Skip to main content

The first thing attackers do once they get access to a mailbox account is set up a mailbox forwarding rule that allows them to exfiltrate sensitive data to an external email address and use it for malicious purposes. So it’s essential to scan your environment and see if any rules are active and are not set up for such intentions. In this article, you will learn how to get mailbox forwarding rules in Microsoft 365 – Exchange Online with PowerShell.

External forwarding in Microsoft 365

The external forwarding is by default disabled in Microsoft 365, and you should keep it that way. But, if there are some reasons that external forwarding needs to be enabled, you should create an outbound policy and select the users and groups that are granted to forward external mail.

Important: Create an outbound policy that only selected users and groups are able to forward external mail.

The following types of automatic forwarding are available in Microsoft 365:

  • Users can configure Inbox rules to automatically forward messages to external senders
  • Admins can configure mailbox forwarding (also known as SMTP forwarding) to automatically forward messages to external recipients. The admin can choose whether to simply forward messages, or keep copies of forwarded messages in the mailbox.

Connect to Exchange Online PowerShell

Before you start, you have to Connect to Exchange Online PowerShell. Otherwise, the commands will not work.

Get mailbox forwarding rules for a single user

To get the mailbox forwarding rules for a single user.

Get-Mailbox "Amanda.Morgan@exoip.com" | Where { ($_.ForwardingAddress -ne $null) -or ($_.ForwardingsmtpAddress -ne $null) } | ft DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

The output will appear like this.

DisplayName   UserPrincipalName       ForwardingAddress ForwardingSmtpAddress         DeliverToMailboxAndForward
-----------   -----------------       ----------------- ---------------------         --------------------------
Amanda Morgan Amanda.Morgan@exoip.com                   smtp:external_email@gmail.com                       True

Get mailbox forwarding rule for all users

To get the mailbox forwarding rules for all users

Get-Mailbox -ResultSize Unlimited | Where { ($_.ForwardingAddress -ne $null) -or ($_.ForwardingsmtpAddress -ne $null) } | ft DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

The output will show like this.

DisplayName    UserPrincipalName        ForwardingAddress ForwardingSmtpAddress          DeliverToMailboxAndForward
-----------    -----------------        ----------------- ---------------------          --------------------------
Amanda Morgan  Amanda.Morgan@exoip.com                    smtp:Plato@gmail.com                                 True
Phil Peters    Phil.Peters@exoip.com                      smtp:Socrates@gmail.com                              True
SharedMailbox1 sharedmailbox1@exoip.com                   smtp:Jonathan.Fisher@exoip.com                       True
SharedMailbox2 sharedmailbox2@exoip.com                   smtp:Aristotle@gmail.com                            False

Mailbox forwarding PowerShell report script

It’s best to export a mailbox forwarding rules report to finish it all.

To get a report in an interactive table in a separate window, let’s use the Out-GridView cmdlet. Also, let’s export it to a CSV file in the folder path C:\temp.

# Connect Exchange Online PowerShell
Connect-ExchangeOnline

# Change the export path to your desired location
$exportPath = "C:\temp\ForwardingAddress.csv"  

# Retrieve mailboxes with forwarding addresses
$mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingAddress -ne $null -or $_.ForwardingSmtpAddress -ne $null }

# Select the desired properties for display
$mailboxProperties = $mailboxes | select DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Show the results in an Out-GridView
$mailboxProperties | Out-GridView -Title "Mailboxes with Forwarding Addresses"

# Export all the data to a CSV file
$mailboxProperties | Export-Csv -Path $exportPath -NoTypeInformation -Encoding UTF8

Write-Host "Mailbox data has been exported to $exportPath" -ForegroundColor Green

This is how it looks in the separate window.

How to get mailbox forwarding rules in Microsoft 365 Out-GridView

Let’s open the CSV file.

How to get mailbox forwarding rules in Microsoft 365 CSV export

That’s it!

Leave a Reply