Respond to a compromised connector

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Connectors are used for enabling mail flow between Microsoft 365 or Office 365 and email servers that you have in your on-premises environment. For more information, see Configure mail flow using connectors in Exchange Online.

An inbound connector is considered compromised when an unauthorized individual either changes an existing inbound connector or creates a new inbound connector in a Microsoft 365 tenant in order to send spam or phishing email. Note that this applies only to inbound connectors of type OnPremises.

Detect a compromised connector

Here are some of the characteristics of a compromised connector:

  • Sudden spike in outbound mail volume.

  • Mismatch between P1 and P2 senders in outbound mails. For more information on P1 and P2 senders, see How EOP validates the From address to prevent phishing.

  • Outbound mail sent from a domain that isn't provisioned or registered.

  • The connector has been blocked from sending (relaying) mail.

  • An inbound connector exists that wasn't created by the intended user or the administrator.

  • Unauthorized change(s) in an existing connector's configuration, such as its name, domain name, or IP address.

  • A recently compromised administrator account. Note that you can edit connector configuration only if you have administrative access.

Secure and restore email function to a suspected compromised connector

You must complete all the following steps to regain access to your connector. These steps help you remove any back-door entries that may have been added to your connector.

Step 1: Identify if an inbound connector has been compromised

If you have Microsoft Defender for Office 365 Plan 2, go directly to https://security.microsoft.com/threatexplorer.

  1. Select Connector, enter the connector name, select a date range, and then click Refresh.

    Screenshot: Inbound connector explorer view

  2. Identify if there's any abnormal spike or dip in email traffic.

    Screenshot: Number of emails delivered to the Junk folder

  3. Identify:

    • Whether the sender IP matches your organization's on-premises IP address.

    • Whether a significant number of emails were recently sent to the Junk folder. This is a good indicator of a compromised connector being used to send spam.

    • Whether the recipients are ones that your organization usually communicates with.

    Screenshot: Sender IP compared with your organization's on-premises IP address

If you have Microsoft Defender for Office 365 Plan 1 or Exchange Online Protection, go to https://admin.exchange.microsoft.com/#/messagetrace.

  1. Open Suspicious connector activity alert in https://security.microsoft.com/alerts.

  2. Select an activity under Activity list, and copy the suspicious connector domain and IP address detected in the alert.

    Screenshot: Connector compromise outbound email details

  3. Search by using the connector domain and IP address in Message trace.

    Screenshot: New message trace flyout

  4. In the Message trace search results, identify:

    • Whether a significant number of emails were recently marked as FilteredAsSpam. This is a good indicator of a compromised connector being used to send spam.

    • Whether the recipients are ones that your organization usually communicates with.

    Screenshot: New message trace search results

Use the following PowerShell command to investigate and validate connector-related activity by a user in the audit log. For more information, see Use a PowerShell script to search the audit log.

Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector", "Set-InboundConnector", "Remove-InboundConnector"
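The one-line search above returns raw records whose AuditData column is a JSON string. The following script is an added example, not part of the Microsoft article: it runs the same search for the last 30 days, expands each record into the fields an investigator needs (who made the change, from which client IP, on which connector, with which parameters), and groups the results by actor. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and an account permitted to search the unified audit log; the 30-day window is an assumption and should be replaced with the window of the alert you are investigating.

```powershell
# Added example (not from the Microsoft article): expand connector-related
# audit records and summarise who changed which connector.
# Assumes an Exchange Online PowerShell session; adjust the date range to
# the window covered by the Suspicious connector activity alert.
Connect-ExchangeOnline   # prompts for an admin sign-in

$start = (Get-Date).AddDays(-30)   # assumed window; change as needed
$end   = Get-Date

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations "New-InboundConnector", "Set-InboundConnector", "Remove-InboundConnector" `
    -ResultSize 5000

# AuditData is a JSON string; pull out the fields that matter for the review.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Parameters is a list of Name/Value pairs that were passed to the cmdlet.
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    [pscustomobject]@{
        Time      = $d.CreationTime
        Actor     = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        Connector = $d.ObjectId     # the connector the cmdlet targeted
        Params    = $params
    }
}

# Timeline of every connector change in the window.
$events | Sort-Object Time | Format-Table Time, Actor, ClientIP, Operation, Connector -AutoSize

# Changes to the settings that decide which mail the connector accepts
# (sender IPs, sender domains, type, enabled state) deserve a closer look.
$events | Where-Object { $_.Params -match 'SenderIPAddresses|SenderDomains|ConnectorType|Enabled' } |
    Format-List Time, Actor, Operation, Connector, Params

# Actors you don't recognise, or admin accounts acting from unfamiliar IPs,
# are candidates for the account investigation in Step 4.
$events | Group-Object Actor | Select-Object Name, Count
```

Compare the Actor and ClientIP columns against the administrators and network locations you expect; a legitimate admin account acting from an unexpected IP is the same signal as an unknown account, since connector changes require administrative access.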

Step 2: Review and revert unauthorized change(s) in a connector

  1. Sign into https://admin.exchange.microsoft.com/.

  2. Review the inbound connectors and revert any unauthorized change(s).
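Reviewing connectors in the admin center works for a handful of connectors, but a scripted comparison against the configuration you documented when each connector was created catches changes a visual check can miss. The script below is an added example, not part of the Microsoft article: it lists the OnPremises inbound connectors, compares each one's sender IP addresses and sender domains with a baseline, and reports any connector that is missing from the baseline or whose settings differ. The baseline values (the connector name and the TEST-NET-3 addresses) are constructed placeholders; it assumes an existing Exchange Online PowerShell session.

```powershell
# Added example (not from the Microsoft article): compare OnPremises inbound
# connectors with a documented baseline and flag drift.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Constructed baseline: connector name => the settings you documented when it
# was created. Replace with your own on-premises IP ranges and sender domains.
$expected = @{
    'OnPrem-to-M365' = @{
        SenderIPAddresses = @('203.0.113.10', '203.0.113.11')   # placeholder addresses
        SenderDomains     = @('*')
    }
}

function Test-SameSet([string[]]$Expected, [string[]]$Actual) {
    # Order-insensitive comparison of two lists of strings.
    (($Expected | Sort-Object) -join ',') -eq (($Actual | Sort-Object) -join ',')
}

$connectors = Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }

foreach ($c in $connectors) {
    $findings = @()
    if (-not $expected.ContainsKey($c.Name)) {
        # A connector nobody documented is exactly what the detection list warns about.
        $findings += "not in baseline (created $($c.WhenCreated))"
    } else {
        $base = $expected[$c.Name]
        $ips = @($c.SenderIPAddresses | ForEach-Object { "$_" })
        if (-not (Test-SameSet $base.SenderIPAddresses $ips)) {
            $findings += "SenderIPAddresses changed: $($ips -join ',')"
        }
        # SenderDomains entries render as 'smtp:<domain>;<cost>'; keep the domain part.
        $domains = @($c.SenderDomains | ForEach-Object { (("$_" -split ':')[1] -split ';')[0] })
        if (-not (Test-SameSet $base.SenderDomains $domains)) {
            $findings += "SenderDomains changed: $($domains -join ',')"
        }
    }
    [pscustomobject]@{
        Name        = $c.Name
        Enabled     = $c.Enabled
        WhenChanged = $c.WhenChanged
        Findings    = if ($findings) { $findings -join '; ' } else { 'matches baseline' }
    }
}

# After reverting unauthorized changes (in the admin center or with
# Set-InboundConnector), a connector that should not exist at all can be
# disabled until the investigation in Step 4 is complete:
#   Set-InboundConnector -Identity '<ConnectorName>' -Enabled $false
```

The WhenChanged value in the output should line up with the audit-log timeline from Step 1; a connector whose WhenChanged falls inside the alert window but has no matching entry from a known administrator is the one to revert first.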

Step 3: Unblock the connector to re-enable mail flow

  1. Sign into https://security.microsoft.com/restrictedentities.

  2. Select the restricted connector to unblock the connector.

Step 4: Investigate and remediate potentially compromised administrative user account

If a user with unauthorized connector activity is identified, investigate that user for potential compromise. For more information, see Responding to a Compromised Email Account.

More information