exchange online
2986 Topics

Policy for limiting external domains and allowing particular external receivers
Hi community,

According to the guide https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-policies-external-email-forwarding I have created the following rule for our test domain:

Rule description
Apply this rule if 'X-MS-Exchange-Inbox-Rules-Loop' header matches the following patterns: '.'
Do the following: Set audit severity level to 'Medium' and reject the message and include the explanation 'Delivery not authorized, message refused' with the status code: '5.7.1'
Except if recipients's address domain portion belongs to any of these domains: 'xyz.com'

Rule idea is to block all external mail forwardings except the ones directed to the domain xyz.com.

______________________________________________

Another rule test I performed:

Apply this rule if Is sent to 'Outside the organization' and sender's address domain portion belongs to any of these domains: 'localdomain.com'
Do the following: Set audit severity level to 'Medium' and reject the message and include the explanation 'external forwarding is not allowed' with the status code: '5.7.1'
Except if recipients's address domain portion belongs to any of these domains: 'xyz.com'.

Unfortunately this is not working, and if I create mailbox-based rules that forward mails, let's say to gmail and to xyz.com both, the mails get dropped with explanation:

Reason: [{LED=250 2.1.5 RESOLVER.MSGTYPE.AF; handled AutoForward addressed to external recipient};{MSG=};{FQDN=};{IP=};{LRT=}]

For both cases I made sure the auto forwarding is enabled under "anti spam" rules in the security admin center. I receive in the mail flow logs messages dropped for a mail located in xyz.com and in gmail.com. The forwarding configured in Outlook on a mail from localdomain.com is intended to auto forward messages to a mail address in gmail.com and in xyz.com, where the mails should arrive. I am wondering what would be the correct policy in order to be able to except a particular ext domain/ext mailbox.
Another approach I found is to disable the auto fwd globally and to enable it for particular users only, but unfortunately it cannot be limited to whom the mailbox can forward, and this is not a useful solution for us.

Regards
Sofia

4 Views, 0 likes, 0 Comments

Emails delayed or not received.
Hello, please, I need your help on this issue. Emails delayed or not received. We have noticed that since last Friday (3rd Oct) emails sent to @livener.net addresses have been delayed or not received. This is using the Outlook app, Apple Mail App and Outlook Online, so I do not believe it is a client issue. In particular a mail from massenzana @runeXXXX to Tony @liveXXXXX and Bernie @liveXXXXX on Friday evening has not been received. It was received by other recipients. Test mails from Tony @gmailXXXX to Tony @liveXXXXX and bernie @liveXXXXX sent at approx 09:40 have not been received. A mail from Bernie @soundXXXX sent at 07:02 this morning arrived at Tony @liveXXXX at 09:49

25 Views, 0 likes, 2 Comments

Why would a hacker/scammer put a domain INTO my exchange online admin?
OK so this is a weird one. I've been doing this a fairly long time but I'm not a full time exchange admin. I help my clients with exchange online often, but I'm a local IT pro, doing all sorts of screwdriver and software work, not just exchange. So maybe this isn't as bizarre as I think it is, but let's see. My client stopped receiving email 2 days ago. Alerted me to it yesterday. They don't know their password but no devices are asking for passwords, so I suspect it's not a password issue. I get logged into my admin and reset their password so we can get into their account. Suddenly they start getting asked for PW on phone and outlook, so we know that the password hadn't been changed prior. I get into account and see new rules sending all emails into archive and trash. So that explains that. So someone broke into the account with the correct password. Easily enough explained. Though weird that it would happen if the user didn't know their own password. So, one question is how did the scammer get into the account. I have looked at the login logs but I don't know what to sort/filter by to really find out anything helpful. Any ideas? So I got into the account and upon resetting his password he is forced to enable MFA. So that's done. I'm in the admin and what do I find? Two NEW domains in the settings. They are set up for exchange online. No users though. Not only that but I can't REMOVE the domains that aren't mine. I get this error when trying to remove it: "The domain coburnsfleetservices.com can't be removed at this time because it was purchased from Microsoft 365. It can only be used with your current Microsoft 365 account. You can remove it from the account once the subscription expires or is canceled." 
Also, in the emails missed in the past 48 hours we got one that said this: "A verified domain was added to your Avenue A Realty Advisors LLC account If this domain wasn't added by an admin in your organization, credentials might have been compromised and we suggest reviewing your password and multifactor authentication settings." I searched online and found contact info for one of the stolen/given domains. Called them and they said they had been hijacked 2 weeks ago, and their email used to send out payment requests to thousands of email addresses. Thought they had it solved a few days ago and it had been silent. Now this. So a second thing I'd like to find out is when exactly those domains were put into my exchange online account. Can I find that info from the logs? Additionally, WHY would someone move unrelated domains into my account? Maybe is the assumption that that happened before 2 weeks ago when that company's domain had been used to send out mass mail? Doesn't seem possible, because that company would have figured out that they no longer controlled their own domain and they couldn't have gotten control of the account again. Or...? I don't know. But while I've seen users tricked into giving out their passwords dozens of times, and their email used to try to solicit money from vendors, I've never seen another domain slipped in. Any ideas? And suggestions how to search the logs to get to the bottom of the missing puzzle pieces? Thanks for any leads!

53 Views, 0 likes, 3 Comments

M365 Business Standard - Email Aliases not displaying how we would expect
New Microsoft 365 Business Standard and setup custom domain (example: testdomain . com). One User and test @ testdomain . com. Setup one alias alias1 @ testdomain . com.

Per this link: https://learn.microsoft.com/en-us/microsoft-365/admin/email/add-another-email-alias-for-a-user?view=o365-worldwide I can add an alias, and the document claims the user can send out as the alias:

Your users can now send from their aliases when using Outlook on the web. When the Set-OrganizationConfig -SendFromAliasEnabled $true cmdlet is set, users within the organization will get access to a list of checkboxes where each entry corresponds to an alias in their Outlook settings. Selecting an alias will make it appear in the From dropdown in the Compose form.

I did this and confirmed it is enabled. I then went to Outlook web and did not see the aliases to pick from, but found I needed to go into Settings / Compose and Reply / Addresses to Send From. I now see the from drop down:

HOWEVER, the recipient (some of my gmail accounts or other test accounts) do NOT see it coming from the alias, but looks like it comes from my primary user @ mydomain . com vs the alias1 @ mydomain . com. If the recipient digs into the message header you cannot see it from the alias either.

QUESTION 1
So WHAT needs to be done so when the recipient receives the email it looks like it came from the alias?

QUESTION 2
A sender sends me an email to alias1 @ mydomain . com and it does arrive in Outlook Web, BUT it looks like it came to my primary test @ mydomain . com. IF I dig into the message header behind the scenes I do see it was sent to the alias. HOW can I have Outlook Web display that it was to the alias email and not the primary email? I probably could create rules to tag and or move to folders, but it would be nice to just easily tell in the client.

Thanks in advance!
Greg

1.3K Views, 0 likes, 6 Comments

Microsoft and Apple Working Together to Improve Exchange Online Security
Today we’re delighted to take the next step along the journey to transition away from basic auth by sharing the work we’ve been doing with Apple to help users of their Mail app switch from Basic auth to Modern auth.

115K Views, 15 likes, 78 Comments

Using Groups to Assign Exchange Admin Roles to Accounts Without Mailboxes
Exchange Online. Cloud-only environment. I'm trying to figure out the best way to assign Exchange admin roles to various IT staff in our organization. All of our IT staff have dedicated admin accounts for admin tasks, and these accounts do not have mailboxes. Ideally, I'm trying to make things so that when I add an IT tech's admin account to a group, they get the necessary Exchange roles. I have an Exchange admin role. But I see that only mail-enabled security groups can be assigned to these roles (and direct user assignment which I'm trying to avoid). No problem. So I try to create a mail-enabled security group and add these admin accounts (no mailbox) as members of the mail-enabled security group. I can't because the accounts don't have mailboxes. Is there a better way to do this? Any recommendations?

Solved. 181 Views, 0 likes, 2 Comments