Turning off email auto forwarding feature from 1st May 2019
10:24AM, 18 March 2019
Over the last 12 months, the University has become aware of instances in which cyber attackers have exploited email auto forwarding functionality to compromise the security of personal and confidential University data.
This risk was reviewed by the University’s Information Governance Sub Committee [IGSC18-M4 Minute 18/35] and it was agreed that the following functions of the University’s email system will be turned off:
• Auto-forwarding of email using the SMTP Forwarding function
• Auto-forwarding of email using Inbox rules
It has become apparent that a significant number of staff and student user accounts have been successfully compromised (usually as a result of a ‘Phishing’ attack), after which, the attacker has then set the compromised account to automatically forward all email to an unknown third-party email address.
This silent forwarding, therefore presents a significant information security risk to both the University and individual users. Additionally, in some cases, University staff and students have used auto-forward functionality to divert email received by their University accounts to non-University accounts. As with the above, this presents a significant information security risk to the University as it allows for confidential data to be moved outside of the secure University network environment.
As with all information security breaches, instances of the above would be subject to further investigation by the Information Commissioner’s Office and could lead to the University being subject to significant fines under the Data Protection Act (2018).
Therefore it is intended that auto-forward functionality will be switched off from 1st May 2019.
If you believe you have a legitimate business case for the continued use of auto-forward functionality, please contact firstname.lastname@example.org before 8th April 2019 to discuss this requirement.