Disable Client-side and OWA forwarding
When a user is compromised, one of the most common actions an attacker takes is to set up an automatic forward on the user's account. Typically the flow is:
1. The user's account is compromised.
2. The attacker adds a forward to the account so they receive company data and any replies sent to the account.
3. The attacker sends spam or spoofed emails to others in the organisation and tries to move laterally within it.
4. The attacker adds a delete rule to the mailbox so that any emails sent back to warn the user are automatically deleted, while still being forwarded to a mailbox the attacker controls.
The above is one of many flows an attack may take. Blocking all outbound forwards is a very effective security measure. There is very little reason why outbound forwards should be allowed, and the slight convenience does not outweigh the risks.
Block forwarding on the client.
O365 admin portal > EAC
1. Go to rules
2. Set the conditions: the sender is located inside the organisation, the recipient is located outside the organisation, and the message type is an auto-forward.
3. Set the action to block the message.
Block forwarding on OWA.
EAC > Remote domains
1. Go to Remote domains
2. Click Default, or your custom domain rules if you have set up any.
3. Untick Allow Automatic Forwarding
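The same two controls can be applied from Exchange Online PowerShell, which is easier to repeat across tenants and to review in change control than portal clicks. The script below is an added example and is not part of the original guide: it creates the mail flow rule from the "client" section, disables automatic forwarding on every remote domain as in the "OWA" section, and then audits mailboxes for forwards and delete rules that may already have been planted by the attack flow described above. It assumes the ExchangeOnlineManagement module is installed and that the account used holds an Exchange administrator role; the rule name and reject text are placeholders chosen for this example.

```powershell
# Added example (not from the original guide). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# --- 1. Client-side forwarding: mail flow (transport) rule ---
# Condition: sender inside the organisation, recipient outside, message type auto-forward.
# Action: reject with an NDR so the user can see that the forward was blocked.
$ruleName = 'Block external auto-forwarding'   # placeholder name for this example
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# --- 2. OWA / Outlook forwarding: remote domain setting ---
# Equivalent to unticking "Allow automatic forwarding" on the Default remote domain
# and on any custom remote domains that have been defined.
Get-RemoteDomain | ForEach-Object {
    Set-RemoteDomain -Identity $_.Identity -AutoForwardEnabled $false
}

# --- 3. Audit: find forwards an attacker may already have planted ---
# Mailbox-level forwarding (set by the user in OWA or by an admin).
$mailboxForwards = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect mail, plus rules that silently delete it
# (the "delete the warning emails" step of the attack flow).
$suspiciousRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

$mailboxForwards | Format-Table -AutoSize
$suspiciousRules | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The audit loop calls Get-InboxRule once per mailbox, so on a large tenant it will take a while; run it out of hours or scope the Get-Mailbox call to an organisational unit. Any mailbox that shows up in either table should be treated as a potential compromise and reviewed before the forward is simply removed, since the rule itself is evidence of what the attacker was collecting. Newer tenants also expose an outbound spam filter setting (Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off) that blocks automatic external forwarding tenant-wide; it complements, rather than replaces, the transport rule and remote domain settings above.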