Suspicious email sending patterns detected

Jorge Fernandez 0 Reputation points
2026-05-14T15:12:31.1133333+00:00

Hello Team, I am having problems with the company emails.

A medium-severity alert has been triggered

⚠ Suspicious email sending patterns detected

Severity: ● Medium

Time: 5/14/2026

Activity: Suspicious outbound email activity

Microsoft Security | Microsoft Defender | Microsoft Defender for Office 365

2 answers

  1. Jorge Fernandez 0 Reputation points
    2026-05-14T15:15:27.2333333+00:00

    The issue is that they have sent emails as if they were the user.


  2. Q&A Assist
    2026-05-14T15:12:44.3066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The alert “Suspicious email sending patterns detected” means Microsoft Defender has seen outbound email behavior from one or more user accounts that looks like spam or a compromised account, but not yet severe enough to automatically block sending.

    To handle this:

    1. Identify which account is involved
      • In the Microsoft Defender portal, open the alert details for Suspicious email sending patterns detected.
      • Note the affected user account, time, and any listed recipients or subject lines.
    2. Check if the account is compromised
      • Look for common compromise indicators on the mailbox:
        • Unexpected or missing/deleted email.
        • Unknown inbox rules (especially ones that forward mail or move it to Junk, Notes, or RSS Subscriptions).
        • External forwarding suddenly enabled.
        • Suspicious items in Sent Items or Deleted Items.
        • Unusual signature changes.
      • These symptoms are described in Respond to a compromised cloud email account.
    3. Secure the user account immediately if compromise is suspected
      Typical remediation steps include:
      • Reset the user’s password.
      • Ensure multi-factor authentication (MFA) is enabled.
      • Sign out active sessions and revoke any suspicious app permissions.
      • Remove any malicious inbox rules and disable any unexpected external forwarding.
    4. Use Defender reports to see if this is an isolated or broader issue
      • In the Microsoft Defender portal, open the Compromised users report (Email & collaboration reports → Compromised users).
      • Check if the user is marked Suspicious or Restricted, and whether there are spikes in other accounts. This helps determine if there is a wider compromise.
    5. Monitor and tune alerting
      • The Suspicious email sending patterns detected alert is a default alert policy and is designed as an early warning. Continue to monitor this user and others for additional alerts.
      • If users are later restricted from sending, use the related guidance under outbound spam and restricted users to restore them only after confirming they are clean.

    If, after review, the activity is legitimate (for example, a one-time bulk mailing), document the business reason and continue to monitor, but do not disable the alert policy, as it is a key control for detecting compromised accounts.


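The inbox-rule check from step 2 of the answer above, as an added example (not part of the original thread and not Microsoft tooling). It triages inbox rules exported to JSON and assumes the export keeps the `Get-InboxRule` property names (`Name`, `Enabled`, `ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, `MoveToFolder`); the sample rules and the `contoso.com` / `example.net` domains are constructed.

```python
import re

# Folders the answer names as places where rules hide mail (compared lowercase).
HIDING_FOLDERS = {"junk", "junk email", "notes", "rss subscriptions"}
# Get-InboxRule properties that send copies of mail somewhere else.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample export; rule names, domains and addresses are made up.
SAMPLE_RULES = [
    {"Name": "..", "Enabled": True,
     "ForwardTo": ['"drop" [SMTP:drop@example.net]']},
    {"Name": "cleanup", "Enabled": False, "MoveToFolder": "RSS Subscriptions"},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "RedirectTo": '"Alice" [SMTP:alice@contoso.com]'},
]


def external_targets(values, internal_domains):
    """Return addresses found in `values` whose domain is not internal."""
    if isinstance(values, str):  # tolerate a single string instead of a list
        values = [values]
    found = []
    for value in values or []:
        for match in ADDRESS.finditer(value):
            if match.group(1).lower() not in internal_domains:
                found.append(match.group(0).lower())
    return found


def triage_rule(rule, internal_domains):
    """Return the reasons one inbox rule deserves a manual look."""
    reasons = []
    for field in FORWARD_FIELDS:
        for addr in external_targets(rule.get(field), internal_domains):
            reasons.append(f"{field} sends mail to external address {addr}")
    folder = (rule.get("MoveToFolder") or "").strip()
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    if reasons and not rule.get("Enabled", True):
        reasons.append("rule is currently disabled")
    return reasons


def triage_mailbox(rules, internal_domains):
    """Map rule name to its findings, skipping rules with nothing to report."""
    domains = {d.lower() for d in internal_domains}
    results = ((r.get("Name", "<unnamed>"), triage_rule(r, domains)) for r in rules)
    return {name: reasons for name, reasons in results if reasons}
```

Calling `triage_mailbox(SAMPLE_RULES, ["contoso.com"])` flags the `..` and `cleanup` rules and leaves `Newsletters` alone; a disabled rule is still reported, with a note, because it is evidence that the mailbox was tampered with.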
