How to get mailbox forwarding rules in Microsoft 365

The first thing attackers do once they get access to a mailbox account is set up a mailbox forwarding rule that allows them to exfiltrate sensitive data to an external email address and use it for malicious purposes. So it’s essential to scan your environment and see if any rules are active and are not set up for such intentions. In this article, you will learn how to get mailbox forwarding rules in Microsoft 365 – Exchange Online with PowerShell.

Table of contents

External forwarding in Microsoft 365

The external forwarding is by default disabled in Microsoft 365, and you should keep it that way. But, if there are some reasons that external forwarding needs to be enabled, you should create an outbound policy and select the users and groups that are granted to forward external mail.

Important: Create an outbound policy that only selected users and groups are able to forward external mail.

The following types of automatic forwarding are available in Microsoft 365:

  • Users can configure Inbox rules to automatically forward messages to external senders
  • Admins can configure mailbox forwarding (also known as SMTP forwarding) to automatically forward messages to external recipients. The admin can choose whether to simply forward messages, or keep copies of forwarded messages in the mailbox.

Connect to Exchange Online PowerShell

Before you start, you have to Connect to Exchange Online PowerShell. Otherwise, the commands will not work.

Get mailbox forwarding rules for a single user

To get the mailbox forwarding rules for a single user.

Get-Mailbox "Amanda.Morgan@exoip.com" | Where { ($_.ForwardingAddress -ne $null) -or ($_.ForwardingsmtpAddress -ne $null) } | ft DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

The output will appear like this.

DisplayName   UserPrincipalName       ForwardingAddress ForwardingSmtpAddress         DeliverToMailboxAndForward
-----------   -----------------       ----------------- ---------------------         --------------------------
Amanda Morgan Amanda.Morgan@exoip.com                   smtp:external_email@gmail.com                       True

Get mailbox forwarding rule for all users

To get the mailbox forwarding rules for all users

Get-Mailbox -ResultSize Unlimited | Where { ($_.ForwardingAddress -ne $null) -or ($_.ForwardingsmtpAddress -ne $null) } | ft DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

The output will show like this.

DisplayName    UserPrincipalName        ForwardingAddress ForwardingSmtpAddress          DeliverToMailboxAndForward
-----------    -----------------        ----------------- ---------------------          --------------------------
Amanda Morgan  Amanda.Morgan@exoip.com                    smtp:Plato@gmail.com                                 True
Phil Peters    Phil.Peters@exoip.com                      smtp:Socrates@gmail.com                              True
SharedMailbox1 sharedmailbox1@exoip.com                   smtp:Jonathan.Fisher@exoip.com                       True
SharedMailbox2 sharedmailbox2@exoip.com                   smtp:Aristotle@gmail.com                            False

Mailbox forwarding PowerShell report script

It’s best to export a mailbox forwarding rules report to finish it all.

To get a report in an interactive table in a separate window, let’s use the Out-GridView cmdlet. Also, let’s export it to a CSV file in the folder path C:\temp.

# Connect Exchange Online PowerShell
Connect-ExchangeOnline

# Change the export path to your desired location
$exportPath = "C:\temp\ForwardingAddress.csv"  

# Retrieve mailboxes with forwarding addresses
$mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingAddress -ne $null -or $_.ForwardingSmtpAddress -ne $null }

# Select the desired properties for display
$mailboxProperties = $mailboxes | select DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Show the results in an Out-GridView
$mailboxProperties | Out-GridView -Title "Mailboxes with Forwarding Addresses"

# Export all the data to a CSV file
$mailboxProperties | Export-Csv -Path $exportPath -NoTypeInformation -Encoding UTF8

Write-Host "Mailbox data has been exported to $exportPath" -ForegroundColor Green

This is how it looks in the separate window.

How to get mailbox forwarding rules in Microsoft 365 Out-GridView

Let’s open the CSV file.

How to get mailbox forwarding rules in Microsoft 365 CSV export

That’s it!

Read more: Send from Alias in Office 365 »

Conclusion

You learned how to get mailbox forwarding rules with PowerShell in Microsoft 365. Always check if there are mailboxes with external forwarding set up in the organization and block the accounts if you see any suspicious activity.

Did you enjoy this article? You may also like Add tag to external emails in Microsoft 365 for extra security. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *