Microsoft is planning to put a stop to enterprise data theft via email forwarding by disabling Office 365’s email forwarding to external recipients by default.
The company also wants to add improved external email forwarding controls which will allow Office 365 admins to enable the feature only to select employees in their organizations.
“External forwarding of email is a tactic used by attackers to exfiltrate data out of an organization and controlling that process is difficult,” Microsoft explains on the new feature’s Microsoft 365 roadmap entry.
“With this new feature, we are adding support for more granular controls that allow the Office 365 administrators to easily enable external forwarding for the right people in the organization through the outbound spam policy.”
The new feature is planned to be generally available and start to roll out to all environments with an Office 365 Advanced Threat Protection (ATP) plans starting with the fourth quarter of 2020.
How to stop auto-forwarding for emails
Until external email forwarding will be disabled by default, Microsoft provides step by step instructions on how to stop it manually to prevent hackers from stealing proprietary information by exfiltrating it to outside email addresses under their control.
To do this, you will have to create a custom mail flow rule by following these steps:• Go to the Exchange admin center, select Exchange, mail flow, and on the rules tab, select the plus sign and choose to create a new rule.
• Select More options. Name your new rule.
• Then open the drop-down to apply this rule if, select the sender and then is external internal.
• Select Inside the organization, and then OK.
• Choose to add condition, open the drop-down, select The message properties, then include the message type.
• Open the select message type drop-down, choose Auto-forward, then OK.
• Open the Do the following drop-down, select Block the message, then reject the message and include an explanation.
• Enter the message text for your explanation, then select OK.
• Scroll to the bottom and select Save.
Once the rule has been created, attackers will no longer be able to enable auto-forwarding for that user’s mailbox.
A video tutorial for this entire procedure is also embedded below.
Increase your org’s security
Redmond also has a list of ten measures you can take to boost your organization’s data security for both Microsoft 365 Business Standard and Microsoft 365 Business Premium service plans.
The list of tasks you need to go through to increase the security of your organization:1. Set up multi-factor authentication (MFA) to prevent hackers from taking over accounts if they know the password.
2. Train your users to use strong passwords, protect their devices, and enable security features on Windows 10 and Mac PCs.
3. Use dedicated admin accounts.
4. Raise the level of protection against malware in mail (guidance on how to do that is available in this training video).
5. Protect against ransomware by blocking file extensions commonly used for ransomware using mail flow rules.
6. Stop auto-forwarding for email.
7. Use Office Message Encryption.
8. Protect your email from phishing attacks using an ATP anti-phishing policy.
9. Protect against malicious attachments and files with ATP safe attachment policies.
10. Protect against phishing attacks with ATP Safe Links.
Part of a broader push to secure Office 365
This new Office 365 ATP feature is part of a larger effort to make the cloud-based email filtering service secure by default as Microsoft also wants to include a new feature that will block email sender domains automatically if they fail DMARC authentication.
Redmond is also working on including automated malicious content blocking in Office 365 regardless of admin or user custom configurations unless manually overridden.
Once this new feature will be enabled, Office 365 will honor EOP/ATP malware analysis (detonation) verdicts to automatically block known malicious files and URLs.
In October 2019, Microsoft also enabled Authenticated Received Chain (ARC) for all hosted mailboxes to improve anti-spoofing detection. The ARC protocol supplements the DKIM and DMARC email authentication protocols as part of Internet Mail Handlers’ effort to combat email spoofing especially when dealing with forwarded messages.