EXT-07: Detect External Mail Forwarding
Frequently asked questions about implementing and managing the EXT-07 security control in Microsoft 365 and Entra ID.
Free baseline scan · No credit card · 5 minute setup
QWhat is EXT-07 (Detect External Mail Forwarding)?▼
EXT-07 is a security control that attackers commonly set up mail forwarding rules after compromising accounts. these rules silently copy all emails to external addresses, enabling ongoing data theft even after the initial compromise is remediated. It requires that mailbox forwarding rules to external addresses are identified and inbox rules forwarding to external domains are flagged, no unexpected external forwarding rules exist.
QWhy is Detect External Mail Forwarding important for Microsoft 365 security?▼
Attackers commonly set up mail forwarding rules after compromising accounts. These rules silently copy all emails to external addresses, enabling ongoing data theft even after the initial compromise is remediated.
QHow do I implement EXT-07 in my tenant?▼
TrueConfig provides one-click remediation for EXT-07. TrueConfig can disable external auto-forwarding rules in one click (disable_mail_forwarding). The manual alternative is removing forwarding rules via Exchange admin access or the Microsoft Graph Reports API.
QWhat license do I need for EXT-07?▼
This control can be implemented with any Microsoft 365 subscription, including free Azure AD.
QWhich security baseline includes EXT-07?▼
EXT-07 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.
5
Questions
1
Related Controls
—
Categorized
Related Resources
Still have questions?
Our security experts are here to help. Start a free trial and get personalized guidance for your Microsoft 365 environment.
Start Free Trial