Knowledge base
December 27, 2024
📧 Protect your email: Turn off mailbox auto-forwarding!
Automatically forwarding emails to external domains may seem convenient, but it can also pose a major security risk. Cyber attackers often use this functionality to gain access to confidential communications. Fortunately, there is a simple solution: disabling auto-forwarding to external domains.
🚨 What is the risk?
- Monitoring by attackers: Attackers use auto-forwarding to intercept emails undetected and gain access to sensitive data. 📥
- Sensitive information leaks: Think internal strategies, financial information or customer data that just falls into the wrong hands. 😱
💡 What can you do yourself?
- Check whether forwarding is enabled:
  - Go to your Outlook Web App (via browser)¹.
  - Click Settings (cog icon at top right).
  - Search for Rules for Inbox or Forwarding.
  - Check whether a rule is set to automatically forward emails.
- Disable forwarding:
  - Select the forwarding rule.
  - Click Remove or Disable.
  - Save the changes.
✅ How do you protect your organization?
- Get insight into forwarding addresses: Check which accounts use forwarding rules and set policies that allow only internal forwarding. 👁️
- Disable mailbox auto-forwarding: By turning this feature off, you prevent emails from being automatically forwarded to external accounts. This makes it a lot harder for attackers to monitor communications². 🔒
- Limit forwarding rules: Make sure forwarding is allowed only within the organization. That way you keep control over where emails go. 👨‍💻
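The three organizational steps above map directly onto Exchange Online PowerShell. The script below is an added example written for this article, not code from the original post or from Microsoft: it inventories both admin-set mailbox forwarding and user-created inbox rules that forward or redirect to a domain outside your accepted domains, writes the findings to a report, and then applies the tenant-wide block. It assumes the ExchangeOnlineManagement module, an account with Exchange Administrator rights, the tenant's built-in "Default" outbound spam policy and remote domain, and a report path of your choosing (placeholder). Remediation is switched off by default so you can review the report first.

```powershell
# Added example (not from the original article): find external auto-forwarding in
# Exchange Online and enforce the "internal forwarding only" policy tenant-wide.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Every accepted domain of the tenant counts as internal; anything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

function Test-IsExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Rule recipients come back as '"Name" [SMTP:user@domain]' or 'smtp:user@domain';
    # in both forms the domain is whatever follows '@' up to a closing bracket or space.
    if ($Address -notmatch '@([^\]>"\s]+)') { return $false }
    $domain = $Matches[1].ToLowerInvariant()
    return -not ($internalDomains -contains $domain)
}

$findings  = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($mbx in $mailboxes) {
    # 1) Mailbox-level forwarding (set by an admin via Set-Mailbox -ForwardingSmtpAddress)
    if (Test-IsExternalAddress $mbx.ForwardingSmtpAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox'
            Rule    = '(ForwardingSmtpAddress)'; RuleId = $null
            Target  = [string]$mbx.ForwardingSmtpAddress; Enabled = $true
        })
    }
    # 2) User-created inbox rules that forward, forward as attachment, or redirect
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-IsExternalAddress ([string]$t)) {
                $findings.Add([pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                    Rule    = $rule.Name; RuleId = $rule.Identity
                    Target  = [string]$t; Enabled = $rule.Enabled
                })
            }
        }
    }
}

$findings | Format-Table Mailbox, Source, Rule, Target, Enabled -AutoSize
# Placeholder path: adjust to where you keep audit evidence.
$findings | Export-Csv -Path '.\external-forwarding-report.csv' -NoTypeInformation

# Tenant-wide enforcement: block automatic forwarding to external domains, both via
# the outbound spam policy and via the default remote domain setting.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Per-mailbox clean-up of the findings. Off by default: review the CSV first, then set to $true.
$remediate = $false
if ($remediate) {
    foreach ($f in $findings) {
        if ($f.Source -eq 'Mailbox') {
            Set-Mailbox -Identity $f.Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
        } else {
            # Disable rather than remove, so the user can see what was changed and why.
            Disable-InboxRule -Mailbox $f.Mailbox -Identity $f.RuleId -Confirm:$false
        }
    }
}
```

Run the script once with `$remediate = $false` to get the inventory the first bullet asks for; the CSV is also useful evidence for an ISO 27001 audit. The two policy cmdlets implement the second and third bullets: with `AutoForwardingMode Off` and `AutoForwardEnabled $false`, new rules that forward externally simply stop delivering, while forwarding to the tenant's own domains keeps working.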
🎯 Benefits of switching off:
- Increased security against data breaches and phishing attacks. 🛡️
- Compliance with regulations, such as AVG/GDPR and ISO 27001, by keeping data within the organization. 📜
- Reduced risk of reputational damage from data breaches. 🌟
What does ISO 27001 say about this?
- Risk management: ISO 27001 requires organizations to identify and manage risks. Automatic forwarding to private addresses increases the risk of data breaches and loss of control over data.
- Security policies: Organizations should establish policies for the use and management of business e-mail. These policies can restrict or prohibit forwarding to private addresses.
- Access Control (Annex A.9): Only authorized access to data is allowed. Private mailboxes are usually beyond the control of the organization.
- Data loss prevention (DLP): Automatic forwarding can lead to the sharing of sensitive information without adequate protection.
Is it allowed?
It may be allowed, but only under strict conditions:
- Management approval: automatic forwarding must be explicitly approved.
- Encryption and security: Data must be secure in transmission and storage.
- Restrictions on forwarding: Only non-sensitive information should be forwarded.
- Monitoring and logging: Forwarding activities should be monitored.
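If forwarding is permitted under these conditions, the last one (monitoring and logging) needs something concrete behind it. The script below is an added example for this article, not code from the original post or from Microsoft: it pulls recent forwarding-related changes from the Microsoft 365 unified audit log and flags any that point outside the tenant, so approved exceptions can be checked against management approval and everything else investigated. It assumes the ExchangeOnlineManagement module, that unified audit logging is enabled in the tenant, and that the records for the listed cmdlets carry their arguments in the `Parameters` array of the audit JSON (client-side rule edits logged as `UpdateInboxRules` use a different layout and are deliberately left out here).

```powershell
# Added example (not from the original article): report forwarding changes made in
# the last $days days, based on the unified audit log. Assumes audit logging is on.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$days = 7
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

# Cmdlets whose audit records carry forwarding parameters.
$operations = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'Enable-InboxRule'
$forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                    'ForwardingSmtpAddress', 'ForwardingAddress'

$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$days) -EndDate (Get-Date) `
                                  -Operations $operations -ResultSize 5000

$report = foreach ($rec in $records) {
    $data = $rec.AuditData | ConvertFrom-Json
    # Parameters is an array of { Name, Value }; keep only forwarding-related ones.
    $hits = @($data.Parameters | Where-Object { $_.Name -in $forwardingParams })
    foreach ($p in $hits) {
        $value = [string]$p.Value
        # Extract the domain part of the target; $null when the value clears forwarding.
        $domain = if ($value -match '@([^\]>"\s;]+)') { $Matches[1].ToLowerInvariant() } else { $null }
        [pscustomobject]@{
            Time      = $rec.CreationDate
            Actor     = $data.UserId          # who made the change
            Mailbox   = $data.ObjectId        # whose mailbox or rule was changed
            Operation = $rec.Operations
            Parameter = $p.Name
            Target    = $value
            External  = ($null -ne $domain) -and -not ($internalDomains -contains $domain)
        }
    }
}

# External targets first: these are the ones that need an approval record or an incident.
$report | Sort-Object External -Descending | Format-Table -AutoSize
$report | Where-Object External | Export-Csv -Path '.\forwarding-changes-external.csv' -NoTypeInformation
```

Scheduling this daily (or wiring the same query into your SIEM) turns the "monitoring and logging" condition into a routine control: every external entry in the CSV must match an approved exception, and anything that does not is a signal that a mailbox may be compromised. The `Actor` column matters as much as the target: forwarding set up by the mailbox owner from an unusual location looks very different from forwarding set by an administrator.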
Recommendation
Many organizations choose to completely disable automatic forwarding to external addresses to minimize risk and ensure compliance. This often fits better within an ISO 27001 framework. Take action today and make sure your email traffic stays secure! If you need help, feel free to contact us.
👉 Tip: Review your current settings and implement this change as a default policy in your organization.
References
¹ https://outlook.office.com/mail/options/mail/rules
² https://support.microsoft.com/nl-nl/office/stop-auto-forwarding-emails-in-office-365-business-premium-7224ae95-ac5d-4454-9f21-2f4d1a17eb79
About the author
My name is Alta Martes, a specialist in Microsoft 365 and Google Workspace, with a focus on modern workplace management, cloud security and identity & access management. With years of experience, I help organizations optimize their IT infrastructure and create a secure, efficient digital workplace. 🎯 Need help with your Microsoft 365 strategy?