Find all Inbox Rules that forward mail externally from Office 365 using PowerShell
It’s a good idea to be aware of any mailbox level Inbox Rules that automatically forward mail outside of your organisation. Microsoft recommends that these types of rules be disabled by admins by default. Stopping mail from being auto-forwarded even counts towards your Office 365 Secure Score.
Auto-forwarding mail to external contacts has some legitimate use cases, but it can also be used by attackers and rogue employees to exfiltrate data from your organisation. You can disable this functionality for your own tenant and your Office 365 customers using the PowerShell scripts here.
Whether you’re going to disable this functionality or not, it’s worth checking which users in your organisation are automatically forwarding mail outside of the company. If you do choose to disable this functionality, you should first check to see whether you need to add any exceptions for legitimate rules.
The following scripts will check all mailboxes for these sorts of inbox rules and export details about the rule and the external contacts to a CSV.
The first script is designed to be run on a single Office 365 tenant. The second script is for Microsoft Partners, who can use it to check for these types of Inbox rules on all users in all customer environments.
How to run these scripts
- Double click on either of the scripts below to select it all
- Copy and paste it into Visual Studio Code and save it as a .ps1 file
- Run it by pressing F5
- Enter the credentials of an Office 365 global admin, Exchange admin or delegated administrator. To run these scripts with MFA-enabled accounts, you can whitelist your current static IP.
- Wait for the script to complete. If you’re running this across a number of tenants, you’ll probably be waiting a while.
- A CSV of its results will be saved to C:\temp\externalrules.csv or C:\temp\customerexternalrules.csv as it processes. The scripts append to the file, so make sure C:\temp exists and remove any previous results before re-running.
How to check for Inbox Rules that forward externally in a single Office 365 tenant using PowerShell
Function Connect-EXOnline {
    $credentials = Get-Credential
    Write-Output "Getting the Exchange Online cmdlets"
    $Session = New-PSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
        -ConfigurationName Microsoft.Exchange -Credential $credentials `
        -Authentication Basic -AllowRedirection
    Import-PSSession $Session
}

Connect-EXOnline

# Accepted domains of the tenant: any recipient domain not in this list is treated as external
$domains = Get-AcceptedDomain
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    $forwardingRules = $null
    Write-Host "Checking rules for $($mailbox.displayname) - $($mailbox.primarysmtpaddress)" -ForegroundColor Green
    $rules = Get-InboxRule -Mailbox $mailbox.primarysmtpaddress
    $forwardingRules = $rules | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo}

    foreach ($rule in $forwardingRules) {
        # Wrap in @() so a rule with a single recipient stays an array and += appends
        # instead of concatenating strings
        $recipients = @($rule.ForwardTo | Where-Object {$_ -match "SMTP"})
        $recipients += @($rule.ForwardAsAttachmentTo | Where-Object {$_ -match "SMTP"})
        $externalRecipients = @()

        foreach ($recipient in $recipients) {
            # Recipient entries look like: "Display Name" [SMTP:user@domain.com]
            $email = ($recipient -split "SMTP:")[1].Trim("]")
            $domain = ($email -split "@")[1]
            if ($domains.DomainName -notcontains $domain) {
                $externalRecipients += $email
            }
        }

        if ($externalRecipients) {
            $extRecString = $externalRecipients -join ", "
            Write-Host "$($rule.Name) forwards to $extRecString" -ForegroundColor Yellow
            $ruleHash = $null
            $ruleHash = [ordered]@{
                PrimarySmtpAddress = $mailbox.PrimarySmtpAddress
                DisplayName        = $mailbox.DisplayName
                RuleId             = $rule.Identity
                RuleName           = $rule.Name
                RuleDescription    = $rule.Description
                ExternalRecipients = $extRecString
            }
            $ruleObject = New-Object PSObject -Property $ruleHash
            $ruleObject | Export-Csv C:\temp\externalrules.csv -NoTypeInformation -Append
        }
    }
}
How to check for Inbox Rules that forward externally in all customer Office 365 tenants using PowerShell
$credential = Get-Credential
Connect-MsolService -Credential $credential
$customers = Get-MsolPartnerContract

foreach ($customer in $customers) {
    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial -eq $true}
    Write-Host "Checking $($customer.Name)"

    # Connect to the customer's Exchange Online via the delegated (partner) endpoint
    $DelegatedOrgURL = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    $s = New-PSSession -ConnectionUri $DelegatedOrgURL -Credential $credential `
        -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection
    Import-PSSession $s -CommandName Get-Mailbox, Get-InboxRule, Get-AcceptedDomain -AllowClobber

    $mailboxes = $null
    $mailboxes = Get-Mailbox -ResultSize Unlimited
    # Accepted domains of this customer: any recipient domain not in this list is treated as external
    $domains = Get-AcceptedDomain

    foreach ($mailbox in $mailboxes) {
        $forwardingRules = $null
        Write-Host "Checking rules for $($mailbox.displayname) - $($mailbox.primarysmtpaddress)"
        $rules = Get-InboxRule -Mailbox $mailbox.primarysmtpaddress
        $forwardingRules = $rules | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo}

        foreach ($rule in $forwardingRules) {
            # Wrap in @() so a rule with a single recipient stays an array and += appends
            # instead of concatenating strings
            $recipients = @($rule.ForwardTo | Where-Object {$_ -match "SMTP"})
            $recipients += @($rule.ForwardAsAttachmentTo | Where-Object {$_ -match "SMTP"})
            $externalRecipients = @()

            foreach ($recipient in $recipients) {
                # Recipient entries look like: "Display Name" [SMTP:user@domain.com]
                $email = ($recipient -split "SMTP:")[1].Trim("]")
                $domain = ($email -split "@")[1]
                if ($domains.DomainName -notcontains $domain) {
                    $externalRecipients += $email
                }
            }

            if ($externalRecipients) {
                $extRecString = $externalRecipients -join ", "
                Write-Host "$($rule.Name) forwards to $extRecString" -ForegroundColor Yellow
                $ruleHash = $null
                $ruleHash = [ordered]@{
                    Customer           = $customer.Name
                    TenantId           = $customer.TenantId
                    PrimarySmtpAddress = $mailbox.PrimarySmtpAddress
                    DisplayName        = $mailbox.DisplayName
                    RuleId             = $rule.Identity
                    RuleName           = $rule.Name
                    RuleDescription    = $rule.Description
                    ExternalRecipients = $extRecString
                }
                $ruleObject = New-Object PSObject -Property $ruleHash
                $ruleObject | Export-Csv C:\temp\customerExternalRules.csv -NoTypeInformation -Append
            }
        }
    }

    # Close the customer session so the run does not exhaust the Exchange Online concurrent session limit
    Remove-PSSession $s
}
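The external-recipient check shared by both scripts above, pulled out into a function and run against constructed rule objects so the parsing and domain logic can be tested offline before a tenant-wide run. This is an added example, not code from the original post; the function name Get-ExternalForwardingTargets, the sample rules and the domains are assumptions. It also inspects RedirectTo (which the scripts above do not) and reports the rule's Enabled flag, since a disabled rule can be re-enabled.

```powershell
# Added example (not from the original post): the external-recipient logic from the
# scripts above as a function that can be tested offline against constructed rules.
function Get-ExternalForwardingTargets {
    param(
        [Parameter(Mandatory)] $Rule,                          # object with ForwardTo / ForwardAsAttachmentTo / RedirectTo
        [Parameter(Mandatory)] [string[]] $AcceptedDomains     # e.g. (Get-AcceptedDomain).DomainName
    )
    # Get-InboxRule recipients look like: "Bob Smith" [SMTP:bob@example.com]
    # Internal recipients may also appear as [EX:/o=...] legacy DNs; those are never external.
    $targets = @()
    $targets += @($Rule.ForwardTo)
    $targets += @($Rule.ForwardAsAttachmentTo)
    $targets += @($Rule.RedirectTo)   # redirects also send a copy outside, so include them

    $external = @()
    foreach ($t in ($targets | Where-Object { $_ -match 'SMTP:' })) {
        $email  = (($t -split 'SMTP:')[1]).Trim(']', ' ').ToLower()
        $domain = ($email -split '@')[1]
        # -notcontains on strings is case-insensitive in PowerShell
        if ($domain -and ($AcceptedDomains -notcontains $domain)) {
            $external += $email
        }
    }
    return $external | Select-Object -Unique
}

# Constructed sample data (hypothetical domains) so the function runs without a tenant
$accepted = @('contoso.com', 'contoso.onmicrosoft.com')
$sampleRules = @(
    [pscustomobject]@{ Name = 'Internal copy';   Enabled = $true;  ForwardTo = @('"Alice" [SMTP:alice@contoso.com]'); ForwardAsAttachmentTo = $null; RedirectTo = $null },
    [pscustomobject]@{ Name = 'Hidden redirect'; Enabled = $true;  ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = @('"x" [SMTP:drop@example.net]') },
    [pscustomobject]@{ Name = 'Old rule';        Enabled = $false; ForwardTo = @('"Bob" [SMTP:bob@example.org]', '"Eve" [EX:/o=ExchangeLabs/cn=Recipients/cn=eve]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
)

foreach ($r in $sampleRules) {
    $ext = Get-ExternalForwardingTargets -Rule $r -AcceptedDomains $accepted
    if ($ext) {
        $state = if ($r.Enabled) { 'ENABLED' } else { 'disabled' }
        Write-Host ("{0,-16} {1,-8} -> {2}" -f $r.Name, $state, ($ext -join ', '))
    }
}
```

In a live run, pass each object from Get-InboxRule and (Get-AcceptedDomain).DomainName to the function in place of the constructed data.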