Security Manager's Journal: Auto-forwarded emails could be a huge problem

Our intellectual property and sensitive data have been leaving the relatively safe confines of our internal network without adequate security precautions, all because users find it convenient to get their company email in their personal webmail accounts.

Recently, a bounce-back message from one of my company's internal email distribution lists led to a startling discovery: People are automatically forwarding their company email offsite to Gmail and other personal webmail services.

It all started when our marketing group set up a meeting using the marketing email distribution list in Outlook. One person then replied to all that she wouldn't be able to attend. She then received the bounce-back message -- from an outside email address. Because she assumed that the error meant there was a problem with our email system, she opened a help desk ticket.

Our email administrator tipped me off to the problem. How could an internal email message result in an error from an outside email service? There's only one explanation: The internal message had been forwarded to an outside email account.

In fact, the webmail service in question was experiencing an outage, resulting in error messages in response to every email sent to its customers.
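The administrator's inference can be automated as a triage check on bounce messages. This is an added example, not part of the original column: it parses a delivery status notification and reports failed recipients outside the company's domains when the original message was addressed only to internal recipients. The domains `corp.example` and `webmail.example`, all addresses and the sample bounce are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the company's own mail domains
# Constructed sample bounce in RFC 3464 layout; every name in it is made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@webmail.example
To: alice@corp.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.webmail.example

Final-Recipient: rfc822; mgr.personal@webmail.example
Action: failed
Status: 5.3.0

--b1
Content-Type: message/rfc822

From: alice@corp.example
To: marketing-list@corp.example

I won't be able to attend.
--b1--
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()

def offsite_forward_evidence(raw, internal=INTERNAL_DOMAINS):
    """Failed recipients outside our domains for a message addressed only inside them."""
    failed, original_rcpts = [], []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser exposes each header block of the status part as a sub-message.
            for block in part.get_payload():
                if "Final-Recipient" in block:
                    failed.append(block["Final-Recipient"].split(";", 1)[-1].strip())
        elif ctype == "message/rfc822":
            orig = part.get_payload(0)
            hdrs = orig.get_all("To", []) + orig.get_all("Cc", [])
            original_rcpts = [a for _, a in getaddresses(hdrs)]
    if not original_rcpts or any(domain(a) not in internal for a in original_rcpts):
        return []  # sender addressed an outside party directly; a bounce is unremarkable
    return [a for a in failed if domain(a) not in internal]
```

A non-empty result identifies the external mailbox, not the internal account that forwards to it; mapping one to the other still requires inspecting mailbox rules.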

The important questions for me were, "How did our internal email get outside, and does this sort of thing happen a lot?" The answer to the first question was in Microsoft Outlook, which lets users set up rules to manage email in various ways, including forwarding email to another inbox -- any inbox, in fact, with a valid SMTP email address.

The guilty culprit in this case was the manager of the marketing group. I explained to her that our security policy prohibits internal company data from being sent outside our network without appropriate security. Her position was that her job required her to keep in touch 24 hours a day, so she found it convenient to get her email in more than one place. She tried to make a case for the importance of mixing personal and business systems, claiming that we all lead what she calls "blended lives" -- meaning that our professional and personal time are mixed together. We take calls from our kids during the workday, make appointments with our dentists, hairdressers and mechanics, and we take calls at night from our management or support staff.

As someone whose workday sometimes seems endless, I have some sympathy for what she was saying, but her argument didn't change my stance. I'm responsible for protecting our data and intellectual property. Auto-forwarding rules just do not allow appropriate protection of information. There are other ways to get company email, including Outlook Web Access and VPN, which are useful for people who are traveling or working from home. I think the only reason our marketing colleague was trying to use webmail was that she is more comfortable with that service than with the services my company provides. But personal comfort can't always override security.

Concerned about who else might be doing the same thing, I asked our email administrator to track down every Outlook account that had set up auto-forwarding rules. Unfortunately, I'm told that there's no way to do that using Microsoft's Exchange software. I thought that there surely must be other ways to detect automatic forwarding that wouldn't involve checking everyone's Outlook settings, but evidently that's not true. The only way to find email rules that have been set up by end users is to examine each account, one by one. That's a big job. So I've added it to my IT request list, along with the other things I need from IT.

Another option might be to detect and quarantine email leaving our network using DLP or something similar. However, it turns out that a huge amount of email goes to webmail accounts each day (mostly for legitimate purposes), so wholesale detection or blocking of webmail cannot help. We simply don't have the staff to comb through every email looking for inappropriate leakage of internal messages.

So, in the meantime, I'll be reinforcing my company's security policy through education and awareness.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
