Categories
Email Security

How to Check/Disable External Email Forwarding Rules

What is an email forwarding rule and why should we care?

An email forwarding rule is a set of instructions that can be applied to incoming or outgoing emails. People commonly use these rules for ease of access or convenience. For example, a person may forward their work emails to a private email account for sync across multiple mailboxes.

Email forwarding rules are unique because they are a built-in functionality to make our lives easier, but it is important to remember that cyber criminals can exploit email forwarding rules to obfuscate detection, perform recon, exfiltrate data, and persist.

If you want more information, tips for detection, or mitigations, please refer to the MITRE code (T1114.003 – Email Forwarding Rule). If your company has not disabled the use of external forwarding rules entirely, there are easy ways to check for malicious or unauthorized forwarding rules. Also, if your company wants to disable external forwarding rules and has not done so, keep reading for guides on how to accomplish these tasks using a combination of Outlook and the Microsoft 365 Exchange Admin center.

According to the FBI’s 2021 Internet crime report, “In 2021, the IC3 received 19,954 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.” With BEC losses in the billions of dollars and the IOCs revolving around email account compromise, a simple check for forwarding rules could aid your team in the discovery and elimination of active BEC campaigns targeting your company. These methods of checking email forwarding take only minutes; however, these few minutes can provide your team with peace of mind. If you discover an external forwarding rule that you did not enable, your email account may be at risk. Please contact your IT department to verify if the rule is malicious.

How to Check Forwarding Rules in Outlook

If you have observed suspicious or unusual activity in your mailbox or recently clicked a suspicious link, you can check your mailbox for external forwarding rules using the following guide. This guide will use the Microsoft Outlook environment, so while the Graphical user interfaces may be different, the process should be similar for different email accounts. I will review two fast methods to check if you have email forwarding rules in place. The first method utilizes Outlook’s setting search bar, and the second method traverses Outlook settings options manually.

Method 1 – Outlook Search Bar:

1. Log into the Outlook Mailbox at: https://outlook.office.com.

2. Search for the “settings” cog in the upper-right portion of the screen if you are using Microsoft Outlook.

3. Enter the word “forwarding” into the “Seach Outlook settings” box.

4. Check to see if there is a check in the box titled “Enable forwarding.” If there is no check present, email forwarding has not been set up or is not active on the email account.

Method 2 – View All Outlook Settings:

1. Log into the Outlook Mailbox at: https://outlook.office.com.

2. click on “View all Outlook settings.”

3. Locate the Outlook “Mail” subsection “Forwarding.”

4. Check to see if there is a check in the box titled “Enable forwarding.” If there is no check present, email forwarding has not been set up or is not active on the email account.

How to disable external forwarding in the Microsoft 365 Admin Center

There are multiple ways to prevent unauthorized external forwarding rules, but this guide covers how to accomplish that through the Microsoft Exchange Center.

1. Log into https://www.office.com/ with an Admin enabled account.

2. Search for the “Admin” cog in the lower-left portion of the screen.

3. Locate the menu option “Show all” and expand its option.

4. Navigate to the “Admin Center” heading and click on the “Exchange” subheading.

5. Select the Exchange admin center menu option “New Exchange admin center.”

6. Select the “Mail flow” menu option from the “Recipients” header.

7. Select the “Remote domains” menu option from the “Mail flow” header.

8. Select the Remote domain that you would like to edit. Click “Edit reply types” under the Email reply types header.

9. Ensure that the “Allow automatic forwarding” box is unchecked in the “Automatic replies” header. Ensure to click “Save” at the bottom of the page to keep any changes that have been made.

We highly recommend continuous monitoring for this activity within your environment to help detect and stop potential Business Email Compromise incidents. We are already monitoring and alerting on suspicious external forwarding rules for our 24/7 SOC managed clients. If you are interested in our managed services, please reach out to us.