Fix interaction of Outbound Spam Policy Forwarding settings with Mail Transport Rule and Remote Domain Exchange settings
Microsoft recently made changes to streamline 365 security: https://www.microsoft.com/security/blog/?p=91813
There were changes made to the backend of the Outbound Spam Filter Policy Automatic Forwarding settings.
Previously, when automatic forwarding was enabled in the Outbound Spam Filter Policy, Exchange admins could restrict it using Mail Transport Rules or Remote Domain settings. Secure Score for Exchange even included a template transport rule that rejects messages sent from inside the organization to outside the organization with the AutoForward message type.
This Transport Rule allowed a granular exception list; Recipient Addresses and Recipient Domains were easy to configure as exceptions.
With the recent change, the Automatic Forwarding setting of the Outbound Spam Filter Policy now overrides both Transport Rules and Remote Domain settings.
There is a configurable exception ("applied to") list within the Outbound Spam Filter Policy's Automatic Forwarding settings, but it only allows Senders, Sender Domains, or Sender Groups to be specified.
This is far less safe than a traditional recipient whitelist. If a whitelisted sender account is compromised, the attacker can auto-forward the entire mailbox history out of the organization, which is a commonly exploited attack vector.
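The difference between the two exception models, shown in Exchange Online PowerShell. This is an added example and not part of the original post or any Microsoft documentation; the rule and policy names, the partner domain and the sender address are assumed for illustration, and the session is assumed to already be connected with Connect-ExchangeOnline.

```powershell
# Added example (not from the original post). Rule/policy names, the partner domain
# and the finance sender address are assumed; an Exchange Online session is required.

# 1. The old model: leave forwarding on in the outbound spam policy and let a transport
#    rule reject auto-forwards to external recipients, with a recipient-based exception.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On

# Assumed partner domain that is allowed to receive auto-forwarded mail.
New-TransportRule -Name "Block external auto-forward (except partner)" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfRecipientDomainIs "partner.example" `
    -RejectMessageReasonText "Automatic forwarding outside the organization is not allowed." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Remote Domain settings gave the same recipient-side control per destination domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. The new model: the outbound spam policy blocks auto-forwarding before the transport
#    rule is evaluated, so the recipient exception above never takes effect. The only
#    exception mechanism is a second policy whose rule is scoped by sender.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

New-HostedOutboundSpamFilterPolicy -Name "Allow auto-forward (finance)" -AutoForwardingMode On
# Assumed sender; once listed here it may auto-forward to any external recipient.
New-HostedOutboundSpamFilterRule -Name "Allow auto-forward (finance)" `
    -HostedOutboundSpamFilterPolicy "Allow auto-forward (finance)" `
    -From "finance-reports@contoso.example"

# 3. Audit: list every sender-scoped exemption, since each of these identities can
#    forward its whole mailbox anywhere if it is compromised.
Get-HostedOutboundSpamFilterRule |
    Where-Object { $_.State -eq 'Enabled' } |
    Select-Object Name, From, SenderDomainIs, FromMemberOf
```

The audit query in step 3 is the check worth running after the change: every address, domain or group it returns is a forwarding path that no transport rule or remote domain setting will narrow, so the list should be kept short and reviewed alongside sign-in risk for those accounts.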
Please Microsoft, can you fix the interaction of Mail Transport Rules and Remote Domain settings with the Outbound Spam Filter Policy changes?
