Potentially compromised user account - Spam Filtering?

Kurstie Lenear 1 Reputation point

Recently one of our organizations Office 365 accounts has been getting triggered with a high-severity alert. The User is then restricted from sending emails outside of the organization. The user "has been restricted from sending messages outside the organization due to potential compromised activity. "

I have looked at various Microsoft Learn, including "Responding to a Compromised Email Account", "Remove blocked users from the Restricted users portal in Microsoft 365", "Exchange Online limits", and "Configure outbound spam filtering in EOP".

This account is used to send automated emails, not necessarily "bulk" emails since each one's contents are created per some business logic. We have a proprietary app sending these emails using SMTP basic auth. This functionality has been in place since 2017 but recently started to trigger alerts and lock the account. We are no where near the sending limits defined by Microsoft.

I am wondering if this is something we can resolve by configuring the outbound spam filtering in EOP?

This is a bit outside of my wheelhouse and I want to make sure we are not opening ourselves up for security vulnerabilities. Is there a way to request Microsoft support via the Office 365 Defender portal or would I need to contact a consultant for more specifics?

Any advice is appreciated, thanks!

Windows 365 Enterprise
Windows 365 Business
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
6,832 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andy David - MVP 130.5K Reputation points MVP

    You could open a ticket with 365 support and ask for some guidance. That's what I would do.
    Note that "bulk" mail sending is not technically supported, so even though you may not be hitting established limits, the service is probably detecting the type or email and how its being sent as "Spammy" or potentially compromised.
    That said, I have seen this many times and the choice is to either live with it, use a 3rd party solution ( recommended) or... open a ticket with 365 and let them know what you are seeing and how these messages are being sent, they may be able to assist. This happens to a lot of orgs and is not uncommon, nor is the request of many to somehow allow these type of mailings.



    2 people found this answer helpful.
    0 comments No comments