Using VitalSigns to Audit Office 365 Mail Forwarding Rules

VitalSigns offers a feature called Office 365 Mailboxes & Users which offers several different ways of viewing information about how mail is used in your O365 tenant. One common concern shared by many organizations is the multitude of ways that end users can automatically forward their mail to external email addresses. Sometimes forwarding makes perfect sense, such as when a support@ email is forwarded to a ticketing system but other times such forwarding could represents an unauthorized distribution of proprietary information.

O365 offers three ways to forward email:

1) forwardingSMTPAddress property

Set in OWA by selecting Options – Mail – Accounts – Forwarding or via PowerShell.

2) Inbox and sweep rules

Set in OWA by selecting Options – Mail – Inbox and sweep rules or in Outlook by selecting File – Manage Rules & Alerts

3) forwardingAddress property

Set via the O365 EAC Recipients – Mailboxes – Mailbox features – Delivery Options

Office 365 Mailboxes & Users Page

In the Office 365 Mailboxes & Users page, Mailboxes tab VitalSigns displays a grid populated with all the key attributes of all the mailboxes in your tenant. Among these attributes is all the ways that end users can forward their mail and what the current values are. In this way you can very easily identify which mailboxes are forwarding mail, where the forwarded mail is going, and what method of forwarding was used to to set it up.

Don’t get caught surprised when your Corporate Compliance/Security Officer asks you about mail forwarding– use VitalSigns in advance to make sure nothing critical is leaking out of your organization!

Office 365 mailboxes & users

If you do find something that seems out of place, you can easily disable it right within VitalSigns by selecting the appropriate PowerScript – no additional credentials or PowerShell scripting knowledge required. This mailbox action will be written to the VitalSigns PowerScripts log and is fully auditable after the fact.


Office 365 PowerShell Commands

For more information on VitalSigns Office 365 monitoring contact or view our documentation: Office 365 Monitoring


Leave a Reply