Query Details

Defender for Office 365 - Anti-spam outbound policy - AutoForwardingMode

MDO Auto Forwarding Mode

Query

OfficeActivity
| where Operation == @"Set-HostedOutboundSpamFilterPolicy"
| mv-expand parse_json(Parameters)
| extend Setting = parse_json(Parameters)["Name"]
| extend Configuration = parse_json(Parameters)["Value"]
| where Setting == "AutoForwardingMode"
| extend Description = case(
        Configuration == "Automatic", "System-controlled: Default value. Same as Off — forwarding is disabled.",
        Configuration == "On", "Forwarding is enabled: Automatic external forwarding is allowed and not restricted.",
        Configuration == "Off", "Forwarding is disabled: Automatic external forwarding is blocked and results in an NDR to the sender.",
        "Unknown"
    )
| project TimeGenerated, Setting, Configuration, Description

About this query

Explanation

This KQL query is designed to monitor changes in the AutoForwardingMode setting of outbound anti-spam policies in Microsoft Defender for Office 365. Here's a simple breakdown of what the query does:

  1. Identify Changes: It looks for operations where the outbound spam filter policy is modified, specifically focusing on the "AutoForwardingMode" setting.

  2. Extract Information: The query extracts the current configuration value of AutoForwardingMode, which can be "Automatic," "On," or "Off."

  3. Provide Descriptions: Based on the configuration value, it provides a human-readable description:

    • "Automatic": Forwarding is system-controlled and effectively disabled.
    • "On": Forwarding is enabled, allowing automatic external forwarding.
    • "Off": Forwarding is disabled, blocking automatic external forwarding and resulting in a non-delivery report (NDR) to the sender.
  4. Display Results: The query projects relevant information such as the time of change, setting name, configuration value, and description.

Additionally, the query checks for email events with forwarding information, extracting details like forwarding type, forwarding user, sender's IP address, and geographical location based on the IP address.

Overall, this query helps administrators monitor and understand changes to email forwarding settings, which can be crucial for security and compliance purposes.

Details

Alex Verboon profile picture

Alex Verboon

Released: March 16, 2026

Tables

OfficeActivityCloudAppEventsEmailEvents

Keywords

DefenderOfficeEmailForwardingPolicyConfigurationActivitySenderRecipientIPAddressCountry

Operators

wheremv-expandparse_jsonextendcaseprojectisnotemptycoalescegeo_info_from_ip_addresstostring

MITRE Techniques

Actions

GitHub