Ensure Defender Outbound Spam Policies are set to disable mail forwarding.
Risk
Enabling email auto-forwarding can be exploited by attackers or malicious insiders to exfiltrate sensitive data outside the organization, often without detection.
Run this check with Prowler CLI
prowler m365 --checks defender_antispam_outbound_policy_forwarding_disabled
Remediation
Set-HostedOutboundSpamFilterPolicy -Identity {policyName} -AutoForwardingMode Off
1. Navigate to Microsoft 365 Defender https://security.microsoft.com/.
2. Expand E-mail & collaboration, then select Policies & rules.
3. Select Threat policies > Anti-spam.
4. Select Anti-spam outbound policy (default).
5. Click Edit protection settings.
6. Set the Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save.
7. Repeat steps 4-6 for any additional higher-priority custom policies.
Block all forms of mail forwarding using Anti-spam outbound policies in Exchange Online. Apply exclusions only where justified by organizational policy.
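An added example, not Prowler's own code or Microsoft documentation, that audits every outbound spam policy in the tenant (the default one and any higher-priority custom policies) and reports those whose AutoForwardingMode is not Off; with -Remediate it applies the same setting the Remediation command above uses. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds Exchange Online admin rights.

```powershell
# Added example, not part of Prowler or Microsoft documentation.
# Assumes the ExchangeOnlineManagement module is installed and the
# account has Exchange Online admin rights. Audits all outbound spam
# policies and, with -Remediate, sets AutoForwardingMode to Off where needed.
param(
    [switch]$Remediate
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

# Returns the default policy and every custom policy, so the
# "repeat for higher-priority custom policies" step is covered in one pass.
$policies = Get-HostedOutboundSpamFilterPolicy

$findings = foreach ($p in $policies) {
    # AutoForwardingMode values: Automatic (system-controlled), On (forwarding
    # allowed), Off (forwarding blocked). Only Off satisfies this check.
    $compliant = ($p.AutoForwardingMode -eq 'Off')
    [pscustomobject]@{
        Policy             = $p.Name
        AutoForwardingMode = $p.AutoForwardingMode
        Status             = if ($compliant) { 'PASS' } else { 'FAIL' }
    }
}

$findings | Format-Table -AutoSize

$failing = $findings | Where-Object Status -eq 'FAIL'
if ($failing -and $Remediate) {
    foreach ($f in $failing) {
        Write-Host "Disabling automatic forwarding on policy '$($f.Policy)'"
        Set-HostedOutboundSpamFilterPolicy -Identity $f.Policy -AutoForwardingMode Off
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run without -Remediate first to review the findings; exclusions justified by organizational policy should be handled as separate, documented custom policies rather than by leaving forwarding enabled tenant-wide.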
Resource Type
Defender Anti-Spam Outbound Policy