Friday, March 2, 2018

Check those Office 365 email forwards

One of the most common tasks that hackers perform after they have compromised accounts in Office 365 (usually via a poor password or phishing attack) is to set up an email forwarding rule on mailboxes so they receive a copy of emails to that user.

Thus, it is good security practice to ensure that you are aware of all the email forwarding configurations that are enabled on your tenant. To do this you simply need to run the following PowerShell command once you have connected to Exchange Online:

Get-Mailbox | select UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward

This will produce a result like:

image

which tells you whether forwarding has been enabled and to which address emails are being sent. Obviously, if you don;t recognise any of these you should investigate further.

There are plenty of ways to run this script on a regular basis but I’m not going to cover that here.