When Exchange Online Protection Blocks Email Senders

Exchange Online Isn’t for Bulk Email

Microsoft makes it quite clear that Exchange Online is not a platform for mass mailing. Limits exist to stop people who want to send bulk mail (spam) or whose mailboxes are taken over by malware. Essentially, even though Microsoft recently increased the maximum recipient limit for a message from 500 to 1,000, it doesn’t mean that you should switch mass mailings to Exchange Online from commercial mailing platforms like Mailchimp.

Most of the time, my mailbox never comes to the attention of Exchange Online Protection and the monitoring tools that look for evidence of misuse. I usually don’t send enough email to ever run into the limits. But occasionally, I need to send messages to reasonably large distribution lists (200 to 600 members). I was curious to discover at what point Exchange Online clamped down.

Sender Limits

The documented limit for accounts holding Office 365 E3 or E5 licenses is 10,000 recipients per day. A distribution list managed by the tenant (not a personal list) counts as a single recipient. Controlling mailboxes by measuring the number of messages they send is a crude control mechanism. Exchange Online Protection applies more intelligent algorithms to pick up unusual activity which might be a sign that something’s going on. The settings used by Microsoft to detect problematic senders are undocumented (as you’d expect), but you can force Exchange Online Protection to take an interest in your sending activity.

For instance, if someone who typically sends 10-15 messages daily suddenly sends 200 messages over a short period or suddenly starts to send messages to large distribution lists, it might be that they’ve been told to get a message out about something like a new price list to customers. A one-off event isn’t enough to create suspicion, but other signs might exist to increase confidence that something’s wrong. An example is that because hyperlinks can lead the unwary into bad places, messages containing links are more suspect than those with plain text.

A single spike in traffic from a mailbox probably isn’t serious, but if the observed behavior of the mailbox over time deviates significantly from its expected norm, then the account might be compromised, and action is necessary. To ensure that a potentially-compromised account can’t be used to send spam or malware, Exchange Online Protection restricts (blocks) the mailbox. This means that the user is permitted to send messages to internal recipients but not to external recipients, including mail contacts and guest users registered in the tenant directory.

The Block Descends

I tested the theory by sending some messages containing hyperlinks to distribution lists over the course of a working day. Sure enough, after sending messages to circa 2,500 recipients spread across several distribution lists, Exchange Online Protection decided enough was enough and blocked my mailbox. When it imposes a block, Exchange Online generates NDRs (Figure 1) for every external message the user tries to send. The text of the message is:

“Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance. Remote Server returned ‘550 5.1.8 Access denied, bad outbound sender.’”

Figure 1: The NDR received by a mailbox blocked by Exchange Online Protection

In addition, tenant administrators receive a notification about the blocked user. A HygieneEvent Office 365 audit event is logged to record the blocking, and an AlertEntityGenerated event is logged for the alert which generates the notification to administrators. “User restricted from sending email” is one of the standard alert policies created by Office 365 to alert administrators about problems in the tenant.

Unblocking Accounts

To investigate and unblock restricted accounts, an administrator goes to the Restricted Users section of the Security and Compliance Center to check the current list of blocked users (Figure 2). In this case, an account (mine) is restricted because Exchange Online Protection observed a high percentage (20.75%) of suspicious messages over the last 24 hours.

Figure 2: Viewing restricted accounts in the Office 365 Security and Compliance Center

total for outbound messages is noted as 36. The two figures don’t quite make sense; 747 divided by 36 is 20.75, which is the percentage of spam reported. Microsoft needs to do some work to clarify the reported data and make it more precise.

Unblocking in PowerShell

As expected, the underlying Get-BlockedSenderAddress cmdlet doesn’t help much either. The message trace identifier reported here doesn’t work with the Get-MessageTrace cmdlet.

Get-BlockedSenderAddress | Format-List SenderAddress, Reason

Reason: OutboundSpamLast24Hours=747;OutboundMailLast24Hours=36;OutboundSpamPercent=2075;Last Spam Message MessagetraceId:b2223b2d-469d-440c-b409-08d82a588f0e;AS:1135

If you recognize a blocked account and know that it shouldn’t be blocked, you can release the account using the Microsoft Purview Compliance portal or with PowerShell. Here’s how to do it with the Remove-BlockedSenderAddress cmdlet:

Remove-BlockedSenderAddress -SenderAddress Tony.Redmond@Office365itpros.com -Reason "No problem with this account"

I can’t find an audit event logged when an account is unblocked. An unblocked account can’t send messages immediately as mail servers which handle outbound messages must be updated about the block being released. Updating all servers can take up to an hour.
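To triage restricted senders from PowerShell, here is an added example (not code from the original post) that parses the Reason string returned by Get-BlockedSenderAddress into structured fields and then looks for the HygieneEvent audit record that the block generates. It assumes a connected Exchange Online PowerShell session and that HygieneEvent is accepted as a -RecordType value by Search-UnifiedAuditLog; the function name is my own.

```powershell
# Added example, not from the original post. Parses the semicolon-separated Reason
# string that Get-BlockedSenderAddress returns into a structured object for triage.
function ConvertFrom-BlockedSenderReason {
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [Parameter(Mandatory)][string]$Reason
    )
    $fields = @{}
    foreach ($pair in ($Reason -split ';')) {
        # Fields use either '=' or ':' as the separator; split on the first one only
        $name, $value = $pair -split '[:=]', 2
        if ($name -and $null -ne $value) { $fields[$name.Trim()] = $value.Trim() }
    }
    $spam = [int]$fields['OutboundSpamLast24Hours']
    $mail = [int]$fields['OutboundMailLast24Hours']
    [pscustomobject]@{
        SenderAddress   = $SenderAddress
        SpamLast24Hours = $spam
        MailLast24Hours = $mail
        # OutboundSpamPercent is reported without a decimal point (2075 means 20.75)
        SpamPercent     = [int]$fields['OutboundSpamPercent'] / 100
        # Shows the oddity noted in the post: 747 / 36 = 20.75, i.e. the "percent"
        # is spam divided by total mail, not a true percentage
        SpamPerMessage  = if ($mail) { [math]::Round($spam / $mail, 2) } else { $null }
        LastSpamTraceId = $fields['Last Spam Message MessagetraceId']
    }
}

# Constructed sample input, copied from the Reason value shown in the post
$sampleReason = 'OutboundSpamLast24Hours=747;OutboundMailLast24Hours=36;OutboundSpamPercent=2075;Last Spam Message MessagetraceId:b2223b2d-469d-440c-b409-08d82a588f0e;AS:1135'
ConvertFrom-BlockedSenderReason -SenderAddress 'user@example.com' -Reason $sampleReason | Format-List

# Live use: summarise every restricted sender in the tenant
Get-BlockedSenderAddress | ForEach-Object {
    ConvertFrom-BlockedSenderReason -SenderAddress $_.SenderAddress -Reason $_.Reason
}

# Find the HygieneEvent audit records from the last day (the record type the post
# says is written when a sender is restricted) before deciding whether to release
# an account with Remove-BlockedSenderAddress
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType HygieneEvent -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations
```

Compare the SpamPerMessage value with the reported SpamPercent for each sender: when they match, the "percentage" is the ratio the post describes rather than a share of total mail.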

Blocking is Unusual

Dealing with blocked accounts should be an unusual incident. Mailboxes must exhibit some out-of-course behavior before Exchange Online Protection regards them as potentially compromised or a source of spam. And if a block descends, the question is if the account is compromised or it’s because of some unusual email activity on the part of its owner. And that’s where the administrator earns their pay keeping their tenant safe.

We try to discover where limits are in Office 365 and how the limits are implemented so that you don’t find the limits in production. Or at least, if you do, you know what to do next. All documented in the Office 365 for IT Pros eBook.

7 Replies to “When Exchange Online Protection Blocks Email Senders”

  1. Hi Tony, is there a log (audit) to check who removed the user from restricted users in defender restricted space?

    1. I haven’t looked and don’t have anyone in that category right now. You could check the next time it happens by:

      Waiting 30 minutes to be sure that all audit events are logged.
      Running Search-UnifiedAuditLog to see what ‘new’ events are in the log.

      1. Thanks for your reply. Nothing in the unified log. I’ve opened MS support ticket. I hope they will provide anything.

    1. You can’t stop a sender being blocked if they send a volume of messages that Exchange Online Protection deems to be excessive. Don’t use Exchange Online for commercial email like newsletters, etc.
