Auto-forwarding looks harmless. A user sets a rule to push a copy of their mail to a personal Gmail so they can read it on the weekend, and nobody thinks twice. But uncontrolled external forwarding is one of the most common ways company data leaks out — and one of the first things an attacker sets up after they get into a mailbox. A hidden forwarding rule quietly copies every incoming message to an outside address, keeps working after the password is reset, and gives the attacker a steady feed of your mail.
Microsoft 365 gives you several ways to shut this down. The main one is the outbound spam filter policy, which can block automatic external forwarding across the whole tenant. You can back it up with mail flow rules for finer control and use anti-phishing and alerts to catch the account compromises that create malicious rules in the first place. This guide walks through all three, in the order you’d actually deploy them.
Why this matters more than it looks
Before the how, it’s worth being clear on the risk, because that’s what justifies the occasional broken convenience rule.
- Data exfiltration. A forwarding rule sends copies of sensitive mail — invoices, contracts, HR data — to an address you don’t control. No download, no obvious trace.
- Post-compromise persistence. After a phishing attack, the attacker sets a forwarding rule. Even after you reset the password and kick them out, they keep reading the victim’s mail.
- Compliance exposure. Mail leaving to personal accounts sidesteps your retention, logging, and data-handling controls entirely.
The three ways forwarding gets set up
To block forwarding effectively you have to know the ways it’s configured, because a control that catches one method can miss another.
How auto-forwarding is configured in Microsoft 365
| Method | What it is |
|---|---|
| Inbox rule (user) | A rule in Outlook/OWA that forwards or redirects messages. Most common, and what attackers use. |
| Mailbox forwarding (admin or user) | The ForwardingSMTPAddress / ForwardingAddress setting on the mailbox itself. |
| Mail flow rule (admin) | A transport rule that redirects mail. Tenant-wide, set by admins. |
The good news: the outbound spam policy’s automatic-forwarding control covers the user-created methods (inbox rules and mailbox forwarding to external recipients) in one setting. That’s why it’s the right place to start.
Step 1: Block external forwarding in the outbound spam policy
This is the primary control and the one Microsoft recommends. It blocks mail being automatically forwarded to external recipients across the tenant.
- Sign in to the Microsoft Defender portal (security.microsoft.com).
- Go to Email & collaboration → Policies & rules → Threat policies → Anti-spam.
- Open Anti-spam outbound policy (Default) (or create a custom outbound policy).
- Edit Automatic forwarding rules and set it to Off – Forwarding is disabled.
- Save.
With this set to Off, automatic forwarding to external addresses is blocked, regardless of whether the user set it via an inbox rule or the mailbox forwarding setting. The setting has three states, and it’s worth knowing what each does:
Outbound spam policy: Automatic forwarding rules
| Setting | Effect |
|---|---|
| Automatic (default) | Microsoft decides — currently blocks external auto-forwarding for most tenants, but it’s controlled by the system, not you. |
| On | Forwarding is allowed — external auto-forwarding works. |
| Off | Forwarding is disabled — external auto-forwarding is blocked. This is the explicit, enforced choice. |
Step 2: Allow exceptions with a scoped policy
A tenant-wide block will catch forwarding you actually want — a departed employee’s mail going to their manager, or a genuine shared workflow. Rather than weakening the default, create a separate outbound policy for the few accounts that need forwarding.
- In the same Anti-spam policies area, create a new outbound policy.
- Scope it to the specific users, groups, or domains that are allowed to forward.
- Set Automatic forwarding rules to On for that policy.
- Give it a higher priority than the default so it applies to those users.
This keeps the secure default in place for everyone while letting a controlled set of accounts forward. Review the exception list periodically — exceptions have a way of outliving their reason.
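Steps 1 and 2 can also be done in Exchange Online PowerShell, which is handy for scripting the change across several tenants. This is an added example, not code from the original guide; the policy name, the exception user and the domain are placeholders.

```powershell
# Added example: Step 1 (block by default) and Step 2 (scoped exception) via PowerShell.
# Placeholders to replace: the exception address and policy name.
Connect-ExchangeOnline

# Step 1: move the default outbound policy from Automatic to an explicit Off
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Step 2: a separate policy that allows forwarding, attached to a narrow scope
$policyName = "Allow forwarding - approved accounts"
New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On

# The rule binds the policy to its scope. Priority 0 is the highest, so it wins
# over the default policy for these senders only. -FromMemberOf (a group) or
# -SenderDomainIs (a domain) can be used instead of -From for wider scopes.
New-HostedOutboundSpamFilterRule -Name $policyName `
    -HostedOutboundSpamFilterPolicy $policyName `
    -From "departed.user@contoso.example" `
    -Priority 0

# Verify: every outbound policy and its forwarding mode, plus who each rule covers
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-HostedOutboundSpamFilterRule   | Select-Object Name, Priority, From, FromMemberOf, SenderDomainIs
```

Re-running the last two lines is a cheap periodic check that the exception list has not quietly grown.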
Step 3: Audit what’s already forwarding
Before and after enforcing the policy, find the mailboxes that already forward externally. This surfaces both legitimate setups you might break and any forwarding an attacker has planted.
```powershell
Connect-ExchangeOnline
# Mailboxes with forwarding configured on the mailbox itself
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSMTPAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSMTPAddress, ForwardingAddress, DeliverToMailboxAndForward
# Inbox rules that forward or redirect (scan each mailbox)
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{N='Mailbox';E={$mbx.PrimarySmtpAddress}}, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```
Run this across the tenant and review the results. Anything forwarding to an external domain you don’t recognize is worth investigating as a possible compromise — not just a productivity rule.
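The audit above lists every forwarding target; the next step is deciding which ones are external. This added example (not from the original guide) compares each target's domain against the tenant's accepted domains so only outside destinations are reported. It assumes inbox-rule targets render as `"Name" [SMTP:user@domain]` and that ForwardingAddress, which points at a directory object rather than an SMTP string, is reviewed separately.

```powershell
# Added example: report only forwarding targets whose domain the tenant does not own.
Connect-ExchangeOnline

# Domains the tenant owns; any other domain is treated as external
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

# Extract SMTP addresses from forwarding values. Assumed formats:
#   inbox rule targets   -> '"Jane Doe" [SMTP:jane@example.net]'
#   ForwardingSMTPAddress -> 'smtp:jane@example.net'
function Get-SmtpTargets([object[]]$values) {
    foreach ($v in $values) {
        if (-not $v) { continue }
        foreach ($m in [regex]::Matches([string]$v, '(?i)smtp:([^\]\s"]+)')) {
            $m.Groups[1].Value.ToLower()
        }
    }
}

function Test-External([string]$address) {
    $domain = $address.Split('@')[-1]
    return -not ($internal -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (ForwardingAddress not covered here; see lead-in)
    foreach ($t in Get-SmtpTargets @($mbx.ForwardingSMTPAddress)) {
        if (Test-External $t) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'; Rule = ''; Target = $t }
        }
    }
    # Inbox rules: all three forwarding-style actions
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $raw = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in Get-SmtpTargets $raw) {
            if (Test-External $t) {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'; Rule = $rule.Name; Target = $t }
            }
        }
    }
}

# Sorting by target groups repeated external addresses, which is the pattern worth a closer look
$findings | Sort-Object Target, Mailbox | Format-Table -AutoSize
```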
Step 4: Back it up with a mail flow rule
The outbound spam policy handles user-created external forwarding well, but a mail flow (transport) rule gives you an extra layer and catches cases the spam policy doesn’t, such as message-level redirection. It’s also useful when you want to block forwarding and notify the sender.
Create a rule in the Exchange admin center (Mail flow → Rules → Add a rule) that rejects auto-forwarded messages heading outside the org. The key condition is the message type “auto-forward” combined with an external recipient.
```powershell
Connect-ExchangeOnline
# Reject auto-forwarded messages that originate inside the org and are addressed outside it
New-TransportRule -Name "Block external auto-forwarding" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "External auto-forwarding is not permitted by company policy." `
    -RejectMessageEnhancedStatusCode "5.7.1"
```
Step 5: Reduce the compromises that create bad rules
Blocking forwarding stops the symptom. Anti-phishing and good account hygiene reduce the compromises that create malicious forwarding rules in the first place.
Cut the source of malicious forwarding rules
- Turn on and tune the anti-phishing policy in Defender (mailbox intelligence, impersonation protection)
- Enforce MFA on every account so a phished password isn't enough on its own
- Enable alerts for new inbox forwarding/redirect rules so you're notified when one is created
- Review the restricted users and risky sign-ins in the Defender and Entra portals
- Re-run the forwarding audit periodically, not just once
Anti-phishing policies don’t block forwarding directly, but they cut down the account takeovers that lead to it, and Defender can alert you when a suspicious forwarding rule appears. Pair that detection with the forwarding block and you cover both prevention and response.
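Portal alerts are the easiest way to be told about new forwarding rules, but the same events are in the unified audit log and can be pulled on a schedule. This added example (not from the original guide) finds inbox rules created or changed in the last seven days whose parameters include a forward or redirect action. It assumes mailbox auditing is on and the Exchange Online module is connected.

```powershell
# Added example: detect recently created or edited inbox rules that forward or redirect.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Rule creation and edits are recorded as these two operations. ResultSize caps at 5000;
# narrow the window or page with -SessionCommand ReturnLargeSet for busy tenants.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

$forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'

$suspicious = foreach ($r in $records) {
    # AuditData is JSON; Parameters is a list of {Name, Value} for the cmdlet the user ran
    $data = $r.AuditData | ConvertFrom-Json
    $hits = @($data.Parameters | Where-Object { $forwardingParams -contains $_.Name })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            When      = $r.CreationDate
            Mailbox   = $data.UserId
            ClientIP  = $data.ClientIP
            Operation = $data.Operation
            Targets   = ($hits | ForEach-Object { $_.Value }) -join '; '
        }
    }
}

$suspicious | Sort-Object When -Descending | Format-Table -AutoSize
```

Audit records can take from minutes to hours to appear, so a daily run with an overlapping window is more reliable than a tight real-time poll.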
How this connects to the rest of mail flow
External forwarding controls sit alongside the other mail flow settings you manage in Exchange Online. If you’re chasing a case where mail seems to vanish from a mailbox, a hidden forwarding rule is one of the things to check — the guide to fixing email not sending or receiving covers using message trace and inbox-rule checks to find where mail is actually going. And if you’re setting up team addresses, doing it with a properly delegated shared mailbox in Microsoft 365 is safer than having one person forward a copy of everything to the team.
Wrapping up
Uncontrolled external auto-forwarding is a quiet data leak and a favourite attacker trick, so the secure default is to block it. Set the outbound spam policy’s automatic forwarding to Off explicitly, carve out exceptions with a scoped policy for the few accounts that genuinely need it, and add a mail flow rule for an extra layer and clearer bounce messages. Audit what’s already forwarding before you enforce the block so you don’t break legitimate setups blind.
Then close the loop on the root cause: enforce MFA, tune anti-phishing, and turn on alerts for new forwarding rules. Blocking the forwarding handles the symptom; cutting account compromise handles the cause.