CISA.MS.EXO.1.1 - Automatic forwarding to external domains SHALL be disabled.
Overview
Automatic forwarding to external domains SHALL be disabled.
Rationale: Adversaries can use automatic forwarding to gain persistent access to a victim's email. Disabling forwarding to external domains prevents this technique when the adversary is external to the organization but does not impede legitimate internal forwarding.
Remediation action:
To disable automatic forwarding to external domains:
1. Sign in to the Exchange admin center.
2. Select Mail flow, then Remote domains.
3. Select Default.
4. Under Email reply types, select Edit reply types.
5. Clear the checkbox next to Allow automatic forwarding, then click Save.
6. Return to Remote domains and repeat steps 4 and 5 for each additional remote domain in the list.
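The same change can be audited and applied from Exchange Online PowerShell. The script below is an added example, not code from Maester or CISA; it assumes an existing `Connect-ExchangeOnline` session with rights to manage remote domains, and the `-Remediate` switch is a hypothetical name chosen for this example.

```powershell
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch for this example: without it the script only reports.
    [switch]$Remediate
)

# Assumes Connect-ExchangeOnline has already been run in this session.
$remoteDomains = @(Get-RemoteDomain)

# Show the forwarding state of every remote domain, including Default ("*").
$remoteDomains |
    Sort-Object DomainName |
    Select-Object Name, DomainName, AutoForwardEnabled |
    Format-Table -AutoSize | Out-String | Write-Host

# The control requires AutoForwardEnabled to be $false on every entry,
# not only on the Default remote domain.
$offending = @($remoteDomains | Where-Object { $_.AutoForwardEnabled })

if ($offending.Count -eq 0) {
    Write-Host 'Compliant: automatic forwarding is disabled for all remote domains.'
    return
}

Write-Warning ("{0} remote domain(s) still allow automatic forwarding: {1}" -f
    $offending.Count, ($offending.DomainName -join ', '))

if ($Remediate) {
    foreach ($domain in $offending) {
        # ShouldProcess honours -WhatIf and -Confirm so the change can be previewed.
        if ($PSCmdlet.ShouldProcess("$($domain.Identity)", 'Disable automatic forwarding')) {
            Set-RemoteDomain -Identity $domain.Identity -AutoForwardEnabled $false
        }
    }

    # Re-read the configuration to confirm the change took effect.
    $remaining = @(Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled })
    if ($remaining.Count -eq 0) {
        Write-Host 'Remediated: automatic forwarding is now disabled for all remote domains.'
    } else {
        Write-Warning ("Still enabled for: {0}" -f ($remaining.DomainName -join ', '))
    }
}
```

Run it without arguments to report only, or with `-Remediate -WhatIf` to preview the changes before applying them.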
Related links
- Exchange admin center - Remote domains
- CISA 1 Automatic Forwarding to External Domains - MS.EXO.1.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.1.1 |
| Severity | High |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaAutoExternalForwarding |
| Tags | CISA, CISA.MS.EXO.1.1, MS.EXO, MS.EXO.1.1 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaAutoExternalForwarding.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaAutoExternalForwarding.ps1