Office 365 has allowed users to create rules to automatically forward email to external email addresses. This is useful when you want to share certain emails automatically with an external party (for example, e-mails from school being sent to your partner) or send information into another system.
But unfortunately, like many things intended for good, this can also be used for evil. Attackers who gain access to a company mailbox often set up automatic forwarding rules so that sensitive information is quietly sent on to a third party.
As a result, Microsoft is changing the default “posture” so that automatic email forwarding to external recipients is disabled. This means that users will no longer be able to automatically forward emails to an address outside their company unless an admin explicitly allows it. This change comes into effect next Tuesday (1st September).
In a few months, Microsoft will also reset the policy for any existing forwards that have not been explicitly allowed under the new rules.
We’re working with our customers that might be affected to help them identify an appropriate policy for their organisation and to put in place sensible defaults.
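To see who would be affected, an admin can list the existing external forwards before the change lands. The script below is an added example, not Microsoft's or our own tooling: it uses the standard Exchange Online PowerShell cmdlets, and the address-matching regex and the output file name are assumptions made for illustration.

```powershell
# Added example: audit automatic forwarding to external addresses.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Domains the tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress([string]$Address) {
    # Heuristic (assumption): pull the domain out of values such as
    # 'smtp:user@example.com' or '"Name" [SMTP:user@example.com]'.
    # Internal recipients stored as EX: paths have no '@' and return $false.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return $internalDomains -notcontains $Matches[1]
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Forwarding configured on the mailbox itself.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Source  = 'Mailbox forwarding'
            Rule    = ''
            Target  = $mbx.ForwardingSmtpAddress
        }
    }
    # 2. Inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets | Where-Object { $_ -and (Test-ExternalAddress $_) }) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Source  = 'Inbox rule'
                Rule    = $rule.Name
                Target  = $t
            }
        }
    }
}

# Review this list with mailbox owners: expected forwards need an explicit
# allow policy, unexpected ones should be treated as a possible compromise.
$findings | Export-Csv -Path .\external-forwards.csv -NoTypeInformation

# Current tenant setting for outbound auto-forwarding (Automatic, On or Off).
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

Mailboxes that forward through `ForwardingAddress` to a mail contact are not covered by this script and need a separate check of the contact's external address.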
You can read more about the planned change on the Microsoft 365 Roadmap.