Respond to a compromised connector
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Connectors are used for enabling mail flow between Microsoft 365 or Office 365 and email servers that you have in your on-premises environment. For more information, see Configure mail flow using connectors in Exchange Online.
An inbound connector is considered compromised when an unauthorized individual changes an existing inbound connector, or creates a new inbound connector in a Microsoft 365 tenant, with the intention of sending spam or phishing email. This applies only to inbound connectors of type OnPremises.
Detect a compromised connector
Here are some of the characteristics of a compromised connector:
- A sudden spike in outbound mail volume.
- A mismatch between P1 and P2 senders in outbound mail. For more information on P1 and P2 senders, see How EOP validates the From address to prevent phishing.
- Outbound mail sent from a domain that is not provisioned or registered.
- The connector is blocked from sending or relaying mail.
- The presence of an inbound connector that wasn't created by the intended user or the administrator.
- Unauthorized changes to an existing connector's configuration, such as its name, domain name, or IP address.
- A recently compromised administrator account. Note that connector configuration can be edited only with administrative access.
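The characteristics above are easiest to spot when the current connector configuration is compared with a known-good record of it. The following Exchange Online PowerShell script is an added example and not part of the Microsoft article: it reads every inbound connector of type OnPremises with Get-InboundConnector and reports connectors that are not in the baseline, sender IP ranges that were added or removed, relaxed TLS settings, and connectors changed inside a review window. The baseline hashtable, the connector name OnPrem-Relay, the IP addresses (RFC 5737 documentation range) and the seven-day window are constructed placeholders; it assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example (not from the Microsoft article). Compares inbound OnPremises
# connectors with a known-good baseline and reports the compromise characteristics
# listed above. Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Known-good configuration captured at the last change review (constructed values).
# Record SenderIPAddresses exactly as your on-premises gateway presents them.
$Baseline = @{
    'OnPrem-Relay' = @{                                              # assumed connector name
        SenderIPAddresses        = @('203.0.113.10', '203.0.113.11') # RFC 5737 documentation range
        TlsSenderCertificateName = $null
        RequireTls               = $false
    }
}
$ReviewWindowDays = 7   # flag anything changed more recently than this

function Get-ListDiff {
    param([string[]]$Expected, [string[]]$Actual)
    # Plain containment test: Compare-Object rejects an empty reference array.
    [pscustomobject]@{
        Added   = @($Actual   | Where-Object { $_ -notin $Expected })
        Removed = @($Expected | Where-Object { $_ -notin $Actual })
    }
}

function Test-InboundConnectorBaseline {
    param([hashtable]$Baseline, [int]$ReviewWindowDays)

    $connectors = @(Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' })
    foreach ($c in $connectors) {
        $expected = $Baseline[$c.Name]

        if (-not $expected) {
            # Characteristic: an inbound connector that nobody on the team created.
            [pscustomobject]@{ Connector = $c.Name; Finding = 'Not in baseline'; Detail = "Created $($c.WhenCreated)" }
            continue
        }

        # Characteristic: sender IP ranges added or removed from the connector.
        $actualIps = @($c.SenderIPAddresses | ForEach-Object { $_.ToString() })
        $diff = Get-ListDiff -Expected $expected.SenderIPAddresses -Actual $actualIps
        if ($diff.Added.Count -or $diff.Removed.Count) {
            [pscustomobject]@{ Connector = $c.Name; Finding = 'SenderIPAddresses changed'
                               Detail = "Added: $($diff.Added -join ',') Removed: $($diff.Removed -join ',')" }
        }

        # Characteristic: TLS requirement relaxed or certificate name swapped.
        if ($c.RequireTls -ne $expected.RequireTls -or
            [string]$c.TlsSenderCertificateName -ne [string]$expected.TlsSenderCertificateName) {
            [pscustomobject]@{ Connector = $c.Name; Finding = 'TLS settings changed'
                               Detail = "RequireTls=$($c.RequireTls) Cert=$($c.TlsSenderCertificateName)" }
        }

        # Characteristic: modified inside the review window, by whoever did it.
        if ($c.WhenChanged -gt (Get-Date).AddDays(-$ReviewWindowDays)) {
            [pscustomobject]@{ Connector = $c.Name; Finding = 'Recently changed'; Detail = "WhenChanged $($c.WhenChanged)" }
        }
    }

    # A baseline connector that has disappeared is also worth a look.
    foreach ($name in $Baseline.Keys) {
        if ($name -notin $connectors.Name) {
            [pscustomobject]@{ Connector = $name; Finding = 'Missing from tenant'; Detail = '' }
        }
    }
}

Test-InboundConnectorBaseline -Baseline $Baseline -ReviewWindowDays $ReviewWindowDays | Format-Table -AutoSize
```

The script only reports; once a finding is confirmed as unauthorized, the baseline values are what you hand to Set-InboundConnector (for example its SenderIPAddresses parameter) in Step 2 to revert the change. Keep the baseline in version control and refresh it after every approved change so the comparison stays meaningful.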
Secure and restore email function to a suspected compromised connector
You must complete all the following steps to regain access to your connector. These steps help you remove any back-door entries that may have been added to your connector.
Step 1: Identify if an inbound connector has been compromised
Review recent suspicious connector traffic or related messages
If you have Microsoft Defender for Office 365 Plan 2, go directly to https://security.microsoft.com/threatexplorer.
- Select Connector, enter the connector name, select a date range, and then click Refresh.
- Identify whether there's any abnormal spike or dip in email traffic.
- Identify:
  - Whether the Sender IP matches your organization's on-premises IP address.
  - Whether a significant number of emails were recently sent to the Junk folder. This is a good indicator of a compromised connector being used to send spam.
  - Whether the recipients are the ones that your organization usually stays in contact with.
If you have Microsoft Defender for Office 365 Plan 1 or Exchange Online Protection, go to https://admin.exchange.microsoft.com/#/messagetrace.
- Open the Suspicious connector activity alert in https://security.microsoft.com/alerts.
- Select an activity under Activity list, and copy the suspicious connector domain and IP address detected in the alert.
- Search by connector domain and IP address in Message trace.
- In the Message trace search results, identify:
  - Whether a significant number of emails were recently marked as FilteredAsSpam. This is a good indicator of a compromised connector being used to send spam.
  - Whether the recipients are the ones that your organization usually stays in contact with.
Investigate and validate connector-related activity
Use the following PowerShell command to investigate and validate connector-related activity by a user in the audit log. Replace each <ExDateTime> placeholder with the start and end of the period you want to review. For more information, see Use a PowerShell script to search the audit log.
Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector","Set-InboundConnector","Remove-InboundConnector"
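The raw records returned by that command keep the interesting fields (who, when, which connector, which parameters) inside the AuditData property as a JSON string. The following function is an added example, not part of the Microsoft article: it runs the same search for a date range, pages through the results, and unpacks AuditData so each row shows the acting user, the operation, the connector and the parameters that were set. The function name, the default 30-day window and the session ID prefix are assumptions; it assumes an existing Connect-ExchangeOnline session, and ClientIP is shown only where the record carries it.

```powershell
# Added example (not from the Microsoft article). Searches the unified audit log
# for inbound-connector changes and flattens each record's AuditData JSON into a
# reviewable table. Requires an Exchange Online PowerShell session.

function Get-ConnectorAuditActivity {   # assumed function name
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-30),   # assumed default window
        [datetime]$EndDate   = (Get-Date)
    )

    $ops = 'New-InboundConnector', 'Set-InboundConnector', 'Remove-InboundConnector'

    # A single call returns at most 5000 records; use a session ID to page through larger sets.
    $sessionId = "ConnectorReview-$([guid]::NewGuid())"
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -Operations $ops -ResultSize 5000 `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet

        foreach ($rec in $page) {
            # AuditData is a JSON string on every unified audit log record.
            $data = $rec.AuditData | ConvertFrom-Json

            # Parameters is an array of {Name, Value}; flatten it to "Name=Value" for reading.
            $params = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '

            [pscustomobject]@{
                Time      = $data.CreationTime
                User      = $data.UserId      # the account that ran the cmdlet
                Operation = $data.Operation   # New-/Set-/Remove-InboundConnector
                Connector = $data.ObjectId    # connector identity the cmdlet acted on
                ClientIP  = $data.ClientIP    # populated only when the record carries it
                Params    = $params
            }
        }
    } while (@($page).Count -gt 0)
}

# Review the last 30 days; pipe to Export-Csv to keep the result as evidence.
Get-ConnectorAuditActivity | Sort-Object Time | Format-Table -AutoSize
```

Read the Params column against the baseline from your last change review: a Set-InboundConnector record whose SenderIPAddresses or SenderDomains value is not in the baseline, or a New-InboundConnector record from an account that does not normally manage mail flow, is the unauthorized activity that Step 2 reverts and Step 4 follows up on.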
Step 2: Review and revert unauthorized change(s) in a connector
Sign into https://admin.exchange.microsoft.com/.
Review and revert unauthorized connector change(s).
Step 3: Unblock the connector to re-enable mail flow
Sign into https://security.microsoft.com/restrictedentities.
Select the restricted connector, and then unblock it.
Step 4: Investigate and remediate potentially compromised administrative user account
If a user with unauthorized connector activity is identified, investigate that user for potential compromise. For more information, see Responding to a Compromised Email Account.