In a previous post, I wrote about how Exchange Online Protection monitors the email traffic sent from mailboxes to detect potential problems like compromised accounts or bulk mailings. These mailboxes are blocked (restricted) to stop outbound messages. Administrators can lift the restrictions on the mailboxes to resume normal service, hopefully after discovering a root cause.
After blocking individual mailboxes, the next escalation occurs when Exchange Online Protection considers that a component of the tenant might be compromised, and a wider restriction is necessary. At this point, the “tenant restricted from sending unprovisioned email” alert fires. This is one of the standard alert policies installed in Office 365 tenants, defined as happening “when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email.” Figure 1 shows the settings of the alert policy as viewed through the Security and Compliance Center.
Figure 1: The Office 365 Alert Policy that restricts tenants from sending email
Alert Notification
When the alert fires – and every hour or so thereafter until the alert is cleared – Exchange emails the tenant administrators a notification (email is OK because it’s an internal message) to inform them about the restriction (Figure 2).
Figure 2: Notification sent to administrators when a tenant is restricted
Lack of Clarity and Precision in Notification
It’s important that notifications to tenant administrators are concise and clear. When I received this notification, I was confused about its meaning. The biggest issues are:
“Unprovisioned” and “unregistered” domains are both mentioned. Microsoft’s online documentation doesn’t define what these domains are. As it turns out, both refer to domains that are not registered as accepted domains for the tenant.
The first line of the notification therefore means that Exchange Online Protection has detected that most of the traffic from the tenant is related to unaccepted domains. This could be perfectly normal, especially for tenants with a small number of users where most of their communication might be with external correspondents.
The second line says that the suspicious traffic is usually related to a compromised connector. However, my tenant doesn’t have any connectors (apart from those created by Exchange Online). It’s easy to check the messaging configuration of a tenant and highlight areas to check in email, a step that would have made the notification more valuable.
The third line says that the tenant has been restricted from sending email with unregistered domains. Going back to the point about accepted domains, surely this means that no email can be sent to any external domain. But that’s not what happened because I was able to send and receive email with domains such as Microsoft.com while the restriction was in force.
The last line advises the administrators to check for compromised user accounts, new connectors, or open relays. It would be nice if Microsoft included a link to a checklist for administrators to consult, and even better if Microsoft tailored the checklist to take account of the tenant configuration.
The net outcome is that I knew that Exchange Online Protection was worried about some traffic from the tenant and had done something to restrict some functionality. However, the lack of clarity and precision in the text meant that I was unsure of what caused the problem and how it should be resolved.
Resolving the Block
The first step in resolving any problem with email restriction is to make sure that there’s no obvious sign of problems with accounts or connectors. Are any accounts generating more email traffic than normal and if so, why? Is the traffic external or internal? Do the account owners know about the traffic? Have any new connectors been created, and so on.
If modern authentication with MFA is used for all accounts, it’s much less likely that accounts will be compromised (this is why Microsoft is removing basic authentication for several Exchange connection protocols). If this is the case, you should use message traces to check who is generating email traffic and try to understand if a spike in traffic is causing problems. For my tenant, the problem seemed to be caused by sending email to some large distribution lists where most of the members are external mail contacts. Microsoft’s monitoring picked up the traffic as a possible indication of spam (even though the messages were perfectly valid) and imposed the block.
Tenant administrators can’t lift the block. You must contact Microsoft Support and ask them to remove the block. Before you do this, gather evidence to prove that you’ve done the due diligence to check the tenant for problems like open relays, compromised accounts, new connectors, and so on. Doing this avoids wasting time while the support professional tries to understand the full scope of the problem. I’ve criticized Microsoft Support in the past, but when I contacted them about this issue, the problem was resolved quickly and without fuss.
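One way to gather that evidence from Exchange Online PowerShell, as an added example rather than a script from the original post. It assumes a session already opened with Connect-ExchangeOnline; the two-day window, variable names and output file names are illustrative choices.

```powershell
# Added example: collect per-sender traffic and connector details for a support case.
# Assumes an existing Connect-ExchangeOnline session; window and file names are arbitrary.
$start = (Get-Date).AddDays(-2)
$end   = Get-Date

# Accepted domains define what counts as "internal" for this tenant.
$accepted = @((Get-AcceptedDomain).DomainName)

# Page through the message trace (5000 rows is the maximum page size).
$trace = @()
$page  = 1
do {
    $batch  = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $trace += $batch
    $page++
} while ($batch.Count -eq 5000)

# Keep only mail sent by tenant addresses, then split each sender's
# traffic into internal and external recipients.
$outbound = $trace | Where-Object {
    $accepted -contains ($_.SenderAddress -split '@')[-1]
}
$bySender = $outbound | Group-Object SenderAddress | ForEach-Object {
    $external = @($_.Group | Where-Object {
        $accepted -notcontains ($_.RecipientAddress -split '@')[-1]
    })
    [pscustomobject]@{
        Sender      = $_.Name
        Total       = $_.Count
        External    = $external.Count
        ExternalPct = [math]::Round(100 * $external.Count / $_.Count, 1)
    }
} | Sort-Object External -Descending

# List every connector with its creation date so new ones stand out.
$connectors = (@(Get-InboundConnector) + @(Get-OutboundConnector)) |
    Select-Object Name, ConnectorType, Enabled, WhenCreated |
    Sort-Object WhenCreated -Descending

# Save both views to attach to the support request.
$bySender   | Export-Csv -Path .\SenderTraffic.csv -NoTypeInformation
$connectors | Export-Csv -Path .\Connectors.csv -NoTypeInformation

$bySender | Select-Object -First 10 | Format-Table -AutoSize
$connectors | Format-Table -AutoSize
```

A sender with a high external count is not necessarily compromised: a message to a distribution list whose members are mostly external mail contacts produces exactly this pattern, so compare the top senders against what their owners say they sent.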
Improving Through Experience
Blocks and restrictions are needed to ensure that no tenant can soak resources in a multi-tenant environment like Office 365. Exchange Online Protection usually does a good job of protecting Exchange mailboxes from spam and malware. Microsoft has deployed a lot of machine learning and artificial intelligence to pick up problems as they emerge. In this instance, the algorithms were a little too sensitive and the notification wasn’t nearly precise enough. Feedback has been given to Microsoft to allow them to tweak things as needed. Here’s hoping this happens soon!
Sorting out why things happen inside Office 365 tenants is our passion. Learn more by subscribing to the Office 365 for IT Pros eBook and get monthly updates about everything important that happens inside Office 365.