Microsoft 365 — Allowing Automatic Email Forwards
Beginning late 2020, Exchange Online in Microsoft 365 will block autoforwarding to external addresses. “Autoforwarding” includes a forwarding address on a mailbox or forwarding via an Inbox rule. This is to prevent data exfiltration as one means that an attacker can use to gather data from a compromised mailbox. (Manual forwarding of individual messages via the email client is unaffected.)
Messages which are forwarded in this way will fail and the sender will receive a non-delivery report (NDR) containing “Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)'”.
This behaviour is controlled through two settings:
- Outbound spam policy; and
By default, the remote domain settings allow forwarding, but the specific change that now blocks forwarding is in the outbound spam policy where the setting has been changed to Automatic (as opposed to On or Off) and the meaning of Automatic has changed from On to Off.
To enable forwarding, open Anti-Spam Settings in the Office 365 Security & Compliance portal. Edit the Outbound Spam Filter Policy to set Automatic Forwarding to On.
This setting enables all forwarding for all mailboxes across the entire tenancy.
If you wish more granular control, you can allow forwarding to specific domains on a case-by-case basis. To do this, leave the Automatic Forwarding option as On. Then, in the Exchange Admin Centre, click into Remote Domains. Change the properties of Default (*) to disable Allow automatic forwarding. Then add a new remote domain (as *.domain.com) and leave Allow automatic forwarding enabled.
In PowerShell, this can be done as follows:
- Connect to Office 365.
Set-HostedOutboundSpamFilterPolicy "Default" -AutoForwardingMode "On"
Set-RemoteDomain Default -AutoForwardEnabled $false
New-RemoteDomain -DomainName *.domain.com -Name "domain.com"
Set-RemoteDomain "domain.com" -AutoForwardEnabled $true