Automatic Email Forwarding Blocked

💼 Management Summary

Blocking automatic email forwarding to external addresses prevents data exfiltration through forwarding rules created by attackers or insiders.

Recommendation
IMPLEMENT
Risk without
High
Risk Score
8/10
Implementation
4h (technical: 2h)
Applies to:
M365
Exchange Online

Email forwarding is a popular data exfiltration technique: an attacker holding compromised mailbox credentials creates a forwarding rule to an external address, every message (including all future mail) is forwarded to the attacker automatically, and the rule stays active until someone detects it by hand. Because inbox rules are stored in the mailbox, they survive a password reset and an MFA enrolment, which is why Business Email Compromise attacks use forwarding for persistent access. Insider threats use the same mechanism to send company data to a personal mailbox.

PowerShell Modules Required
Primary API: Exchange Online PowerShell
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementatie

Block automatic forwarding to external domains via the outbound spam policy or via an Exchange transport rule. Configuration: Outbound spam policy → Automatic forwarding rules → Block automatic forwarding (AutoForwardingMode Off). Users can still create an inbox rule or set mailbox forwarding to an external address, but the auto-forwarded copy is rejected and the user receives a non-delivery report, so test delivery rather than rule creation. Internal forwarding (within the tenant) and manual forwarding (the user clicks Forward) remain allowed. Set up an exception process with approval for legitimate business needs. With the policy approach the exception is a custom outbound spam policy with automatic forwarding On, applied only to the approved senders; a transport rule cannot override the policy-level block. With the transport-rule approach, add the approved senders as exceptions on the rule.
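The policy approach end to end, as an added example that is not the baseline's own mail-forwarding-blocked.ps1 script: the weak setting beside the hardened one, an exception scoped to a single approved sender, and a check that runs against constructed policy objects offline and against live cmdlet output once connected. The policy and rule names and the address partner-relay@contoso.example are assumptions for illustration.

```powershell
# Added example (not the baseline's own script). Evaluates outbound spam policies
# (Get-HostedOutboundSpamFilterPolicy output) and the rules that scope them
# (Get-HostedOutboundSpamFilterRule output), or constructed equivalents.
# Compliant means: the default policy is explicitly Off, and every custom policy
# that allows forwarding is bound to a rule limited to specific senders.
function Test-AutoForwardPolicyCompliance {
    param(
        [Parameter(Mandatory)][object[]]$Policies,
        [object[]]$Rules = @()
    )
    $issues  = @()
    $default = $Policies | Where-Object { $_.IsDefault -or $_.Name -eq 'Default' } | Select-Object -First 1
    if (-not $default) {
        $issues += 'No default outbound spam policy found'
    } elseif ("$($default.AutoForwardingMode)" -ne 'Off') {
        # 'Automatic' currently resolves to Off on Microsoft's side, but it is
        # Microsoft-controlled; the baseline wants the explicit setting.
        $issues += "Default policy AutoForwardingMode is '$($default.AutoForwardingMode)', expected 'Off'"
    }
    foreach ($policy in ($Policies | Where-Object { $_.Name -ne $default.Name -and "$($_.AutoForwardingMode)" -ne 'Off' })) {
        $rule = $Rules | Where-Object { $_.HostedOutboundSpamFilterPolicy -eq $policy.Name } | Select-Object -First 1
        if (-not $rule) {
            $issues += "Policy '$($policy.Name)' allows forwarding but no rule binds it to specific senders"
            continue
        }
        # A rule with no From / FromMemberOf condition re-enables forwarding tenant-wide
        $senders = @($rule.From | Where-Object { $_ }) + @($rule.FromMemberOf | Where-Object { $_ })
        if ($senders.Count -eq 0) {
            $issues += "Policy '$($policy.Name)' allows forwarding for all senders (rule '$($rule.Name)' is unscoped)"
        }
    }
    [pscustomobject]@{ IsCompliant = ($issues.Count -eq 0); Issues = $issues }
}

# --- Constructed objects standing in for live cmdlet output (assumptions) ---
# Weak: the tenant still relies on the Microsoft-controlled default.
$weak = @([pscustomobject]@{ Name = 'Default'; IsDefault = $true; AutoForwardingMode = 'Automatic' })

# Hardened: default Off, plus one custom policy that re-enables forwarding only
# for an approved sender (the exception process described in the text).
$hardened = @(
    [pscustomobject]@{ Name = 'Default'; IsDefault = $true;  AutoForwardingMode = 'Off' },
    [pscustomobject]@{ Name = 'Approved external auto-forward'; IsDefault = $false; AutoForwardingMode = 'On' }
)
$hardenedRules = @(
    [pscustomobject]@{
        Name                           = 'Approved external auto-forward'
        HostedOutboundSpamFilterPolicy = 'Approved external auto-forward'
        From                           = @('partner-relay@contoso.example')
        FromMemberOf                   = @()
    }
)

Test-AutoForwardPolicyCompliance -Policies $weak
Test-AutoForwardPolicyCompliance -Policies $hardened -Rules $hardenedRules

# --- Applying the hardened state to a real tenant (after Connect-ExchangeOnline) ---
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# New-HostedOutboundSpamFilterPolicy -Name 'Approved external auto-forward' -AutoForwardingMode On
# New-HostedOutboundSpamFilterRule -Name 'Approved external auto-forward' `
#     -HostedOutboundSpamFilterPolicy 'Approved external auto-forward' `
#     -From 'partner-relay@contoso.example'
# Custom rules take precedence over the default policy, so the approved sender
# may auto-forward while everyone else is rejected with a non-delivery report.
#
# Transport-rule alternative carrying the same exception:
# New-TransportRule -Name 'Block Auto-Forward to External' -FromScope InOrganization `
#     -SentToScope NotInOrganization -MessageTypeMatches AutoForward `
#     -ExceptIfFrom 'partner-relay@contoso.example' `
#     -RejectMessageReasonText 'Automatic forwarding to external addresses is blocked.'
#
# Live check:
# Test-AutoForwardPolicyCompliance -Policies (Get-HostedOutboundSpamFilterPolicy) `
#                                  -Rules (Get-HostedOutboundSpamFilterRule)
```

Run against the constructed objects, the weak set reports non-compliant (default policy not explicitly Off) and the hardened set reports compliant. The check deliberately flags a custom "On" policy that has no sender condition, because such a policy silently re-opens forwarding for the whole tenant.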

Requirements

  1. Exchange Online subscription
  2. Exchange Administrator rights
  3. ExchangeOnlineManagement PowerShell module
  4. Exception approval process

Implementation

  1. Connect-ExchangeOnline
  2. Get-HostedOutboundSpamFilterPolicy | Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off
  3. Alternative: create a transport rule that blocks external auto-forwarding (message type AutoForward, recipient outside the organization, action: reject)
  4. Test: a test user creates a forwarding rule to an external address and a message is sent to that user → the forwarded copy must be blocked and the user must receive a non-delivery report (the rule itself can still be created, so test delivery, not rule creation)
  5. Create an exception process: approved forwarding via a custom outbound spam policy with AutoForwardingMode On applied to specific senders, or via exceptions on the transport rule
  6. Monitor: detect existing forwarding, both inbox rules (Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress }) and mailbox-level forwarding, which Get-InboxRule does not show (Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress })
  7. Cleanup: remove unauthorised existing forwarding rules (Remove-InboxRule) and clear ForwardingSmtpAddress on affected mailboxes (Set-Mailbox)
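Steps 6 and 7 worked through, as an added example that is not the baseline's own script. It inventories every form of external auto-forwarding, both inbox rules (ForwardTo, ForwardAsAttachmentTo, RedirectTo) and mailbox-level forwarding (ForwardingSmtpAddress), classifies each target against the tenant's accepted domains and an approved-exception list, and shows the cleanup commands. The sample mailboxes, rules, the accepted domain contoso.example and the approved target are constructed for illustration; the live section at the end wires the same function to real cmdlet output.

```powershell
# Added example (not the baseline's own script). All sample data below is constructed.

function ConvertTo-SmtpAddress {
    # Inbox rule recipients render as '"Name" [SMTP:user@domain]';
    # the mailbox property ForwardingSmtpAddress renders as 'smtp:user@domain'.
    param([string]$Recipient)
    if ($Recipient -match '\[SMTP:([^\]]+)\]') { return $Matches[1].Trim().ToLowerInvariant() }
    return ($Recipient -replace '^smtp:', '').Trim().ToLowerInvariant()
}

function New-ForwardingFinding {
    param($Mailbox, $Source, $Rule, $RuleId, $Target, [string[]]$AcceptedDomains, [string[]]$ApprovedTargets)
    $domain = ($Target -split '@')[-1]
    if ($AcceptedDomains -contains $domain) { return $null }   # internal forwarding is allowed
    [pscustomobject]@{
        Mailbox  = "$Mailbox"
        Source   = $Source
        Rule     = $Rule
        RuleId   = $RuleId
        Target   = $Target
        Approved = ($ApprovedTargets -contains $Target)
    }
}

function Get-ExternalForwardingFindings {
    param(
        [Parameter(Mandatory)][object[]]$Mailboxes,        # Get-Mailbox output or equivalents
        [object[]]$InboxRules = @(),                       # Get-InboxRule output or equivalents
        [Parameter(Mandatory)][string[]]$AcceptedDomains,  # tenant domains, lower-case
        [string[]]$ApprovedTargets = @()                   # addresses covered by an approved exception
    )
    $findings = @()
    foreach ($mbx in $Mailboxes) {
        # ForwardingAddress (forwarding to an internal recipient, possibly a mail
        # contact with an external address) is not covered here; review it separately.
        if ($mbx.ForwardingSmtpAddress) {
            $target = ConvertTo-SmtpAddress "$($mbx.ForwardingSmtpAddress)"
            $f = New-ForwardingFinding $mbx.PrimarySmtpAddress 'MailboxForwarding' $null $null $target $AcceptedDomains $ApprovedTargets
            if ($f) { $findings += $f }
        }
    }
    foreach ($rule in $InboxRules) {
        if (-not $rule.Enabled) { continue }
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($recipient in $recipients) {
            $target = ConvertTo-SmtpAddress "$recipient"
            $f = New-ForwardingFinding $rule.MailboxOwnerId 'InboxRule' $rule.Name $rule.Identity $target $AcceptedDomains $ApprovedTargets
            if ($f) { $findings += $f }
        }
    }
    return $findings
}

# --- Constructed sample data (stands in for live cmdlet output) ---
$domains   = @('contoso.example', 'contoso.onmicrosoft.example')
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example'; ForwardingSmtpAddress = 'smtp:alice.home@mail.example'; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example';   ForwardingSmtpAddress = $null;                           DeliverToMailboxAndForward = $false }
)
$inboxRules = @(
    # Short, meaningless rule names such as '.' are typical of attacker-created rules
    [pscustomobject]@{ MailboxOwnerId = 'bob@contoso.example';   Identity = 'bob\1';   Name = '.';               Enabled = $true;  ForwardTo = @('drop [SMTP:drop@attacker.example]');      ForwardAsAttachmentTo = @(); RedirectTo = @() }
    [pscustomobject]@{ MailboxOwnerId = 'bob@contoso.example';   Identity = 'bob\2';   Name = 'Finance copy';    Enabled = $true;  ForwardTo = @('"Finance" [SMTP:finance@contoso.example]'); ForwardAsAttachmentTo = @(); RedirectTo = @() }
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.example'; Identity = 'alice\1'; Name = 'Old partner sync'; Enabled = $false; ForwardTo = @('[SMTP:old@partner.example]');               ForwardAsAttachmentTo = @(); RedirectTo = @() }
)

$findings = Get-ExternalForwardingFindings -Mailboxes $mailboxes -InboxRules $inboxRules `
    -AcceptedDomains $domains -ApprovedTargets @('alice.home@mail.example')
$findings | Format-Table Mailbox, Source, Rule, Target, Approved -AutoSize

# --- Live run and cleanup (after Connect-ExchangeOnline) ---
# $domains   = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() }
# $mailboxes = Get-Mailbox -ResultSize Unlimited
# $rules     = $mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress.ToString() }
# $findings  = Get-ExternalForwardingFindings -Mailboxes $mailboxes -InboxRules $rules -AcceptedDomains $domains -ApprovedTargets $approved
# foreach ($f in ($findings | Where-Object { -not $_.Approved })) {
#     if ($f.Source -eq 'InboxRule') {
#         Remove-InboxRule -Identity $f.RuleId -Confirm:$false
#     } else {
#         Set-Mailbox -Identity $f.Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
#     }
# }
```

On the constructed data the function returns two findings: Alice's mailbox-level forward to alice.home@mail.example (external, marked Approved because it is on the exception list) and Bob's enabled rule "." forwarding to drop@attacker.example (external, not approved). The internal "Finance copy" rule and the disabled partner rule produce no finding. Keep the inventory running after the block is in place: the policy stops delivery, but the rules themselves remain in the mailbox and are the evidence that an account was compromised.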

Compliance and Auditing

  1. CIS M365 - control 2.1.1 (Block email forwarding)
  2. BIO 13.02 (Email security)
  3. ISO 27001 A.13.2.1 (Email policies; 2013 Annex A numbering, control 5.14 Information transfer in the 2022 edition)
  4. NIS2 Article 21
  5. GDPR Article 32 (Prevent data exfiltration)

Monitoring

Use the PowerShell script mail-forwarding-blocked.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script mail-forwarding-blocked.ps1 (function Invoke-Remediation) – Remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for monitoring (-Monitoring) and remediation (-Remediation), plus -Revert to remove the rule again; -WhatIf previews the change without applying it.

PowerShell
<#
.SYNOPSIS
    Automatic Mail Forwarding Blocked
.DESCRIPTION
    Blocks automatic email forwarding to external domains to prevent data exfiltration.
    Users should not be able to auto-forward company emails externally.
.NOTES
    Filename: mail-forwarding-blocked.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\mail-forwarding-blocked.ps1 -Monitoring
    Check if auto-forward blocking is configured
.EXAMPLE
    .\mail-forwarding-blocked.ps1 -Remediation
    Create transport rule to block auto-forwarding
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,

    [Parameter(Mandatory = $false)]
    [switch]$Remediation,

    [Parameter(Mandatory = $false)]
    [switch]$Revert,

    # Passed through to New-/Remove-TransportRule so a change can be previewed
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

# Single rule name shared by monitoring, remediation and revert
$RuleName = 'Block Auto-Forward to External - NL Baseline'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Mail Forwarding Blocked" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks whether auto-forwarding is blocked, either by the default outbound
        spam policy (AutoForwardingMode Off) or by an enabled transport rule
    #>
    try {
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        Write-Host "Checking outbound spam policy..." -ForegroundColor Gray
        $policies     = @(Get-HostedOutboundSpamFilterPolicy)
        $default      = $policies | Where-Object { $_.IsDefault } | Select-Object -First 1
        $policyBlocks = $default -and ("$($default.AutoForwardingMode)" -eq 'Off')
        foreach ($policy in $policies) {
            $color = if ("$($policy.AutoForwardingMode)" -eq 'Off') { 'Green' } else { 'Yellow' }
            Write-Host "   • $($policy.Name): AutoForwardingMode = $($policy.AutoForwardingMode)" -ForegroundColor $color
        }

        Write-Host "Checking for auto-forward blocking rules..." -ForegroundColor Gray
        # @() keeps .Count reliable whether zero, one or many rules come back
        $rules = @(Get-TransportRule | Where-Object {
            $_.SentToScope -eq 'NotInOrganization' -and
            $_.MessageTypeMatches -eq 'AutoForward' -and
            $_.State -eq 'Enabled'
        })

        $result = @{
            isCompliant   = ($policyBlocks -or $rules.Count -gt 0)
            policyBlocks  = [bool]$policyBlocks
            blockingRules = $rules.Count
            ruleNames     = @()
        }

        if ($rules.Count -gt 0) {
            Write-Host "   [OK] Auto-Forward Blocking Rules: $($rules.Count)" -ForegroundColor Green
            foreach ($rule in $rules) {
                Write-Host "   • $($rule.Name)" -ForegroundColor Gray
                Write-Host "     State: $($rule.State)" -ForegroundColor Cyan
                Write-Host "     Action: $($rule.RejectMessageReasonText)" -ForegroundColor Cyan
                $result.ruleNames += $rule.Name
            }
        } else {
            Write-Host "   [INFO] No enabled auto-forward blocking transport rules found" -ForegroundColor Gray
        }

        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Auto-forwarding is blocked" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Auto-forwarding not blocked!" -ForegroundColor Red
            Write-Host "   Data exfiltration risk - users can forward emails externally" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Creates transport rule to block auto-forwarding
    #>
    try {
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        Write-Host "Checking for existing rules..." -ForegroundColor Gray
        $existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
        if ($existing) {
            Write-Host "   [OK] Auto-forward blocking rule already exists" -ForegroundColor Green
            exit 0
        }

        Write-Host "Creating auto-forward blocking rule..." -ForegroundColor Gray
        $ruleParams = @{
            Name                    = $RuleName
            SentToScope             = 'NotInOrganization'
            MessageTypeMatches      = 'AutoForward'
            RejectMessageReasonText = 'Automatic forwarding to external addresses is blocked for security reasons. Contact IT if you need an exception.'
            Comments                = 'Nederlandse Baseline voor Veilige Cloud - Prevents data exfiltration via auto-forwarding'
            WhatIf                  = $WhatIf
        }
        New-TransportRule @ruleParams -ErrorAction Stop

        Write-Host "`n[OK] Auto-forward blocking rule created" -ForegroundColor Green
        Write-Host "`nWhat this blocks:" -ForegroundColor Cyan
        Write-Host "   • Inbox rules forwarding to external addresses" -ForegroundColor Gray
        Write-Host "   • Client-side forwarding rules" -ForegroundColor Gray
        Write-Host "   • Automatic forwards set by users" -ForegroundColor Gray
        Write-Host "`nWhat this allows:" -ForegroundColor Cyan
        Write-Host "   • Manual forwarding (user clicks Forward)" -ForegroundColor Gray
        Write-Host "   • Internal forwarding (within organization)" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    <#
    .SYNOPSIS
        Removes auto-forward blocking rule
    #>
    try {
        Write-Host "⚠️  WARNING: Removing this rule allows data exfiltration!" -ForegroundColor Yellow
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        $rule = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
        if ($rule) {
            Remove-TransportRule -Identity $rule.Identity -Confirm:$false -WhatIf:$WhatIf -ErrorAction Stop
            Write-Host "   ⚠️  Auto-forward blocking rule removed" -ForegroundColor Yellow
        } else {
            Write-Host "   Rule not found" -ForegroundColor Gray
        }
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) {
        Invoke-Revert
    } elseif ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } else {
        Write-Host "Usage:" -ForegroundColor Yellow
        Write-Host "   -Monitoring    Check for blocking policy or rules" -ForegroundColor Gray
        Write-Host "   -Remediation   Create blocking rule" -ForegroundColor Gray
        Write-Host "   -Revert        Remove blocking rule (NOT RECOMMENDED!)" -ForegroundColor Red
        Write-Host "   -WhatIf        Preview the change without applying it" -ForegroundColor Gray
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

High - Data exfiltration via email forwarding rules: all email (current and future) is forwarded to the attacker. BEC attacks use this for persistent access. Insider threats send company data to personal email. A silent data leak that goes undetected.

Management Summary

Block automatic email forwarding to external addresses. This prevents data exfiltration via forwarding rules. Configure via the outbound spam policy. Meets CIS 2.1.1 L1, BIO 13.02, GDPR 32. Setup: 2h.