ANY messages to a destination domain (i.e. …, etc.), or that block delivery based on the type of message (in this case, auto-forwarded messages). A transport rule is applied during transit and can include response messages notifying users of the policy that is blocking auto-forwarding.
Create a transport rule that blocks all auto-forwarded messages (configured through OWA, where by default the message does not get delivered to the mailbox when Auto-Forwarding is enabled).
Create a new rule with the following conditions:
- The sender is located "Inside the organization"
- The recipient is located "Outside the organization"
- The message type is "Auto-Forward"
- Action: <define_action>
- Exception: the sender is a member of this group <define_exception_group>
Even with this rule in place, it is advisable to still run the scripts that remove the ability to configure "Auto-Forwarding" through OWA and clear the attributes users have already configured. The transport rule then acts as a secondary layer ensuring auto-forwarded messages are managed.
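The rule described above, expressed as an Exchange Online PowerShell command (an added example, not code from the original post). The rule name, the exception group address and the rejection text are assumptions; replace them with your tenant's values.

```powershell
# Added example: builds the auto-forward blocking transport rule from the
# conditions listed above. Run in an Exchange Online PowerShell session
# with a role that can manage transport rules.

$ruleName       = "Block external auto-forward"               # assumed rule name
$exceptionGroup = "autoforward-exceptions@contoso.example"    # placeholder exception group
$rejectText     = "External auto-forwarding is blocked by company policy. " +
                  "Contact the Exchange team to request an exception."

# Splatting keeps each condition readable and lets us comment it.
$ruleParams = @{
    Name                            = $ruleName
    FromScope                       = "InOrganization"     # sender is inside the organization
    SentToScope                     = "NotInOrganization"  # recipient is outside the organization
    MessageTypeMatches              = "AutoForward"        # message type is Auto-Forward
    ExceptIfFromMemberOf            = $exceptionGroup      # exception: sender is in this group
    RejectMessageReasonText         = $rejectText          # action: reject and tell the sender why
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode                            = "Enforce"            # start with "Audit" to only log matches
    Priority                        = 0                    # evaluate before other rules
}

New-TransportRule @ruleParams

# Verify what was created; State should be Enabled and Mode as set above.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SentToScope,
                MessageTypeMatches, ExceptIfFromMemberOf, RejectMessageReasonText
```

Running the rule in Audit mode first lets matches show up in message trace without blocking anyone, which is a safe way to size the exception group before enforcing.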


We can move forward by implementing scenarios 1 and 3. Client-side rules (#2) would be difficult and costly to implement.


Disable Autoforward for Users

Testaag sample:
1. Create a new Management Role that removes the following Set-Mailbox parameters from end users:
   a. DeliverToMailboxAndForward
   b. ForwardingAddress
   c. ForwardingSmtpAddress
2. With these de-scoped from a user's Access Control Entry, they will no longer be available in OWA.
3. Make the new custom Management Role the default in the Default Role Assignment Policy.
PS > New-ManagementRole -Name "MyBaseOptions-noforward_TAAG" -Parent MyBaseOptions

Name                                                        RoleType
----                                                        --------
MyBaseOptions-noforward_TAAG                                MyBaseOptions

PS > Set-ManagementRoleEntry mybaseoptions-noforward_taag\Set-Mailbox -RemoveParameter -Parameters DelivertoMailboxandForward,ForwardingAddress,ForwardingSmtpAddress
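Step 3 (swapping the custom role into the default policy) and a check that step 1 actually took effect, as an added example rather than part of the original transcript. The role and policy names are the ones shown above; the assignment name follows the "Role-Policy" convention visible in the output below.

```powershell
# Added example: verify the de-scoped parameters and swap the role into the
# Default Role Assignment Policy. Exchange Online PowerShell, org management rights.

$role   = "MyBaseOptions-noforward_TAAG"
$policy = "Default Role Assignment Policy"
$forwardParams = "DeliverToMailboxAndForward", "ForwardingAddress", "ForwardingSmtpAddress"

# The custom role's Set-Mailbox entry must no longer expose the three
# forwarding parameters. Expect no output here; any name printed means
# Set-ManagementRoleEntry did not remove it.
Get-ManagementRoleEntry -Identity "$role\Set-Mailbox" |
    Select-Object -ExpandProperty Parameters |
    Where-Object { $forwardParams -contains $_ }

# Assign the custom role to the default policy first, then remove the stock
# MyBaseOptions assignment so users no longer inherit the parameters through it.
New-ManagementRoleAssignment -Role $role -Policy $policy
Remove-ManagementRoleAssignment -Identity "MyBaseOptions-$policy" -Confirm:$false

# The result should match the listing under "End result": MyBaseOptions absent,
# the no-forward role present.
Get-ManagementRoleAssignment -RoleAssignee $policy | Format-Table Name, Role -AutoSize
```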

End result:
PS > Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | FT Name,Role -AutoSize

Name                                                         Role
----                                                         ----
MyRetentionPolicies-Default Role Assignment Policy           MyRetentionPolicies
MyProfileInformation-Default Role Assignment Policy          MyProfileInformation
MyTextMessaging-Default Role Assignment Policy               MyTextMessaging
MyMailSubscriptions-Default Role Assignment Policy           MyMailSubscriptions
MyVoiceMail-Default Role Assignment Policy                   MyVoiceMail
MyContactInformation-Default Role Assignment Policy          MyContactInformation
MyTeamMailboxes-Default Role Assignment Policy               MyTeamMailboxes
My Marketplace Apps-Default Role Assignment Policy           My Marketplace Apps
MyDistributionGroups-Default Role Assignment Policy          MyDistributionGroups
MyDistributionGroupMembership-Default Role Assignment Policy MyDistributionGroupMembership
My ReadWriteMailbox Apps-Default Role Assignment Policy      My ReadWriteMailbox Apps
My Custom Apps-Default Role Assignment Policy                My Custom Apps
MyBaseOptions-noforward_TAAG-Default Role Assignment Policy  MyBaseOptions-noforward_TAAG

Note that the default MyBaseOptions role ACE is missing from the list entirely, and the substitute “no forward” policy is in its place.
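The role change only prevents new forwarding settings; the script referred to earlier must still clear what users have already configured. Below is an added example of that script (not the original author's). It reports every mailbox with a forwarding target, writes that report to a CSV (path is an assumption) as evidence, and clears the attributes; `-WhatIf` is left on so the first run changes nothing.

```powershell
# Added example: report and clear existing OWA forwarding attributes.
# Exchange Online PowerShell session with mailbox administration rights.

function Get-ForwardingMailbox {
    # Returns every user mailbox with either forwarding attribute populated.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress,
                      ForwardingAddress, DeliverToMailboxAndForward
}

function Clear-ForwardingMailbox {
    # Removes both forwarding targets and resets the "keep a copy" flag,
    # honouring -WhatIf / -Confirm through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] $Mailbox)

    if ($PSCmdlet.ShouldProcess($Mailbox.PrimarySmtpAddress, "Clear forwarding")) {
        Set-Mailbox -Identity $Mailbox.PrimarySmtpAddress `
                    -ForwardingSmtpAddress $null `
                    -ForwardingAddress $null `
                    -DeliverToMailboxAndForward $false
    }
}

$reportPath = ".\forwarding-before-cleanup.csv"   # assumed output location
$report     = @(Get-ForwardingMailbox)

if ($report.Count -eq 0) {
    Write-Host "No mailboxes with forwarding configured."
} else {
    # Preserve the destination addresses before removing them; this is the only
    # audit trail for mail that was forwarded without keeping a copy.
    $report | Export-Csv -Path $reportPath -NoTypeInformation
    Write-Host "$($report.Count) mailbox(es) recorded in $reportPath"

    # Remove -WhatIf once the report has been reviewed.
    $report | ForEach-Object { Clear-ForwardingMailbox -Mailbox $_ -WhatIf }
}
```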

Enable auditing of autoforward in Exchange Transport for compliance

Exception scenarios:

Define an exception group for reporting of autoforward instances.

Keep the Default Role Assignment Policy flat for everyone. Exception users can submit Service Requests to the Exchange team.