Why Email Auto-Forwarding to External Recipients is Disabled

Overview

SMU has disabled automatic email forwarding in Exchange Online to external recipients. This decision aligns with industry best practices and compliance requirements to protect sensitive data and reduce the risk of data exfiltration.

Why Disable Auto-Forwarding?

  1. Prevent Data Leakage
    Auto-forwarding can inadvertently send confidential or regulated information outside the organization without proper oversight.

  2. Reduce Phishing and Account Compromise Risks
    Attackers often configure auto-forwarding rules after compromising accounts to silently exfiltrate data.

  3. Monitoring
    Disabling auto-forwarding ensures that email traffic remains within monitored tools, improving phishing and spam incident detection.


Limited Exceptions

Exceptions may be granted under the following conditions:

  • Vendor or Partner Integration
    When a business-critical process requires forwarding to a trusted external domain.

  • Shared Service Accounts
    Accounts used for automated workflows that need forwarding for operational continuity.

  • Regulatory or Legal Requirements
    Specific compliance scenarios where forwarding is mandated by law or contractual obligation.


Approval Process

  • Submit a request via the EIT Helpdesk.
  • Provide justification, external recipient details, and risk mitigation measures.
  • Approval requires a review from EIT Security.
  • Exceptions will be time-bound and reviewed periodically.

Additional Notes

  • Forwarding within the organization (internal domains) remains unaffected.
  • Users can still manually forward individual emails when necessary.

Details

Article ID: 991
Created: Tue 12/2/25 8:23 AM
Modified: Tue 12/2/25 8:23 AM