This is part of an ongoing series of Office 365 Best Practices which should be in place for every organization – big or small, business or charity.
E-mail hackers are very sneaky, and the good ones have no problem with biding their time. When an account is cracked by a malicious actor, it’s common for them to basically do nothing – except set up a small auto-forwarding rule that sends copies of all received mail to another account.
They do this to avoid attention – every interactive login to the cracked account poses the risk that the hacker might draw attention and lose access to the account when someone changes the password or disables it. With the forwarding rule, all they need to do is get in once, create the rule, then sit back and let the mail flow in without ever touching the cracked account again. They’ll bide their time and wait for something sensitive – like a customer invoice – then take their chance and strike, looking for a quick buck.
The solution to this is simple: We should block auto-forward rules to e-mail accounts outside the company. Yes, this will have the secondary impact of not letting legitimate users do this either. Two things: 1) Users shouldn’t typically do that anyway, as it’s a good way to leak sensitive info, and 2) if it’s really necessary for good business reasons, we can set up an exclusion to allow it. Auto-forwarding should be the exception, not the rule.
To set up an auto-forwarding block, follow this process:
1. Log into Portal.Office.com and access the Exchange Admin center.
2. Select Mail Flow, then Rules, then select Create a New Rule.
3. Select More Options, then name the rule. I suggest “Block External Auto-Forward”.
4. Pull the drop-down for Apply This Rule If, then select The Sender and select Is External/Internal – then select “Inside the Organization” in the small window that pops up.
5. Select Add Condition, pull the drop-down and select The Message Properties, then select Include the Message Type.
6. Pull the Select Message Type drop-down, select Auto-Forward, then select OK.
7. Pull the Do the Following drop-down, select Block the Message, then select Reject the Message and Include an Explanation.
8. Let’s create an explanation for the user when they try to do this. I suggest something like “Auto-forwarding outside the organization has been blocked per company policy. Please contact IT support with any questions or concerns regarding this policy.” Then select OK.
9. Select the Save button. Ta-daa! Your rule is in place and auto-forwarding is now blocked.
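The same rule can be created from PowerShell, which is handy when you manage more than one tenant or want the configuration in version control. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed and that you hold an Exchange administrator role. It mirrors steps 4 through 8 above, verifies the result, and then audits existing inbox rules and mailbox forwarding for external destinations, because the new transport rule stops future auto-forwards but does not remove a rule an attacker has already planted. The `SentToScope` condition and the commented-out `ExceptIfFrom` exception are additions beyond the GUI steps (the placeholder address is made up).

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an Exchange admin role.
Connect-ExchangeOnline

$ruleName   = 'Block External Auto-Forward'
$rejectText = 'Auto-forwarding outside the organization has been blocked per company policy. ' +
              'Please contact IT support with any questions or concerns regarding this policy.'

# Steps 4, 6 and 7: sender inside the organization, message type Auto-Forward,
# reject the message with an explanation. SentToScope is an addition to the post's
# steps that limits the rule to external recipients (the rule's stated purpose);
# remove that line to mirror the admin center steps exactly.
$params = @{
    Name                    = $ruleName
    FromScope               = 'InOrganization'
    SentToScope             = 'NotInOrganization'
    MessageTypeMatches      = 'AutoForward'
    RejectMessageReasonText = $rejectText
    # Optional exception for a documented business need (the post's "exclusion").
    # ExceptIfFrom          = 'approved.user@example.com'   # placeholder, not a real address
}

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule @params
} else {
    Write-Host "Rule '$ruleName' already exists; nothing created."
}

# Verify the rule landed with the expected conditions and action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, MessageTypeMatches, RejectMessageReasonText

# Audit: find inbox rules and mailbox-level forwarding that already point outside
# the organization. Any domain not in the tenant's accepted domains is "external".
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress([string]$Address) {
    # Returns $true when the address's domain is not one of ours.
    $domain = ($Address -split '@')[-1].ToLower()
    return ($domain -and ($internalDomains -notcontains $domain))
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (ForwardingSmtpAddress looks like "smtp:user@domain").
    if ($mbx.ForwardingSmtpAddress) {
        $addr = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '')
        if (Test-ExternalAddress $addr) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'; Target = $addr }
        }
    }
    # Inbox rules: external recipients appear as "Name [SMTP:user@domain]".
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -match 'SMTP:([^\]]+)' -and (Test-ExternalAddress $Matches[1])) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = "InboxRule:$($rule.Name)"; Target = $Matches[1] }
            }
        }
    }
}

if ($findings) {
    Write-Host 'External forwarding already configured in these mailboxes:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No external forwarding found in existing inbox rules or mailbox settings.'
}
```

Run the audit section on its own periodically (or after any suspected account compromise): a forwarding destination that does not match an accepted domain is exactly the kind of quiet rule this post describes, and it will not be caught by a transport rule that was created after the fact.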
This is one of those rules that’s very small with an impact that almost no users will notice, but which produces a huge level of security against e-mail hackers. Don’t delay! Get this rule in place.