Now that you have disabled O365 External Forwarding for your organization, it’s time to find out who is using it….
List Users Who Are O365 External Forwarding
You may want to give your users a heads-up that you will be disabling this feature. You can easily do this by connecting with the Exchange Online PowerShell module and using the Get-InboxRule cmdlet. This example shows you how to get this list for a batch of users:
#Connect to Exchange
Connect-ExchangeOnline
#Declare Variables
$CSVPathUPN = "Path_To_UserList_CSV"
$StatusPath = "Path_To_User_Rules_Output_CSV"
#Run Script
#Try import UPN CSV file (the CSV needs a column named UPNUser)
try {
    $UPNUsers = Import-Csv $CSVPathUPN -ErrorAction Stop
}
catch {
    #throw ends the script here, so no break is needed after it
    throw "Error importing CSV: $($_.Exception.Message)"
}
#Go Through Each User
foreach ($UPNUser in $UPNUsers) {
    #Go through each Rule and see if forwarding is set up
    $x = 0
    $user = $UPNUser.UPNUser
    $items = @(Get-InboxRule -Mailbox $user)
    $count = $items.Count
    while ($x -lt $count) {
        $rule = $items[$x].RuleIdentity
        $ruleWithQuotes = "{0}" -f $rule
        $rulename = $items[$x].Name
        $rulenamelength = $rulename.Length
        #"`r",$rulename
        #$("-" * $rulenamelength)
        #An entry containing "SMTP" is treated as an external forward
        $ForwardToObj = Get-InboxRule -Mailbox $user -Identity $ruleWithQuotes | Select-Object ForwardTo
        $Contain = $ForwardToObj.ForwardTo
        if ($Contain -like '*SMTP*') {
            $Contain
        } else {
            $Contain = "Not an External Forward or a Forward"
        }
        #The rule property is named ForwardAsAttachmentTo; selecting ForwardAsAttachment always returns nothing
        $ForwardAttachObj = Get-InboxRule -Mailbox $user -Identity $ruleWithQuotes | Select-Object ForwardAsAttachmentTo
        $Contain1 = $ForwardAttachObj.ForwardAsAttachmentTo
        if ($Contain1 -like '*SMTP*') {
            $Contain1
        } else {
            $Contain1 = "Not an External Forward or a Forward"
        }
        #One comma-separated line per rule: user, rule name, ForwardTo, ForwardAsAttachmentTo
        $Rules = $user + "," + $rulename + "," + $Contain + "," + $Contain1
        Write-Host $Rules
        Write-Output $Rules | Out-File $StatusPath -Append
        $x++
    }
}
Write-Host "All Rules Exported."
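The script above looks at the forward actions of inbox rules. The following is an added example, not part of the original post, that goes a step further: it also checks the RedirectTo rule action and the mailbox-level ForwardingSmtpAddress setting, and it decides what is external by comparing each address against the tenant's accepted domains. It assumes the same input CSV with a UPNUser column; the report path is a placeholder.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already run and the same
# input CSV as above (column UPNUser). $ReportPath is a placeholder.
$CSVPathUPN = "Path_To_UserList_CSV"
$ReportPath = "Path_To_Forwarding_Report_CSV"

# Domains the tenant owns; any other address domain is treated as external
[string[]]$InternalDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalAddress {
    param([object[]]$Recipients)
    $found = foreach ($recipient in $Recipients) {
        # Recipient strings embed the address, e.g. "Name" [SMTP:user@example.com]
        foreach ($m in [regex]::Matches([string]$recipient, '[\w.+-]+@[\w.-]+\.\w+')) {
            if ($InternalDomains -notcontains $m.Value.Split('@')[-1]) { $m.Value.ToLower() }
        }
    }
    # The display name can repeat the address, so return each address once
    if ($found) { $found | Select-Object -Unique }
}

$report = foreach ($row in Import-Csv $CSVPathUPN -ErrorAction Stop) {
    $user = $row.UPNUser

    # Mailbox-level forwarding is a mailbox property, so Get-InboxRule never shows it
    $mbx = Get-Mailbox -Identity $user
    foreach ($addr in Get-ExternalAddress $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            User = $user; Source = 'Mailbox'; Rule = ''; Enabled = $true
            Action = 'ForwardingSmtpAddress'; Target = $addr
        }
    }

    # Inbox rules: check all three actions that send mail onward
    foreach ($rule in Get-InboxRule -Mailbox $user) {
        foreach ($action in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($addr in Get-ExternalAddress $rule.$action) {
                [pscustomobject]@{
                    User = $user; Source = 'InboxRule'; Rule = $rule.Name; Enabled = $rule.Enabled
                    Action = $action; Target = $addr
                }
            }
        }
    }
}

# Export-Csv quotes each field, so rule names containing commas stay in one column
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($report).Count) external forwarding entries written to $ReportPath"
```

Disabled rules are listed too (Enabled = False), since a user can switch them back on at any time.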
Disable External Forwarding for the Organization
When you are done writing and deploying the script, you need to make sure the default Anti-Spam Outbound Rule is enabled. As a Global Admin, go to admin.microsoft.com. Then go to Security / Policies and Rules / Threat Policies / Anti-Spam Policies:
When you click on Anti-Spam Outbound Policy (Default), you will see a fly-out menu to your right. Click on “Edit Protection Settings” and make sure the Forwarding rules are set to off:
Save your settings and it is now turned off. Notify your list of users from step one and you are done. Going forward, if you prefer sending an NDR to the user when they either set up a rule or try to use it, you can set up a Transport Rule in Exchange admin instead.
Go to admin.exchange.com and navigate to Mail Flow / Rules. Set up a rule to block Auto-Forward to recipients outside the organization with an explanation:
This article explains it very well.
Your users may not like it, but it protects the organization from compromised email through phishing attacks and rogue employees.
Happy IT’ing
Dan