M365 Security: Unauthorized Mailbox Forwarding Auditor

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

A classic BEC tactic involves configuring an inbox rule to forward emails to an external address. This script audits an entire Exchange Online tenant for any mailboxes with active forwarding rules to external domains.

1. The Workflow

The script performs the following steps:

Connection: Authenticates to Exchange Online via module parameters.
Auditing: Iterates through all user mailboxes checking forwarding properties.
Evaluation: Compares the forwarding destination against the tenant’s accepted domains.
Alerting: Outputs a high-priority warning if external exfiltration is detected.

2. The Implementation

Connect-ExchangeOnline -ShowBanner:$false
$AcceptedDomains = (Get-AcceptedDomain).Name

foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
 if ($Mailbox.ForwardingSmtpAddress) {
 $ForwardDestination = $Mailbox.ForwardingSmtpAddress.Replace("smtp:","")
 if ($ForwardDestination -notmatch ($AcceptedDomains -join "|")) {
 Write-Host "⚠️ EXTERNAL FORWARD: $($Mailbox.UserPrincipalName) -> $ForwardDestination" -ForegroundColor Red
 }
 }
}

Exchange Online on Alfred van Ster

M365 Security: Unauthorized Mailbox Forwarding Auditor

1. The Workflow

2. The Implementation