Learn how to stop external Outlook email forwarding, to protect sensitive data, and prevent unauthorized sharing of internal communications.

Start tracking smarter. Download your free Internal Comms Metric Guide now!
Forwarding an email feels harmless until it isn’t. When internal messages are pushed outside the organization, whether manually or via auto-forwarding rules, they can expose sensitive plans, employee data, or regulated information and create a paper trail you don’t control. Industry evidence shows why this matters.
Verizon’s 2024 Data Breach Investigations Report ranks “misdelivery” (sending email to the wrong recipient) among the top human error varieties in breaches, underscoring how quickly ordinary email handling can become a data-loss event. The report notes that over the past couple of years more than half of all errors were due to misdelivery, and that 87% of errors can be traced to end users.
“We can always count on people making mistakes. The categories of mistakes they make are consistent year over year, and while some Error varieties have been decreasing, the ranking of frequency remains the same.” Verizon
Microsoft explicitly advises admins to control or block automatic external forwarding in Exchange Online because attackers commonly abuse forwarding rules for silent exfiltration. Exchange Online’s default outbound spam filter policy has blocked automatic external forwarding since 2020, but admins should verify the setting in their own tenant and review any exceptions that have been added since.
“Email forwarding can be useful, but can also pose a security risk due to the potential disclosure of information. Attackers might use this information to attack your organization or partners.” Microsoft
Regulators echo the risk. The UK Information Commissioner’s Office (ICO) tracks misdirected email as a persistent cause of reported incidents across sectors. Beyond compliance optics, the financial impact is real. IBM’s Cost of a Data Breach Report 2024 finds phishing and other email-driven vectors among the most costly initial entry points, with average breach costs rising year over year.
In Outlook, the risk is twofold. Users can forward intentionally or create rules that send email outside the tenant. Blocking auto-forwarding to external domains should be the default, supported by education and DLP controls that keep communications secure and internal.
Internal communications often carry more than everyday messages. They frequently include confidential HR records, financial results, or strategic plans not approved for public release. If this kind of content is forwarded externally (intentionally or erroneously) organizations risk exposing sensitive data that could harm their reputation, weaken competitive advantage, and/or violate stakeholder trust.
Moreover, even “innocent” accidental forwarding can trigger serious legal or regulatory consequences. When an employee forwards internal emails containing personal employee data or client information, this may violate data privacy laws or confidentiality agreements embedded in contracts or HR policy. Standards frameworks emphasize this risk. For example, the National Institute of Standards and Technology (NIST) SP 1800-28B speaks explicitly of “problematic data actions (PDA)” including accidental email forwarding and the resulting unauthorized disclosure of sensitive data.
Then there’s the threat of automated forwarding rules. Mailbox rules or connection setups that silently send copies of messages to external accounts are sometimes set up by well-intentioned employees, but may be created by threat actors who’ve gained access. The result is data exfiltration without obvious signs until it’s too late.
Security firm Red Canary has documented how adversaries routinely create forwarding rules in compromised accounts to collect sensitive information and bypass typical defences. Likewise, the Canadian Centre for Cyber Security emphasizes that any unauthorized transfer of data from a network, system, or device needs to be treated as a breach, even when it started with a seemingly simple forwarding rule.
Critically, protecting internal communications is not solely the domain of IT or security teams. While those teams enable technical controls, communications teams must steer how and where information is distributed, shape policies around forwarding, and support secure sharing. Internal comms professionals can work closely with IT. By doing so, they help safeguard content before it reaches an external inbox.
Outlook offers two main ways to forward messages — manual forwarding and automatic forwarding — each of which can expose the organization to risk if not properly controlled.
Both forms of forwarding create vulnerabilities when not restricted by IT or security teams. As mentioned above, Microsoft recommends administrators review and, when necessary, disable automatic external forwarding in Exchange Online to prevent unintended data exposure. Strong policy controls, user awareness training, and regular audits are essential to ensuring that internal information stays protected.
Unlock the full potential of your internal communication efforts with our free Internal Comms Metric Guide.

Preventing external forwarding in Outlook requires both administrative and behavioral controls. Microsoft 365 offers several ways to block automatic forwarding at different levels, from tenant-wide (organization-wide) settings down to individual mailboxes. Manual forwarding by a user cannot be switched off in the same way; it has to be constrained with content-based controls such as mail flow rules and DLP policies. Combining technical restrictions with clear employee education ensures that internal messages stay internal.
Administrators can disable auto-forwarding across the entire organization. In the Exchange Admin Center, navigate to Mail Flow → Remote Domains, open the Default remote domain (shown as “*”, which matches every external domain), and under Auto-forwarding select Off.
This setting blocks automatic external forwarding at the tenant level, covering both inbox rules and mailbox-level forwarding, and is the most comprehensive safeguard against accidental data exfiltration. Note that it does not stop a user from manually forwarding a message, and that the outbound spam filter policy in Microsoft Defender for Office 365 has its own automatic-forwarding setting; check both so that one does not silently undo the other.
For greater flexibility, admins can create specific mail flow rules.
To do this, go to Mail Flow → Rules → Create New Rule, then set the conditions “The recipient is located outside the organization” and “The message type is Auto-forward.”
Under Action, select “Block the message” and reject it with an explanation. The message-type condition matters: a rule that matches only on external recipients would reject all outbound mail, not just forwards. Scoping the rule to particular departments or user groups lets you apply targeted restrictions, or exceptions, without changing the tenant-wide setting.
Administrators seeking precise configuration can use Exchange Online PowerShell to disable or restrict external forwarding.
PowerShell lets you turn off external auto-forwarding tenant-wide, scope exceptions to specific domains, users, or distribution groups, and audit forwarding that already exists. It provides the highest degree of control for hybrid or complex environments.
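The following script is an added example, not code from the original page or from Microsoft. It applies the three admin-side controls described above (outbound spam filter policy, remote domain setting, and a targeted mail flow rule) and then audits existing mailboxes for forwarding to addresses outside the tenant’s accepted domains. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the group “ForwardingExceptions@contoso.example” and the domain in it are placeholders you would replace with your own.

```powershell
# Added example (not from the original page): block automatic external forwarding
# in Exchange Online and audit forwarding that already exists.
# Assumes: ExchangeOnlineManagement module, an Exchange admin account, and a
# placeholder exception group "ForwardingExceptions@contoso.example" (create your own).
Connect-ExchangeOnline

# 1. Outbound spam filter policy. "Automatic" is the tenant default and already
#    blocks external auto-forwarding; "Off" makes the block explicit and visible.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Remote domain setting (the Mail flow > Remote domains > Auto-forwarding toggle).
#    Identity "Default" is the "*" remote domain that matches every external domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Mail flow (transport) rule for targeted enforcement with one exempted group.
#    Matching only on "recipient outside the organization" would reject ALL outbound
#    mail, so the rule also requires the message type to be an auto-forward.
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFromMemberOf "ForwardingExceptions@contoso.example" `
    -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted." `
    -Enabled $true

# 4. Audit: which mailboxes already forward externally, either through mailbox-level
#    forwarding (ForwardingSmtpAddress) or through inbox rules?
#    Get-InboxRule runs once per mailbox, so expect this to be slow on large tenants.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLowerInvariant() }

function Test-ExternalAddress([string]$Address) {
    # Returns $true when the address's domain is not one of the tenant's accepted domains.
    if (-not $Address) { return $false }
    $clean  = $Address -replace '^smtp:', ''          # ForwardingSmtpAddress is stored as smtp:user@domain
    $domain = ($clean -split '@')[-1].ToLowerInvariant()
    return $internalDomains -notcontains $domain
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Source  = 'MailboxForwarding'
            Target  = $mbx.ForwardingSmtpAddress
            KeepsCopy = $mbx.DeliverToMailboxAndForward   # $false means the owner never sees the mail
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        foreach ($t in $targets) {
            # Rule recipients render as "Display Name" [SMTP:user@domain]; pull out the SMTP part.
            if ("$t" -match 'SMTP:([^\]\s]+)' -and (Test-ExternalAddress $Matches[1])) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = "InboxRule:$($rule.Name)"
                    Target  = $Matches[1]
                    KeepsCopy = -not [bool]$rule.RedirectTo
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding-audit.csv -NoTypeInformation
```

Run the audit section first, before changing any policy, so you know which forwards will stop working and can decide which belong in the exception group. Entries with KeepsCopy set to $false are the ones to look at most closely: a redirect or forward-without-copy is the pattern an attacker uses to read a compromised mailbox without the owner noticing, and the same check applies when you repeat the audit on a schedule.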
At the user level, forwarding is configured in two places. In Outlook on the web and the new Outlook, open Settings → Mail → Rules to review inbox rules, and Settings → Mail → Forwarding to check mailbox-level forwarding; in classic Outlook for Windows, rules live under File → Manage Rules & Alerts.
Encourage employees to review and remove any existing forwarding rules or forwarding addresses that direct messages to personal or third-party accounts. Pair this with awareness training and admin-side monitoring, such as alert policies that fire when a new forwarding or redirect rule is created, to reinforce secure sharing habits.
Ultimately, it’s essential to educate employees about security risks and set up automatic monitoring. It’s that simple.
While Outlook remains one of the most trusted business email platforms, it was never designed as a full-scale internal communications security tool. Importantly, several structural gaps limit how well it protects sensitive content once it’s sent.
Be aware of these factors:
Together, these limitations highlight why organizations must complement Outlook’s basic controls with centralized governance, data-loss prevention policies, and ongoing employee education to maintain message confidentiality and compliance integrity.

Cerkl Broadcast has been designed to eliminate the risk of external forwarding. Every message stays within authorized employee audiences, never leaving your organization’s secure ecosystem. By design, Broadcast replaces the open-ended nature of Outlook with role-based access, centralized control, and complete visibility across all communication channels.
Here’s more about what the platform offers:
Broadcast prevents external sharing altogether. Importantly, messages cannot be forwarded, copied, or shared outside approved audiences. Controlled internal-only delivery ensures that confidential HR, compliance, leadership updates, and all other critically important information remain protected within the organization.
Broadcast integrates seamlessly with Human Resources Information Systems (HRIS), Microsoft’s Active Directory (AD), or Single Sign-On (SSO) systems to dynamically manage who receives what. Audience access automatically updates as employees change departments or leave, reducing manual maintenance and eliminating outdated distribution lists.
Messages are delivered only through authenticated, secure channels, like email, mobile apps, Teams, or an intranet — never through external mail servers. This channel-specific control ensures sensitive updates never traverse unapproved systems.
Broadcast provides full visibility into engagement and compliance. You can track who opened, clicked, or acknowledged policy and HR updates, and easily produce audit-ready reports that prove compliance for regulators or internal reviews.
Every message remains internal-only. It cannot be forwarded externally, shared via link, or copied outside Broadcast. This guarantees that HR, compliance, and leadership communications stay secure, confidential, and fully traceable from send to acknowledgment.
The table below contrasts how Outlook and Cerkl Broadcast handle forwarding, visibility, compliance, and audience control. While Outlook depends on admin enforcement and user discipline, Broadcast enforces internal-only delivery by design, removing the forwarding risk altogether.
Once you recognize that securing internal communications is a priority, you need to go beyond Outlook’s built-in controls. Cerkl Broadcast gives you full visibility, compliance assurance, and complete protection from unauthorized forwarding. Perfect for growing organizations, you will get all of this within a centralized internal communications platform.
Not sure? No problem. We’ve introduced a new, basic-level subscription for people like you. Our Foundations subscription is designed to give you a chance to try out the platform free of charge. It includes everything you need to securely manage internal communications. You can include up to three team members, and send 5,000 free monthly emails. The option comes with built-in analytics, internal-only message delivery, and other free features.
Discover how to get started today. Sign up for the free Foundations Plan

