Microsoft is rolling out more Microsoft 365 settings that are secure by default. You need to assess some of these settings for their impact on your business processes.
One of the new Microsoft 365 defaults has to do with email forwarding. As of September 1, Microsoft has changed the defaults on Microsoft 365 ATP external email forwarding controls. Messages that are automatically forwarded outside the organization will be blocked and a non-delivery report (NDR) will be sent to the user.
Attackers know that if they wiggle into a desktop and gain a toehold in Outlook, they can run PowerShell scripts to set up hidden rules to forward emails. I’ve seen a recent attack via email that changed the reply-to address to be someone outside of the organization, redirecting the response to the attacker.
Run the Auto-forwarded messages report to identify which users in your tenant are automatically forwarding messages outside the organization. Then focus on the users with either SMTP forwarding or Inbox rules and plan accordingly. Exchange transport rules (ETRs) are unaffected by this change. Next, configure the outbound spam policies to allow automatic external forwarding for either your entire organization or specific users. This change does not affect internal automatic message forwarding.
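The same assessment can be scripted from Exchange Online PowerShell, as an added example that is not part of the original article: it lists mailboxes with SMTP forwarding or enabled inbox rules pointing outside your accepted domains, then shows the AutoForwardingMode setting on the outbound spam policies that the new default corresponds to. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the policy name and user address in the trailing comments are placeholders.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and an existing Connect-ExchangeOnline session as an Exchange administrator.

# Accepted domains are internal; any other destination domain counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-IsExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    # Recipient strings look like 'smtp:user@domain' or '"Name" [SMTP:user@domain]'.
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    return ($internalDomains -notcontains $Address.Split('@')[-1])
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1. SMTP forwarding configured on the mailbox itself.
$smtpForwarders = $mailboxes |
    Where-Object { Test-IsExternalAddress $_.ForwardingSmtpAddress } |
    ForEach-Object {
        [pscustomobject]@{ Mailbox = $_.UserPrincipalName; Source = 'SMTP forwarding'
                           Rule = '-'; Target = $_.ForwardingSmtpAddress }
    }

# 2. Enabled inbox rules that forward or redirect to an external address.
$ruleForwarders = foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in ($rules | Where-Object { $_.Enabled })) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            ForEach-Object { [string]$_ } | Where-Object { Test-IsExternalAddress $_ }
        if ($targets) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Inbox rule'
                               Rule = $rule.Name; Target = ($targets -join '; ') }
        }
    }
}

@($smtpForwarders) + @($ruleForwarders) | Where-Object { $_ } | Format-Table -AutoSize

# 3. The tenant-wide control: AutoForwardingMode 'Off' blocks external auto-forwarding
#    with an NDR, 'On' allows it, and 'Automatic' (the default) now behaves like 'Off'.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# To keep forwarding for specific users, scope a separate policy to them instead of
# loosening the default (the address is a placeholder):
# New-HostedOutboundSpamFilterPolicy -Name 'AllowExternalForwarding' -AutoForwardingMode On
# New-HostedOutboundSpamFilterRule -Name 'AllowExternalForwarding' `
#     -HostedOutboundSpamFilterPolicy 'AllowExternalForwarding' -From 'user1@contoso.example'
```

Enumerating inbox rules runs one Get-InboxRule call per mailbox, so in a large tenant expect it to take a while; the built-in report remains the quicker first pass, with this script as the detailed follow-up.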
If you have external forwarding in place, or plan to set it up, it will now be blocked by default. If you require this feature, you will need to take action to keep it working.