Office 365 has allowed users to create rules to automatically forward email to external email addresses. This is useful when you want to share certain emails automatically with an external party (for example, e-mails from school being sent to your partner) or send information into another system.
But unfortunately, like many things intended for good, this can also be used for evil. Often automatic forwarding rules can be set up by hackers to extract sensitive information from a company email address and forward it to a third party automatically.
As a result, Microsoft is changing the default “posture” for email forwarding to external recipients to be disabled. This means that users will no longer be able to automatically forward emails to an e-mail address outside their company, unless it is explicitly allowed by an admin. This change comes into effect next Tuesday (1st September).
In a few months, they will also reset the policy for any existing forwards that have not been explicitly allowed under the new rules.
We’re working with our customers that might be affected to help them identify an appropriate policy for their organisation and to put in place sensible defaults.
You can read more about the planned change on the Microsoft 365 Roadmap here.
How we can help
More from the blog
Keeping it secure with 2 Factor Authentication
24 Jun 2019
You might have heard of 2 Factor Authentication (2FA) and maybe even be forced to use it. But what is it, how does it work …
Read more
Share Your IT Thoughts To Win!
10 Jul 2018
We want to know what you think about IT security and software updates. Complete our short survey and go in the draw to win a …
Read more
Did your AI tooling just make that up?
22 Apr 2026
I used to be able to spot an LLM hallucination a mile away. The writing had a whiff about it — too confident, slightly off-topic, …
Read more