Exchange Online: Blocking Auto-Forward Messages to External Recipients

Background:

Every now and then, we are asked: "How do we prevent internal messages from being Auto-Forwarded to external recipients?" The conversation that follows usually has us reviewing a transport rule, or one of several other creative methods, that fails to stop forwarding externally.

The "catch" with Auto-Forwarded messages is that you need to focus on the destination of the Auto-Forward message, in this case the external recipient we're trying to prevent from receiving our email, rather than the source. The user with the Auto-Forward configured is not considered the "sender" of the forwarded message in the transport layer. That configuration just instructs Transport on how and where to deliver a copy of each message sent to that user before it even touches their mailbox. When you scope the rule to the original intended recipient or sender, the rule will not behave as intended, because it fails to address the origin or the destination of the Auto-Forwarded message and often wrongly assumes that the intended recipient is also the source of the message.

As a result of this common confusion, below are the methods that I would use for testing and implementing this restriction in my own environment. If enough people want a deeper dive into the supporting technology, let me know in the comments and I can revise this.

Scoped Method:

Prior to implementing a global change in production, it's wise to scope it to test users initially to verify that it works as desired. Below is how to properly scope the rules.

1. Create New Rule

2. *Apply this rule if...

  • The sender is located... "Inside the organization"
  • The recipient is located... Put the external destination's email address or define their Contact in this field
  • The message type is... "Auto-Forward"

3. Choose your desired action (NDR, forward, etc.). I chose to reject the message with an explanation.

Global Method:

Once you're sure that this rule is acting as expected on Auto-Forward messages destined for external recipients, you can implement it in production by doing the following.

1. Create New Rule

2. *Apply this rule if...

  • The sender is located... "Inside the organization"
  • The recipient is located... "Outside the organization"
  • The message type is... "Auto-Forward"

3. Choose your desired action (NDR, forward, etc.). I chose to reject the message with an explanation.
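
The same two rules can be built from Exchange Online PowerShell. This is an added example, not part of the original post. It assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session; the rule names, test address, reject text and the helper function Set-AutoForwardBlockRule are constructed for illustration.

```powershell
# Added example: scoped and global auto-forward block rules.
# Assumes an active Connect-ExchangeOnline session with rights to manage transport rules.
$TestDestination = 'forward-target@example.net'   # constructed placeholder: the external test recipient
$RejectText      = 'Auto-forwarding to external recipients is not permitted.'   # constructed wording

# Hypothetical helper: creates the rule, or updates it in place if it already exists.
function Set-AutoForwardBlockRule {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $RecipientCondition,
        [bool] $Enabled = $true
    )
    # Conditions shared by both methods: internal sender, Auto-Forward message type, reject with NDR.
    $settings = @{
        FromScope                       = 'InOrganization'
        MessageTypeMatches              = 'AutoForward'
        RejectMessageReasonText         = $RejectText
        RejectMessageEnhancedStatusCode = '5.7.1'
    } + $RecipientCondition

    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Set-TransportRule -Identity $Name @settings
    }
    else {
        New-TransportRule -Name $Name -Enabled $Enabled -Mode Enforce @settings
    }
}

# Scoped Method: only Auto-Forwards addressed to the one external test destination
# (its address, or the Contact defined for it) are rejected.
Set-AutoForwardBlockRule -Name 'TEST - Block external auto-forward' `
    -RecipientCondition @{ SentTo = $TestDestination }

# Global Method: any recipient outside the organization. Created disabled so it
# does nothing until the scoped rule has been verified with the test users.
Set-AutoForwardBlockRule -Name 'Block external auto-forward' `
    -RecipientCondition @{ SentToScope = 'NotInOrganization' } -Enabled $false

# Review what is now in place.
Get-TransportRule |
    Where-Object { $_.MessageTypeMatches -eq 'AutoForward' } |
    Format-Table Name, State, Mode, FromScope, SentToScope, SentTo
```

Once the scoped rule rejects the test forward as expected, `Enable-TransportRule 'Block external auto-forward'` turns on the global rule and the test rule can be removed.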

 

I hope this helps

-Mitchel