M365 Security: Unauthorized Mailbox Forwarding Auditor

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

A classic BEC tactic involves configuring an inbox rule to forward emails to an external address. This script audits an entire Exchange Online tenant for any mailboxes with active forwarding rules to external domains.

1. The Workflow

The script performs the following steps:

Connection: Authenticates to Exchange Online via module parameters.
Auditing: Iterates through all user mailboxes checking forwarding properties.
Evaluation: Compares the forwarding destination against the tenant’s accepted domains.
Alerting: Outputs a high-priority warning if external exfiltration is detected.

2. The Implementation

Connect-ExchangeOnline -ShowBanner:$false
$AcceptedDomains = (Get-AcceptedDomain).Name

foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
 if ($Mailbox.ForwardingSmtpAddress) {
 $ForwardDestination = $Mailbox.ForwardingSmtpAddress.Replace("smtp:","")
 if ($ForwardDestination -notmatch ($AcceptedDomains -join "|")) {
 Write-Host "⚠️ EXTERNAL FORWARD: $($Mailbox.UserPrincipalName) -> $ForwardDestination" -ForegroundColor Red
 }
 }
}

Zero-Touch M365 Offboarding with n8n, Docker, and PowerShell

Sun, 03 May 2026 00:00:00 +0000

Overview

In a Managed Service Provider (MSP) environment, manual offboarding is a massive liability. Missing a step when revoking access can lead to data breaches, compliance violations, and wasted licensing costs.

This guide outlines an architectural approach to “Zero-Touch” offboarding, leveraging a self-hosted n8n instance running in Docker to trigger a robust PowerShell workflow that interacts directly with the Microsoft Graph API.

The Architecture