Final Reminder: Office 365 ATP External email forwarding controls and policy change

From Microsoft Corporation

MC221113, Plan For Change, Published date: Aug 28, 2020

Major update: Announcement

Applies To: All

As originally announced in MC218984 (July ’20), automated external email forwarding is a tactic attackers use to exfiltrate data out of an organization. To counter that, we are updating our outbound anti-spam policies. First, we are providing a control to easily enable automatic external forwarding for select people in your organization. Second, we will change the “Automatic” setting to block automatic external forwarding. Internal automatic forwarding of messages will not be impacted by this change.

On September 1st, 2020, the Auto-Forwarding Policy will be enforced for tenants who have configured their policy to “On” or “Off”. For tenants that have made no changes and have no users externally forwarding prior to September 1st, 2020, the setting “Automatic” will default to “Off” and automatic forwarding will be disabled. For organizations that have some users externally forwarding prior to September 1st, 2020, the setting “Automatic” will default to “On” and we will contact you separately when this will change for your tenant.

NOTE: No action is needed if you don’t want to allow any users to automatically forward messages externally or if no one in your tenant is currently doing so. Additionally, we understand that some organizations already have users automatically forwarding messages outside the organization and we will provide additional time and communications to enable transition to the new policy controls. For these organizations we will communicate via Message center with more details on when the change will impact your specific tenant.

Key points

  • Microsoft 365 Roadmap ID 63831
  • Timing: September 1, 2020
  • Roll-out: tenant level
  • Control type: admin control
  • Action: review and assess by August 28, 2020

How this will affect your organization

In this initial release we will provide updated controls for administrators to configure their outbound anti-spam policies, via PowerShell and the Security and Compliance Center console, but will not be enforcing the actions so that administrators have an opportunity to configure the settings first. You will be able to determine who will be allowed to automatically forward email using inbox rules, or SMTP forwarding, outside of the organization.

There is no impact on external forwarding in this update. However, automatic forwarding will be disabled based on the policy in a future update currently planned for September 1, 2020, and we will communicate via Message center. Once the policy takes effect, messages that are being automatically forwarded outside the organization will be blocked and a non-delivery report (NDR) will be sent to the user.

What you need to do to prepare

To prepare for the changes, we recommend that all administrators do the following by August 28, 2020.

  1. Use the Auto-forwarded messages report to identify which users in your tenant are automatically forwarding messages outside the organization. Focus on users with either SMTP forwarding or Inbox rules. Exchange transport rules (ETRs) are unaffected by this change.
  2. Configure the outbound spam policies to allow automatic external forwarding for either your entire organization or specific users.
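
The two steps above as an Exchange Online PowerShell sketch (an added example, not part of the original announcement). It cross-checks mailbox configuration and does not replace the Auto-forwarded messages report. It assumes an existing `Connect-ExchangeOnline` session; the policy name, rule name and approved sender are hypothetical.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an open session.
# Domains the tenant owns; any other domain counts as external.
$internal = (Get-AcceptedDomain).DomainName

function Test-External([string]$Address) {
    # Handles "smtp:user@domain" and '"Name" [SMTP:user@domain]' forms.
    if ($Address -match '@([A-Za-z0-9.-]+)') { return $internal -notcontains $Matches[1] }
    return $false   # no SMTP address present: treated as an internal recipient
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1a. SMTP forwarding configured on the mailbox itself.
#     (ForwardingAddress, which points at a recipient object, is not checked here.)
$smtp = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -and (Test-External $_.ForwardingSmtpAddress) } |
    Select-Object PrimarySmtpAddress,
        @{ n = 'Type';   e = { 'SMTP forwarding' } },
        @{ n = 'Target'; e = { $_.ForwardingSmtpAddress } }

# 1b. Inbox rules that forward or redirect outside the organization.
$rules = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
            Where-Object { $_ -and (Test-External $_) }
        if ($targets) {
            [pscustomobject]@{
                PrimarySmtpAddress = $mbx.PrimarySmtpAddress
                Type               = "Inbox rule: $($rule.Name)"
                Target             = $targets -join '; '
            }
        }
    }
}
@($smtp) + @($rules) | Format-Table -AutoSize

# 2. Allow automatic external forwarding only for reviewed senders.
$approved = 'alice@contoso.example'            # hypothetical approved sender
$name     = 'Allow external auto-forward'      # hypothetical policy/rule name
New-HostedOutboundSpamFilterPolicy -Name $name -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name $name -HostedOutboundSpamFilterPolicy $name -From $approved

# Everyone else: set the default policy explicitly instead of relying on "Automatic".
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Review the step 1 output before running step 2, since every mailbox listed there that is not covered by the allow rule will have its external forwards blocked once the policy is enforced.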

For more information, please see Configuring and controlling external email forwarding in Office 365.