Who’s Forwarding Emails Outside Your Domain? Here’s Why They Do It and How to Stop Them.
August 9, 2017
4 minute read
In the mind of the average end user, setting up an automatic email forwarding rule is a harmless exercise. But for those whose job it is to prevent data breaches and ensure compliance, email forwarding rules can turn into a nightmare scenario in seconds.
When an employee sets up automatic forwarding to an email address outside of your domain, it's likely for one of three reasons.
1. They’ve Been Targeted By a Phishing Attack
Once an attacker has phished their way into an employee's inbox, they quietly add a forwarding rule that sends a copy of every incoming message to an address they control.
This is exactly what happened at Middlesex Hospital, when attackers compromised the accounts of three employees. Forwarding rules are a common persistence tactic because they are a mailbox setting, not a session: resetting the user's password ends the attacker's login but leaves the rule in place, so mail keeps flowing out until someone finds and removes it.
2. They Seek Convenience
Employees may turn on email forwarding rules accidentally or perhaps to access work emails on devices not managed by the company.
The IT and health departments for Multnomah County are learning this lesson the hard way. An employee enabled an automatic email forwarding rule, which for three months, forwarded all incoming work emails to a personal email address.
The email forwarding rule exposed the electronic protected health information (ePHI) of 1,700 patients. It's a clear HIPAA violation that is likely to carry financial consequences.
3. They Have Malicious Intent
Most commonly for financial gain, employees may want to take important information (e.g. a list of sales contacts) with them when they leave a company.
A curious malicious auto-forwarding incident recently happened not between company and employee, but during a divorce. A woman set up email forwarding rules to snoop on the messages of her soon-to-be ex-husband’s email account. She is now facing a federal wiretapping suit.
How to Solve the Email Forwarding Problem with BetterCloud
BetterCloud helps admins audit, remediate, and prevent email forwarding rules from causing data exposures and/or compliance breaches.
Step 1: Use BetterCloud’s canned report to identify employees with email forwarding enabled.
This report will show you the name, email, and forwarding address of every employee with the setting enabled. Sometimes email forwarding rules are necessary, especially if an employee no longer works for the company and his or her incoming email is deemed important. However, any employee forwarding email to Gmail, Outlook, or Yahoo is most likely sending company emails to a personal address.
Step 2: Where necessary, disable automatic email forwarding rules.
In the new BetterCloud platform, you can disable email forwarding settings for a single user, or if necessary, multiple or all G Suite users in bulk.
Step 3: Set up an alert to notify admins when employees enable automatic email forwarding rules.
In the example alert, the threshold is set to 3. Thresholds are important if you have a legitimate reason for some users to have email forwarding configured. In this case, three users can have automatic email forwarding enabled, but you would be alerted if a fourth user sets it up. This gives you flexibility and triggers the alert only when necessary.
Step 4: Automatically disable email forwarding settings with Workflows.
It's impossible to constantly monitor the settings of all your users, and equally impossible to always be in a position to take action when an alert is triggered. To deal with this, you need automated policies that act on your behalf when you can't. Using the alert configured in step 3, you can set up a workflow that automatically disables email forwarding settings as soon as they're turned on. Additionally, you can add a step to the workflow that sends an email via Gmail, a message via Slack, or even creates a Zendesk ticket to confirm that the workflow ran.
Bonus Step: Prevent email forwarding to personal inboxes (i.e. addresses ending in gmail.com, outlook.com, yahoo.com)
You can replicate steps 1-4 above to prevent end users from setting up automatic forwarding to personal gmail.com, outlook.com, or yahoo.com addresses.
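The four steps above (audit, classify, alert on a threshold, plan remediation) can be expressed as a small script, shown here as an added example; it is not BetterCloud's code or Google's, and it makes no API call. The records are shaped like the Gmail API `AutoForwarding` resource (`users.settings.getAutoForwarding`) and `Filter` resources (`users.settings.filters.list`), but every mailbox, domain and filter id below is constructed for illustration, and `ORG_DOMAIN` is an assumed company domain. It also covers the bonus step by flagging the personal-inbox domains the post names, and it goes one step beyond the report described above: it inspects filter rules with a forward action as well as the account-level forwarding setting, since a compromised mailbox is usually drained through a filter rather than the setting.

```python
"""Audit mailbox forwarding and plan remediation (added example, not BetterCloud's code).

Records mimic the Gmail API AutoForwarding and Filter resources, but all data here
is constructed for illustration and nothing is sent to any API.
"""
from dataclasses import dataclass
from typing import Iterable

ORG_DOMAIN = "example.com"                                   # assumption: the company's own domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # consumer domains named in the post


@dataclass(frozen=True)
class Finding:
    user: str      # mailbox whose mail is being forwarded
    target: str    # address the mail goes to
    source: str    # "auto_forwarding" (account setting) or "filter:<id>" (filter rule)
    category: str  # "internal", "personal" or "external"


def classify(target: str) -> str:
    """Bucket a forwarding target by its domain (bonus step: personal inboxes get their own bucket)."""
    domain = target.rsplit("@", 1)[-1].lower()
    if domain == ORG_DOMAIN:
        return "internal"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "external"


def audit_mailbox(user: str, auto_forwarding: dict, filters: Iterable[dict]) -> list[Finding]:
    """Step 1: find every place one mailbox forwards mail.

    The account-level setting is what a user flips for convenience; an attacker usually
    plants a filter with a forward action instead, so both have to be checked.
    """
    findings = []
    if auto_forwarding.get("enabled") and auto_forwarding.get("emailAddress"):
        target = auto_forwarding["emailAddress"]
        findings.append(Finding(user, target, "auto_forwarding", classify(target)))
    for flt in filters:
        target = flt.get("action", {}).get("forward")
        if target:
            findings.append(Finding(user, target, f"filter:{flt.get('id', '?')}", classify(target)))
    return findings


def audit_org(mailboxes: dict) -> list[Finding]:
    """mailboxes: {user: {"autoForwarding": {...}, "filters": [...]}} -> all findings."""
    out = []
    for user, cfg in mailboxes.items():
        out.extend(audit_mailbox(user, cfg.get("autoForwarding", {}), cfg.get("filters", [])))
    return out


def users_over_threshold(findings, threshold=3, allowlist=frozenset()):
    """Step 3 semantics: `threshold` users may forward outside the org; alert on the next one.

    Returns the set of offending users when the threshold is exceeded, else an empty set.
    """
    offenders = {f.user for f in findings if f.category != "internal" and f.user not in allowlist}
    return offenders if len(offenders) > threshold else set()


def remediation_plan(findings, allowlist=frozenset()):
    """Step 4: the Gmail API operations that would remove each non-internal forward.

    Emits (user, api_method, argument) tuples rather than calling the API, so the plan
    can be reviewed or fed to a workflow.
    """
    plan = []
    for f in findings:
        if f.category == "internal" or f.user in allowlist:
            continue
        if f.source == "auto_forwarding":
            plan.append((f.user, "users.settings.updateAutoForwarding", {"enabled": False}))
        else:
            plan.append((f.user, "users.settings.filters.delete", f.source.split(":", 1)[1]))
    return plan


# Constructed sample: a legitimate internal forward, a personal one, and an attacker's filter
# that forwards everything and hides it from the inbox.
SAMPLE = {
    "alice@example.com": {"autoForwarding": {"enabled": True, "emailAddress": "team-inbox@example.com",
                                             "disposition": "leaveInInbox"}, "filters": []},
    "bob@example.com": {"autoForwarding": {"enabled": True, "emailAddress": "bob.personal@gmail.com",
                                           "disposition": "archive"}, "filters": []},
    "carol@example.com": {"autoForwarding": {"enabled": False},
                          "filters": [{"id": "filter-001", "criteria": {"to": "carol@example.com"},
                                       "action": {"forward": "collector@attacker-mail.net",
                                                  "removeLabelIds": ["INBOX"]}}]},
    "dave@example.com": {"autoForwarding": {"enabled": False}, "filters": []},
}

if __name__ == "__main__":
    found = audit_org(SAMPLE)
    for f in found:
        print(f"{f.user:20} -> {f.target:30} via {f.source:18} [{f.category}]")
    print("alert:", users_over_threshold(found, threshold=1))
    for step in remediation_plan(found):
        print("remediate:", step)
```

With the sample data and the post's threshold of 3, no alert fires (only two users forward outside the org), which is the intended flexibility; lowering the threshold to 1 or allowlisting the known-good user changes the outcome, and the remediation plan lists one call to disable the account-level setting and one to delete the attacker's filter. Carol's case is the one a report limited to the forwarding setting would miss entirely.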