
How to Block External Email Forwarding in Microsoft 365
- Sam Williams
- Mar 29

External email forwarding is one of the most common ways data leaves a business without anyone noticing. An attacker compromises an account, sets up a forwarding rule to an external address, and quietly receives a copy of every email. Or a departing employee forwards everything to their personal Gmail.
Blocking it takes about 5 minutes and should be done on every M365 tenant.
Why this matters
By default, Microsoft 365 allows users to set up automatic forwarding to any external email address. This means anyone — or any attacker who compromises an account — can silently forward all incoming email to an outside address.
You probably won't notice until the damage is done. The forwarding rule sits in the mailbox settings and doesn't show up in normal email activity.
How to block it
Go to admin.microsoft.com → Exchange admin center → Mail flow → Remote domains.
Click on the Default domain (the one with *).
Under Email reply types, set Automatic forwarding to Disabled.
Click Save.
This blocks all automatic forwarding rules to external domains across your entire tenant. Internal forwarding still works.
Checking for existing forwarding rules
Before you block it, check if anyone currently has forwarding set up. Some might be legitimate.
In the Exchange admin center, go to Mail flow → Message trace. Run a trace for the last 7 days and filter by forwarding.
Or use PowerShell:
Get-Mailbox -ResultSize Unlimited | Where-Object { $null -ne $_.ForwardingSmtpAddress }
This lists every mailbox that has a forwarding SMTP address set in its mailbox settings.
Review the results. If someone legitimately needs forwarding (rare), set it up as a transport rule with explicit approval rather than a user-level rule.
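A fuller version of that check, as an added example that is not part of the original post: it inventories mailbox-level forwarding and also the Outlook inbox rules that forward or redirect, and marks targets outside the tenant's accepted domains. It assumes a session already connected with Connect-ExchangeOnline; the Test-ExternalTarget helper and the CSV path are hypothetical names chosen for the example.

```powershell
# Added example (not from the original post). Run in a session already
# connected with Connect-ExchangeOnline. Read-only: it changes nothing.
$internal = (Get-AcceptedDomain).DomainName      # domains this tenant owns

function Test-ExternalTarget([string]$Target) {
    # Extract SMTP addresses; any domain outside the accepted list is external.
    foreach ($m in [regex]::Matches($Target, '[\w.+-]+@([\w-]+\.)+[\w-]+')) {
        if ($internal -notcontains $m.Value.Split('@')[1]) { return $true }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1) Mailbox-level forwarding (set by the user or by an admin).
    foreach ($prop in 'ForwardingSmtpAddress', 'ForwardingAddress') {
        if ($mbx.$prop) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = $prop
                Target   = [string]$mbx.$prop
                External = Test-ExternalTarget ([string]$mbx.$prop)
                KeepCopy = $mbx.DeliverToMailboxAndForward
            }
        }
    }
    # 2) Inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
        if ($targets.Count) {
            $joined = $targets -join '; '
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = "InboxRule: $($rule.Name) (Enabled=$($rule.Enabled))"
                Target   = $joined
                External = Test-ExternalTarget $joined
                KeepCopy = $null
            }
        }
    }
}

# External targets first. The output path is a hypothetical example.
$findings | Sort-Object External -Descending |
    Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation
```

ForwardingAddress and some inbox rule targets point at directory recipients rather than raw SMTP addresses, so a mail contact with an outside address can show External = False. Review those rows by hand.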
The alert you should set up
Even after blocking, set up an alert so you know if someone tries.
In the Microsoft 365 Defender portal, go to Policies → Alert policy → Create alert.
Set it to trigger on 'Creation of forwarding/redirect rule'. This catches both the Exchange forwarding and Outlook inbox rules that forward externally.
This is one of the quick wins we configure in the first week of any new managed services engagement. If you want a full email security review, get in touch.

