Unauthorized IPs on forwards after implementing O365 lock down rule

Created by Yves Lacombe, Modified on Thu, 28 Oct 2021 at 12:24 PM by Yves Lacombe

Problem:  You implemented our Office365 lockdown rule and, even with the recommended exceptions, some internally forwarded emails are still blocked by the rule.

Reason:  When UserA@yourdomain.com forwards an email to UserB@yourdomain.com in Office365, Office365 for some reason treats that email as External instead of Internal.  If you look carefully at the headers of the reject notification, you'll see a line like this:

x-ms-exchange-crosstenant-authas: Anonymous

This header takes one of two values:  Anonymous (external email) or Internal (an internal email sent from one user to another in the same tenant).

For some unknown reason, Office365 still classifies an email forwarded from one internal user to another internal user as external.

These forwarded emails usually carry a Resent-From header whose value is UserA@yourdomain.com.  The workaround is therefore to add another exception to the hardening rule: a header match with Resent-From as the header name and yourdomain.com as the value.

This workaround should cover any internal forwarding except calendar invite forwards; the other exception we already recommend covers those.
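The Resent-From exception described above, applied from Exchange Online PowerShell. This is an added example, not part of the original article; the rule name "O365 Lockdown" and the domain are placeholders you must replace with your own.

```powershell
# Added example (not from the original article). Assumes an Exchange Online
# PowerShell session is already open (Connect-ExchangeOnline) and that the
# lockdown rule already exists under the name below.
$RuleName = "O365 Lockdown"      # placeholder: your lockdown rule's name
$Domain   = "yourdomain.com"     # placeholder: your tenant domain

# Look at the rule's current header exception before changing anything.
# A mail flow rule can carry only one "header contains" exception, and
# Set-TransportRule replaces that exception rather than appending to it.
# If the rule already uses this exception for a different header, put the
# Resent-From exception in a separate rule instead of overwriting it.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords

# Add the exception: skip the rule when the Resent-From header contains the domain.
Set-TransportRule -Identity $RuleName `
    -ExceptIfHeaderContainsMessageHeader "Resent-From" `
    -ExceptIfHeaderContainsWords $Domain

# Confirm the exception is now in place.
Get-TransportRule -Identity $RuleName |
    Format-List ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords
```

A header-content exception matches whatever text the message carries in that header, so keep it alongside the other recommended exceptions and the rule's sender checks rather than as the only gate.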