Check your AutoForwards

We’re seeing an increase in phishing attempts that steal credentials and then use them to exfiltrate data from Exchange, on-premises or Office 365, via AutoForward configured either at the mailbox level or in a rule.

Unless you’ve got a good reason to forward to external email addresses, we’d recommend disabling it altogether, with something along the lines of:

Set-RemoteDomain Default -AutoForwardEnabled $false

If you want to check which AutoForwards you currently have, look at the following:

  1. AutoForward at a Mailbox Level – Run the following Exchange console command
    Get-Mailbox -ResultSize Unlimited -Filter { ForwardingAddress -like '*' } | Select-Object Name,ForwardingAddress

    Update 2018-05-21: Expanded to include both forwarding addresses

    Get-Mailbox -ResultSize Unlimited -Filter {Name -notlike 'DiscoverySearchMailbox*' -and (ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null)} | Select-Object Name,*forward*
  2. Forward To Rules on mailboxes
    foreach ($i in (Get-Mailbox -ResultSize Unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | Where-Object {$_.ForwardTo} | Format-List MailboxOwnerID,Name,ForwardTo >> Forward_Rule.txt }
  3. Redirect To Rules on mailboxes
    foreach ($i in (Get-Mailbox -ResultSize Unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | Where-Object {$_.RedirectTo} | Format-List MailboxOwnerID,Name,RedirectTo >> Redirect_Rule.txt }
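
The three checks above can be combined into one report that also marks which targets are external. This is an added example, not part of the original post: it goes beyond the commands above by also reading the ForwardAsAttachmentTo rule action, it assumes "internal" means a domain returned by Get-AcceptedDomain, and the helper names and the Forwarding_Audit.csv file name are hypothetical.

```powershell
# Added example: single-pass forwarding audit (helper names and output file are hypothetical).
# Assumption: any domain listed by Get-AcceptedDomain counts as internal.
# Wildcard accepted domains (*.example.com) are not expanded here.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Get-SmtpDomain([string]$Value) {
    # Rule recipients render as '"Name" [SMTP:user@example.com]';
    # ForwardingSmtpAddress renders as 'smtp:user@example.com'.
    if ($Value -match '(?i)smtp:[^@\]\s]+@([^\]\s]+)') { return $Matches[1].ToLower() }
    return $null   # directory (EX:) recipients expose no SMTP address in this string
}

function New-Finding($Mailbox, $Source, $RuleName, $Target) {
    $domain = Get-SmtpDomain $Target
    [pscustomobject]@{
        Mailbox  = "$Mailbox"
        Source   = $Source
        RuleName = $RuleName
        Target   = "$Target"
        # 'Unresolved' = directory object (e.g. a mail contact); check its address by hand.
        External = if ($domain) { $internal -notcontains $domain } else { 'Unresolved' }
    }
}

$findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Mailbox-level forwarding (both attributes from step 1).
    if ($mbx.ForwardingSmtpAddress) {
        New-Finding $mbx.PrimarySmtpAddress 'ForwardingSmtpAddress' $null $mbx.ForwardingSmtpAddress
    }
    if ($mbx.ForwardingAddress) {
        New-Finding $mbx.PrimarySmtpAddress 'ForwardingAddress' $null $mbx.ForwardingAddress
    }
    # Rule-level forwarding (steps 2 and 3, plus forward-as-attachment).
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.DistinguishedName)) {
        foreach ($prop in 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') {
            foreach ($target in $rule.$prop) {
                New-Finding $mbx.PrimarySmtpAddress $prop $rule.Name $target
            }
        }
    }
}

# External and unresolved targets sort to the top of the report.
$findings | Sort-Object @{ Expression = { "$($_.External)" -eq 'False' } }, Mailbox |
    Export-Csv -Path .\Forwarding_Audit.csv -NoTypeInformation
```

Rows marked `True` or `Unresolved` in the External column are the ones to review first.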