Checking Microsoft 365 Email Forwarding using PowerShell

A typical tactic after a business email compromise event is for the attacker to create email forwarding rules using one or more of these methods:

– Use rules in Outlook Web App to automatically forward messages to another account

– Client rules


It is therefore good practice to regularly check and verify the email forwarding rules inside your Microsoft 365 environment.

I have created a free PowerShell script exactly for this purpose, which you can find here:

Office365/o365-exo-fwd-chk.ps1 at master · directorcia/Office365 · GitHub

and the accompanying video provides a walkthrough of its execution.

Providing feedback on user reported messages

Hopefully, you are aware that Microsoft 365 provides users the ability to report a suspected email. I have spoken about this here:

Improved security is a shared responsibility


What you may not be aware of is that these submissions can be viewed and actioned in the Microsoft Security Center under the Submissions menu option as shown above.

You may also not be aware that there are further actions you can take in here:


You can provide feedback directly to the user about their submission using the Mark as and notify option as shown above.


Doing so will send the user an email, like that shown above, with feedback about their submission. Doing so provides important reinforcement for users to remain vigilant, as well as helping them better identify threats.


You’ll also find actions you can take on that message that will provide feedback directly to Microsoft, as shown above.


Even better, if you go into Policies & rules | Threat Policies | User submissions you are able to customise what is sent to the user, both before and after reporting as shown above.

For more information on these capabilities visit:

Admin review for reported messages

Getting users involved in security is important. Part of that is providing them feedback and recognition of their contribution, no matter how small. Using these capabilities for reported messages, you are able to do that quickly and easily.

A little bit more security

Security is never an absolute and is largely about defence in depth. That is, adding more layers of protection. With this in mind, I was recently made aware of this little gem that can help provide just a little more protection for inbound emails, especially against inbound malicious attachments.


Exchange Online has a Malware policy that you can configure. You’ll find it in the Microsoft 365 security center under policies. When you edit that policy, as shown above, you’ll see an option for Common attachment types filter. You should ensure that this is set to On. If so, you can then select the Choose type button to select which attachment types will be blocked.


You’ll see there are about ten default file types that will be blocked. What you may not be aware of is that if you press the Add button at the top of the page, as shown above, there are an additional 86 file types that Microsoft allows you to directly add.


Just select them all and Add them.


You should then see a total of 96 file types listed in the policy as shown.

I was a little puzzled why Microsoft wouldn’t have added more of the 86 optional file types to the standard 10. Most of the optional 86 seem to be developer focused, so maybe that is why? Many of the optional 86 are quite antiquated, but that doesn’t mean they couldn’t be used somehow to compromise an environment. It is therefore probably a very good idea to block all 86 optional file types on top of the default 10.

I also had a quick look at what all these file types typically refer to and provide this summary for you:

– ade

– adp

– asp

– bas

– bat

– cer

– chm

– cmd

– com

– cpl

– crt

– csh

– der

– dll

– dos

– fxp

– gadget

– hlp

– hta

– inf

– ins

– isp

– its

– js

– jse

– ksh

– lnk

– mad

– maf

– mag

– mam

– maq

– mar

– mas

– mat

– mau

– mav

– maw

– mda

– mdb

– mde

– mdt

– mdw

– mdz

– msc

– msh

– msh1

– msh1xml

– msh2

– msh2xml

– mshxml

– msi

– msp

– mst

– obj

– ops

– os2

– pcd

– pif

– plg

– prf

– prg

– ps1

– ps1xml

– ps2

– ps2xml

– psc1

– psc2

– pst

– rar

– scf

– sct

– shb

– shs

– tmp

– url

– vb

– vsmacros

– vsw

– vxd

– w16

– ws

– wsc

– wsf

– wsh

– xnk

Thus, I’d recommend you update your Exchange Online policy to include the complete list of file types that Microsoft provides protection for, even if most aren’t enabled by default.
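
The same check can be done from Exchange Online PowerShell instead of the portal. The script below is an added example, not part of the original post or the author's own scripts: it compares a malware filter policy's Common attachment types filter against the 86 optional extensions listed above and adds any that are missing. It assumes the ExchangeOnlineManagement module is installed, a session is already open with Connect-ExchangeOnline, and the policy being checked is the built-in one named Default.

```powershell
# Added example: audit the Common attachment types filter against the 86
# optional extensions listed in this post, and optionally add missing ones.
# Assumptions: ExchangeOnlineManagement module, an existing session opened
# with Connect-ExchangeOnline, and the built-in policy named 'Default'.
param(
    [string]$PolicyName = 'Default',
    [switch]$Apply   # without -Apply the script only reports
)

# The optional extensions from the list above, lower-cased.
$optional = @'
ade adp asp bas bat cer chm cmd com cpl crt csh der dll dos fxp gadget hlp
hta inf ins isp its js jse ksh lnk mad maf mag mam maq mar mas mat mau mav
maw mda mdb mde mdt mdw mdz msc msh msh1 msh1xml msh2 msh2xml mshxml msi
msp mst obj ops os2 pcd pif plg prf prg ps1 ps1xml ps2 ps2xml psc1 psc2
pst rar scf sct shb shs tmp url vb vsmacros vsw vxd w16 ws wsc wsf wsh xnk
'@ -split '\s+' | Where-Object { $_ }

$policy = Get-MalwareFilterPolicy -Identity $PolicyName

# Normalise what is already blocked; tolerate an empty FileTypes property.
$current = @(@($policy.FileTypes) | Where-Object { $_ } |
    ForEach-Object { $_.ToString().ToLower() })

# Extensions from the post that the policy does not block yet.
$missing = @($optional | Where-Object { $_ -notin $current })

# Report the current state so it can be reviewed or exported.
[pscustomobject]@{
    Policy           = $policy.Name
    FilterEnabled    = $policy.EnableFileFilter
    CurrentTypeCount = $current.Count
    MissingCount     = $missing.Count
    Missing          = $missing -join ','
}

if ($Apply -and ($missing.Count -gt 0 -or -not $policy.EnableFileFilter)) {
    # Merge rather than overwrite so types already in the policy are kept.
    $merged = @($current + $missing | Sort-Object -Unique)
    Set-MalwareFilterPolicy -Identity $PolicyName `
        -EnableFileFilter $true -FileTypes $merged
}
```

Run it without -Apply first to see which extensions are missing, then re-run with -Apply once the list has been reviewed.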