Microsoft Defender for Office 365 outbound spam policies are evaluated to confirm that automatic mail forwarding is disabled in the default policy and in any custom policies applied to users, groups, or domains.
Risk
Allowing automatic forwarding enables covert data exfiltration, eroding confidentiality. Attackers or insiders can auto-route mail to external inboxes, persist access, evade monitoring, and harvest sensitive content (tickets, approvals, MFA codes), enabling lateral movement and fraud while reducing auditability.
prowler m365 --checks defender_antispam_outbound_policy_forwarding_disabled
Recommendation
Disable automatic forwarding globally in outbound spam policies to enforce least privilege on data flows. If exceptions are required, restrict to named senders or domains, document approvals, and review regularly. Add DLP, alerts on new forwarding rules, and mailbox auditing for defense in depth.
Remediation
Set-HostedOutboundSpamFilterPolicy -Identity <policyName> -AutoForwardingMode Off
- Sign in to https://security.microsoft.com
- Go to Email & collaboration > Policies & rules > Threat policies > Anti-spam
- Open Anti-spam outbound policy (Default) or the target custom policy
- Click Edit protection settings and set Automatic forwarding rules to Off - Forwarding is disabled, then Save
- For custom policies, ensure the policy Status is On (enabled); repeat for any additional policies
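The evaluation the check performs can be modelled offline. The following is an added example, not Prowler's own check code: it scores constructed policy records on the two conditions the remediation steps above require (an explicit Off forwarding mode, and, for custom policies, an enabled policy) and emits the remediation cmdlet from this page for each failing policy.

```python
"""Model of the outbound spam policy forwarding check (added example, not Prowler's code).
Evaluates constructed policy records offline, using the attribute named on this page
(AutoForwardingMode) plus the custom-policy Status the remediation steps call out."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundSpamPolicy:
    name: str
    auto_forwarding_mode: str   # Exchange Online values: "Automatic", "On", "Off"
    is_default: bool = False
    rule_enabled: bool = True   # custom policies apply only while their Status is On


def evaluate_policy(policy: OutboundSpamPolicy) -> tuple[str, str]:
    """Return (status, reason). Only an explicit Off on an applied policy passes."""
    if policy.auto_forwarding_mode != "Off":
        return ("FAIL", f"AutoForwardingMode is {policy.auto_forwarding_mode}, not Off")
    if not policy.is_default and not policy.rule_enabled:
        return ("FAIL", "AutoForwardingMode is Off but the policy is disabled, so it is not applied")
    return ("PASS", "AutoForwardingMode is Off and the policy is applied")


def evaluate_tenant(policies) -> dict[str, tuple[str, str]]:
    """Map each policy name to its (status, reason) finding."""
    return {p.name: evaluate_policy(p) for p in policies}


def remediation_commands(policies) -> list[str]:
    """Exchange Online PowerShell lines (the cmdlet from this page) for each failing policy."""
    cmds = []
    for p in policies:
        if p.auto_forwarding_mode != "Off":
            cmds.append(f'Set-HostedOutboundSpamFilterPolicy -Identity "{p.name}" -AutoForwardingMode Off')
        if not p.is_default and not p.rule_enabled:
            cmds.append(f'# Set Status to On for policy "{p.name}" in the Defender portal')
    return cmds


# Constructed sample tenant (not real data): one default and three custom policies.
SAMPLE_POLICIES = [
    OutboundSpamPolicy("Default", "Automatic", is_default=True),
    OutboundSpamPolicy("Finance", "Off"),
    OutboundSpamPolicy("Legacy", "Off", rule_enabled=False),
    OutboundSpamPolicy("Partners", "On"),
]

if __name__ == "__main__":
    for name, (status, reason) in evaluate_tenant(SAMPLE_POLICIES).items():
        print(f"{status} {name}: {reason}")
    print("\n".join(remediation_commands(SAMPLE_POLICIES)))
```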
Resource Type
NotDefined