Compromised Unprovisioned Tenant Account

Steve Russell 6 Reputation points
2020-07-26T22:07:30.583+00:00

Hello All,

I have started receiving the following alerts since the weekend:

A high-severity alert has been triggered
⚠ Tenant restricted from sending unprovisioned email
Severity: ● High
Time: 7/26/2020 9:33:00 PM (UTC)
Activity: Potentially compromised tenant
User: SecurityComplianceEvent
Details: A majority of traffic related to unprovisioned domains from this tenant has been detected. This is considered suspicious and usually related to a compromised connector. As such, the tenant has been restricted from sending email with unregistered domains. Investigate any potentially compromised user/admins, new connectors, or open relays and contact support to unblock your tenant.

Is anyone able to provide troubleshooting steps for this one? Perhaps I have an account that has been compromised - how would I find out what account would be causing this alert, and what actions do I need to take?

Thanks

Microsoft Exchange Online Management

3 answers

  1. Satyajit321 6 Reputation points
    2020-07-27T05:47:42.393+00:00

    Hi @Steve Russell ,

    • Start with a message trace or historical trace to check whether there are emails originating (outbound) from your tenant which appear to be from a domain you don't own or haven't onboarded yet.
    • Set up a transport rule to trigger reports for all external emails except those with your own domains as senders.
    • Once you identify those emails, you can do a pinpoint investigation to identify the source of that email and remediate accordingly.
    • In addition, as suggested by Kyle, you might find more details on the alerts when viewed in the portal.

    Regards,

    Satyajit

    1 person found this answer helpful.
    0 comments

  2. KyleXu-MSFT 26,241 Reputation points
    2020-07-27T02:48:20.34+00:00

    Did you create any new receive connector on Exchange Online? Or did you enable relay on your existing receive connector? If so, this alert is caused by some tool relaying too many emails from your Exchange server.

    If the connector was created by yourself to relay email, I think you could ignore this alert. If you didn't configure any relay on your Exchange Online, you can delete all existing connectors on your Exchange Online.

    You can get more detailed information from the Office 365 Security & Compliance

    You can also create a service request from the Office 365 admin center to the Office 365 team to let them help you check from the backend.

    0 comments

  3. Andy David - MVP 145K Reputation points MVP
    2020-07-27T12:16:51.33+00:00

    Message traces in Office 365 will probably not show anything here if the sending domain is not registered with your tenant. Do you have a hybrid environment and/or on-prem Exchange Servers or SMTP servers? They may be compromised internally or open to the internet and relaying mail through a connector through Office 365.
    Office 365 would not allow authenticated mail from an unregistered domain otherwise.

    P.S. Did that alert have an associated sending IP?

    0 comments
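An added example, not posted by anyone in this thread, that scripts Satyajit's first step (trace outbound mail whose sender domain is not one you own) and Kyle's check (review the inbound connectors that could be relaying). It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run as an admin; `$Days` is an assumed window. Andy's caveat still applies: if the trace shows nothing, the relaying host is likely on-prem or hybrid and its own logs are the next place to look.

```powershell
# Added example, not from any answer on this page. Assumes the ExchangeOnlineManagement
# module is installed and Connect-ExchangeOnline has already been run as an admin.
# Get-MessageTrace only covers the last 10 days, so $Days must stay at or below that.
$Days  = 7
$end   = Get-Date
$start = $end.AddDays(-$Days)

# 1. Domains this tenant actually owns/onboarded; anything else is "unprovisioned".
$accepted = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() })

# 2. Pull the full trace for the window; Get-MessageTrace returns at most 5000 rows per page.
$trace = @()
$page  = 1
do {
    $batch  = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $trace += $batch
    $page++
} while ($batch.Count -eq 5000)

# 3. Tag each message with its sender domain and keep the ones whose domain is neither an
#    accepted domain nor a subdomain of one.
$unprovisioned = $trace |
    Select-Object *, @{ n = 'SenderDomain'; e = { ($_.SenderAddress -split '@')[-1].ToLowerInvariant() } } |
    Where-Object {
        $d = $_.SenderDomain
        -not ($accepted | Where-Object { $d -eq $_ -or $d.EndsWith(".$_") })
    }

# 4. Summarise by sender domain and source IP. A compromised connector or open relay
#    usually appears as one FromIP sending for many domains the tenant does not own.
$unprovisioned |
    Group-Object SenderDomain, FromIP |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'SenderDomain'; e = { $_.Group[0].SenderDomain } },
                  @{ n = 'FromIP';       e = { $_.Group[0].FromIP } },
                  @{ n = 'FirstSeen';    e = { ($_.Group | Sort-Object Received)[0].Received } } |
    Format-Table -AutoSize

# 5. Kyle's check: review inbound connectors. An OnPremises connector with
#    RestrictDomainsToIPAddresses off, or one nobody recognises, is the first thing to look at.
Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, RestrictDomainsToIPAddresses,
                  SenderIPAddresses, WhenCreated |
    Format-Table -AutoSize
```

The FromIP column in the first table is the sending IP Andy asks about in his P.S.; compare it against the SenderIPAddresses of each connector in the second table to see which connector (if any) let that host relay.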