Email Security

How to Check/Disable External Email Forwarding Rules

What is an email forwarding rule and why should we care?

An email forwarding rule is a set of instructions that can be applied to incoming or outgoing emails. People commonly use these rules for ease of access or convenience. For example, a person may forward their work emails to a private email account for sync across multiple mailboxes.

Email forwarding rules are unique because they are a built-in functionality to make our lives easier, but it is important to remember that cyber criminals can exploit email forwarding rules to obfuscate detection, perform recon, exfiltrate data, and persist.

If you want more information, tips for detection, or mitigations, please refer to the MITRE code (T1114.003 – Email Forwarding Rule). If your company has not disabled the use of external forwarding rules entirely, there are easy ways to check for malicious or unauthorized forwarding rules. Also, if your company wants to disable external forwarding rules and has not done so, keep reading for guides on how to accomplish these tasks using a combination of Outlook and the Microsoft 365 Exchange Admin center.

According to the FBI’s 2021 Internet crime report, “In 2021, the IC3 received 19,954 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.” With BEC losses in the billions of dollars and the IOCs revolving around email account compromise, a simple check for forwarding rules could aid your team in the discovery and elimination of active BEC campaigns targeting your company. These methods of checking email forwarding take only minutes; however, these few minutes can provide your team with peace of mind. If you discover an external forwarding rule that you did not enable, your email account may be at risk. Please contact your IT department to verify if the rule is malicious.

How to Check Forwarding Rules in Outlook

If you have observed suspicious or unusual activity in your mailbox or recently clicked a suspicious link, you can check your mailbox for external forwarding rules using the following guide. This guide will use the Microsoft Outlook environment, so while the Graphical user interfaces may be different, the process should be similar for different email accounts. I will review two fast methods to check if you have email forwarding rules in place. The first method utilizes Outlook’s setting search bar, and the second method traverses Outlook settings options manually.

Method 1 – Outlook Search Bar:

1. Log into the Outlook Mailbox at:

2. Search for the “settings” cog in the upper-right portion of the screen if you are using Microsoft Outlook.

3. Enter the word “forwarding” into the “Seach Outlook settings” box.

4. Check to see if there is a check in the box titled “Enable forwarding.” If there is no check present, email forwarding has not been set up or is not active on the email account.

Method 2 – View All Outlook Settings:

1. Log into the Outlook Mailbox at:

2. click on “View all Outlook settings.”

3. Locate the Outlook “Mail” subsection “Forwarding.”

4. Check to see if there is a check in the box titled “Enable forwarding.” If there is no check present, email forwarding has not been set up or is not active on the email account.

How to disable external forwarding in the Microsoft 365 Admin Center

There are multiple ways to prevent unauthorized external forwarding rules, but this guide covers how to accomplish that through the Microsoft Exchange Center.

1. Log into with an Admin enabled account.

2. Search for the “Admin” cog in the lower-left portion of the screen.

3. Locate the menu option “Show all” and expand its option.

4. Navigate to the “Admin Center” heading and click on the “Exchange” subheading.

5. Select the Exchange admin center menu option “New Exchange admin center.”

6. Select the “Mail flow” menu option from the “Recipients” header.

7. Select the “Remote domains” menu option from the “Mail flow” header.

8. Select the Remote domain that you would like to edit. Click “Edit reply types” under the Email reply types header.

9. Ensure that the “Allow automatic forwarding” box is unchecked in the “Automatic replies” header. Ensure to click “Save” at the bottom of the page to keep any changes that have been made.

We highly recommend continuous monitoring for this activity within your environment to help detect and stop potential Business Email Compromise incidents. We are already monitoring and alerting on suspicious external forwarding rules for our 24/7 SOC managed clients. If you are interested in our managed services, please reach out to us.

Email Security

How to configure warning messages for Microsoft 365 emails from external senders

As a security precaution, it’s a good idea to remind your staff not to open attachments from unknown senders. One easy way to implement this in Microsoft 365 is by setting up a mail flow rule in the Exchange admin center. If you have ever set up a Disclaimer mail flow rule, the setup is almost identical. In this tutorial, we’ll cover how to setup your own warning message for all external email sent to users inside your organization.

Steps to Configure Attachment Security in Microsoft 365

1. Log in to your Microsoft 365 Admin account at:

2. On the lefthand side of the homepage, select the “Admin” app from your list of Apps:

3. On the resulting page, select “Exchange” under “Admin centers” located on the left-side menu

4. Again on the left menu, expand the dropdown menu for “Mail flow” and select “Rules”

5. On the resulting page, next hit the plus symbol under “Rules” and select “create a new rule…”


6. Fill out the “New Rule” popup window in the detailed steps 7-14:

7. Make the name, “Warning: Received from Scope Outside the Organization” or whatever best suits you or your organization’s naming convention

8. For *Apply this rule if…  Select “The sender is located…”, from the drop-down menu then choose “Outside the organization” from the resulting “select sender location” window:

9. For *Do the following… , select “Apply a disclaimer to the message…” , “append the disclaimer”.

10. Select “*Enter text…” and enter the below HTML into the “specify disclaimer text” pop-out window

[CAUTION:  This email originated from outside of the organization.  Do not click links or open attachments unless you recognize the sender and know the content is safe]

The warning will look like the following if entered correctly:

11. After entering the Text, you’ll need to specify the fallback action. (by clicking “*Select one…”). Choose Wrap, then “OK”.

12. For the “Priority level of this rule” set according to any other rules you have configured. If this is the only rule, you can set “Audit this rule with severity level to “High”.

13. For “Choose a mode for this rule” leave at the selected default “Enforce” in place.

14. Click Save.

That’s it! You should start seeing the warning on external emails within a few minutes.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. Keep up with the latest cybersecurity news here. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.