Unauthorized IPs on forwards after implementing O365 lock down rule

Created by Yves Lacombe, Modified on Thu, 28 Oct, 2021 at 12:24 PM by Yves Lacombe

Problem:  You implemented our Office365 lockdown rule and even with the recommended exceptions, some internally forwarded emails still get blocked by the rule.


Reason:  When UserA@yourdomain.com forwards an email to UserB@yourdomain.com in office365, for some reason Office365 sees those Emails as External instead of Internal.  If you look carefully at the header of the reject notification, you'll see a line like this:


x-ms-exchange-crosstenant-authas: Anonymous 


This entry can have two values:  Anonymous (external email) or Internal (it's an internal Email sent from one user to another in the same tenant).


For some unknown reason, office365 decides that a forwarded Email from an internal user to another internal user is still regarded as external.



Workaround:


Usually these forwarded emails have a resent-from line with UserA@yourdomain.com as the resent from value.  So the trick is to add another exception to the hardening rule to look for resent-from as the header element, with yourdomain.com as the value.


Example:




This workaround should apply to any internal forwarding except for calendar invite forwards, the other exception we already recommend covers that one.