Stop Employees from Forwarding Emails in Outlook Externally

Forwarding an email feels harmless — until it isn’t. The fact is, when internal messages are pushed outside the organization (manually or via auto-forwarding rules), they can expose sensitive plans, employee data, or regulated information and create a paper trail you don’t control. Industry evidence shows why this matters. 

Verizon’s 2024 Data Breach Investigations Report ranks “misdelivery” (sending email to the wrong recipient) among the top human error varieties in breaches, underscoring how quickly ordinary email handling can become a data-loss event. The report reveals that in the past couple of years, more than half of all errors were due to misdelivery. Furthermore, they have found 87% of errors can be traced to end-users. 

“We can always count on people making mistakes. The categories of mistakes they make are consistent year over year, and while some Error varieties have been decreasing, the ranking of frequency remains the same.” Verizon 

Microsoft explicitly advises admins to control or block automatic external forwarding in Exchange Online because attackers commonly abuse forwarding rules for silent exfiltration. 

“Email forwarding can be useful, but can also pose a security risk due to the potential disclosure of information. Attackers might use this information to attack your organization or partners.” Microsoft

Regulators echo the risk. The UK Information Commissioner’s Office (ICO.) tracks misdirected email as a persistent cause of reported incidents across sectors. Beyond compliance optics, the financial impact is real. IBM’s Cost of a Data Breach Report 2024 finds phishing and other email-driven vectors among the most costly initial entry points, with average breach costs rising year over year.

In Outlook, the risk is twofold. Users can forward intentionally or create rules that send email outside the tenant. Blocking auto-forwarding to external domains should be the default, supported by education and DLP controls that keep communications secure and internal.

Why Should You Prevent External Email Forwarding?

Internal communications often carry more than everyday messages. They frequently include confidential HR records, financial results, or strategic plans not approved for public release. If this kind of content is forwarded externally (intentionally or erroneously) organizations risk exposing sensitive data that could harm their reputation, weaken competitive advantage, and/or violate stakeholder trust.

Moreover, even “innocent” accidental forwarding can trigger serious legal or regulatory consequences. When an employee forwards internal emails containing personal employee data or client information, this may violate data privacy laws or confidentiality agreements embedded in contracts or HR policy. Standards frameworks emphasize this risk. For example, the National Institute of Standards and Technology (NIST) SP 1800-28B speaks explicitly of “problematic data actions (PDA)” including accidental email forwarding and the resulting unauthorized disclosure of sensitive data.

Then there’s the threat of automated forwarding rules. Mailbox rules or connection setups that silently send copies of messages to external accounts are sometimes set up by well-intentioned employees, but may be created by threat actors who’ve gained access. The result is data exfiltration without obvious signs until it’s too late. 

The cyber-security research firm, Red Canary, has documented how adversaries routinely create forwarding rules in compromised accounts to collect sensitive information and bypass typical defences. Likewise, as the Canadian Centre for Cyber Security emphasizes, any unauthorized transfer of data from a network, system, or device needs to be treated as a breach, even when it started with a seemingly simple forwarding rule. 

Critically, protecting internal communications is not solely the domain of IT or security teams. While those teams enable technical controls, communications teams must steer how and where information is distributed, shape policies around forwarding, and support secure sharing. Internal comms professionals can work closely with IT. By doing so, they help safeguard content before it reaches an external inbox.

How Outlook Email Forwarding Works

Outlook offers two main ways to forward messages — manual forwarding and automatic forwarding — each of which can expose the organization to risk if not properly controlled.

1. Manual forwarding happens when an employee deliberately clicks Forward and sends a message outside the company. It’s a quick, everyday action that might seem harmless, but once an internal email is sent to an external recipient, control over that information is lost. Sensitive attachments, internal discussions, or confidential HR or financial data can easily be shared beyond intended boundaries, often without malicious intent.
2. Automatic forwarding occurs when users or departments create mailbox rules that forward all incoming mail to another account — frequently personal Gmail, Yahoo, or other external addresses. While sometimes done for convenience or remote access, these rules can bypass data-loss prevention (DLP) controls and expose entire mail streams to unauthorized networks. In compromised accounts, attackers also use this feature to silently exfiltrate data or monitor internal communications.

Both forms of forwarding create vulnerabilities when not restricted by IT or security teams. As mentioned above, Microsoft recommends administrators review and, when necessary, disable automatic external forwarding in Exchange Online to prevent unintended data exposure. Strong policy controls, user awareness training, and regular audits are essential to ensuring that internal information stays protected.

How to Stop External Email Forwarding in Outlook

Preventing external forwarding in Outlook requires both administrative and behavioral controls. Microsoft 365 offers several ways to block automatic or manual forwarding at different levels. These range from global tenant (or organizational-wide) settings to individual mailboxes. Combining technical restrictions with clear employee education ensures that internal messages stay internal.

Option 1: Disable Auto-Forwarding via Microsoft 365 Admin Center

Administrators can disable auto-forwarding across the entire organization. In the Exchange Admin Center, navigate to Mail Flow → Remote Domains, choose the domain, and under Auto-Forwarding, select Off.

This setting blocks all automatic external forwarding at the company tenant level and is the most comprehensive safeguard against accidental data exfiltration.

Option 2: Block External Forwarding with Mail Flow Rules

For greater flexibility, admins can create specific mail flow rules. 

To do this, go to Mail Flow → Rules → Create New Rule, then set the condition “If the recipient is outside the organization.”

If you need to, under Action, select “Reject the message” or “Block with explanation.” This allows you to apply targeted restrictions for particular departments or user groups without disabling forwarding globally.

Option 3 – Use PowerShell for Granular Control

Administrators seeking precise configuration can use PowerShell commands within Microsoft 365 to disable or restrict external forwarding. 

This command disables external forwarding by default but can be adjusted to apply to specific domains, users, or distribution groups. PowerShell provides the highest degree of control for hybrid or complex environments.

Option 4 – Disable Forwarding from Individual Mailboxes

At the user level, forwarding can be stopped directly in Outlook Settings → Rules → Manage Rules. 

Encourage employees to review and remove any existing auto-forwarding rules that direct messages to personal or third-party accounts. Pair this with awareness training and automated monitoring to reinforce secure sharing habits. 

Ultimately, it’s essential to educate employees about security risks and set up automatic monitoring. It’s that simple. 

Outlook’s Limitations for Internal Comms Security

While Outlook remains one of the most trusted business email platforms, it was never designed as a full-scale internal communications security tool. Importantly, several structural gaps limit how well it protects sensitive content once it’s sent. 

Be aware of these factors:

• No governance after send: Once an email leaves the outbox, there’s no control over how it’s shared. Recipients can freely forward, copy, or download attachments. You don’t want to allow this. 
• No audit visibility: Outlook provides no insight into who forwarded a message, to whom, or whether it was opened externally. This leaves compliance teams without a traceable audit trail, which is a critical factor. 
• Limited audience control: Distribution lists and manual recipient management increase the risk of sending internal information to unintended contacts, particularly in large organizations. This is not a risk worth taking. 
• Inconsistent enforcement: Forwarding settings can reset after migrations, mailbox restorations, or policy updates, allowing previously blocked behavior to re-emerge unnoticed. It is vital to avoid this risk.
  
  

Together, these limitations highlight why organizations must complement Outlook’s basic controls with centralized governance, data-loss prevention policies, and ongoing employee education to maintain message confidentiality and compliance integrity.

The Cerkl Broadcast Solution to Company-Wide Email Forwarding 

Cerkl Broadcast has been designed to eliminate the risk of external forwarding. Every message stays within authorized employee audiences, never leaving your organization’s secure ecosystem. By design, Broadcast replaces the open-ended nature of Outlook with role-based access, centralized control, and complete visibility across all communication channels.

Here’s more about what the platform offers:

Restricted Sharing of Sensitive Content

Broadcast prevents external sharing altogether. Importantly, messages cannot be forwarded, copied, or shared outside approved audiences. Controlled internal-only delivery ensures that confidential HR, compliance, leadership updates, and all other critically important information remain protected within the organization.

Audience Management and Access Control

Broadcast integrates seamlessly with Human Resources Information Systems (HRIS), Microsoft’s Active Directory (AD), or Single Sign-On (SSO) systems to dynamically manage who receives what. Audience access automatically updates as employees change departments or leave, reducing manual maintenance and eliminating outdated distribution lists.

Channel-Level Security

Messages are delivered only through authenticated, secure channels, like email, mobile apps,  Teams, or an intranet — never through external mail servers. This channel-specific control ensures sensitive updates never traverse unapproved systems.

Read Receipts, Acknowledgements, and Analytics

Broadcast provides full visibility into engagement and compliance. You can track who opened, clicked, or acknowledged policy and HR updates, and easily produce audit-ready reports that prove compliance for regulators or internal reviews.

Internal-Only Visibility

Every message remains internal-only. It cannot be forwarded externally, shared via link, or copied outside Broadcast. This guarantees that HR, compliance, and leadership communications stay secure, confidential, and fully traceable from send to acknowledgment.

Outlook vs. Cerkl Broadcast for Restricting Email Forwarding Externally

The table below contrasts how Outlook and Cerkl Broadcast handle forwarding, visibility, compliance, and audience control. While Outlook depends on admin enforcement and user discipline, Broadcast enforces internal-only delivery by design, removing the forwarding risk altogether. 

What’s Next

Once you recognize that securing internal communications is a priority, you need to go beyond Outlook’s built-in controls. Cerkl Broadcast gives you full visibility, compliance assurance, and complete protection from unauthorized forwarding. Perfect for growing organizations, you will get all of this within a centralized internal communications platform. 

Not sure? No problem. We’ve introduced a new, basic-level subscription for people like you. Our Foundations subscription is designed to give you a chance to try out the platform free of charge. It includes everything you need to securely manage internal communications. You can include up to three team members, and send 5,000 free monthly emails. The option comes with built-in analytics, internal-only message delivery, and other free features. 

Discover how to get started today. Sign up for the free Foundations Plan