Investigating Email Impacts

This guide gives users insight into the alerts they can expect from day-to-day operational use of their inboxes within the Microsoft 365 landscape, what each alert means for mail flow or the affected account, and the Sittadel procedure to follow next.

Deliverability or User Experience Impacts

| Activity | Impact | Sittadel's Curated Next Steps |
|---|---|---|
| Email sending limit exceeded | An internal user has been detected exceeding the daily external sending limit set in the Outbound Spam Threat Policy. They will be prevented from sending any mail until they have been sanctioned as an allowed entity. | Immediately allow the user by removing their block using the Email Restricted Entity Management (sittadel.com) procedure. Indefinitely allow this activity by using the Allowing High Volume Senders (sittadel.com) procedure. |
| Tenant restricted from sending email | Traffic from the tenant has been detected as suspicious for a prolonged period, and as a result the tenant is banned from sending: no mailbox attached to it can send mail. | Contact Microsoft Support to remove the sending ban that has been enforced on the tenant. |
| Tenant restricted from sending unprovisioned email | Mail has been sent from the tenant using domains housed within it that have not been provisioned, and as a result the tenant is banned from sending from any attached mailbox, regardless of the domain name specified. | Contact Microsoft Support to remove the sending ban that has been enforced on the tenant. |
| User restricted from sending email | An internal user has been detected sending suspicious messages outside the organization and has kept up this activity for a period of time. They are restricted from sending messages externally until allowed by an administrator. | Immediately allow the user by removing their block using the Email Restricted Entity Management (sittadel.com) procedure. Indefinitely allow this activity by using the Allowing High Volume Senders (sittadel.com) procedure. |
| Suspicious email sending patterns detected | An internal user has been detected sending suspicious messages outside the organization and is being monitored. If the activity continues for a prolonged period, they will be prevented from sending mail until the account has been remediated. | Take a look at the traffic for the account using the Investigating External Traffic (sittadel.com) procedure. |
| Suspicious connector activity | A connector configured through the Exchange Admin Center has been identified as handling suspicious messages and is restricted from sending any messages. The impact on mail flow depends on the direction specified when the connector was created. | Take a look at whether any connectors have recently changed using the Investigating Connector Configuration (sittadel.com) procedure. |
| Messages have been delayed | A connector is having trouble handling messages, internal or external facing, and they are being held in the delayed message queue. If the number of delayed messages exceeds the system threshold and they have been queued for an extended period, a notification is delivered so that the potential impact can be investigated. | Take a look at which emails are being held due to delays using the Investigating Mail Delivery (sittadel.com) procedure. |
| Reply-all storm detected | A user has initiated a reply-all on a thread tied to a large distribution list. A notification is delivered to warn of the throttling that could take place on the email servers involved. | Take a look at the impact of the reply-all storm using the Investigating Reply-All Impact (sittadel.com) procedure. |

Suspicious or Compromised User Behavior

| Activity | Behavior Trigger | Sittadel's Curated Next Steps |
|---|---|---|
| A user clicked through to a potentially malicious URL | A message flagged by the Safe Links Threat Policy as carrying an embedded malicious URL was delivered, and despite the warning the recipient still clicked through to view the URL. A notification is delivered to flag a potential IOC. | Take a look at which URLs have been clicked by the affected user using the Investigating URL Clicks (sittadel.com) procedure. |
| Creation of forwarding/redirect rule | A user has configured a mail flow rule that forwards or redirects mail. These rules can be used in nefarious ways, such as forwarding received mail to an external address or redirecting messages to a void address. | Take a look at any new forwarding rules using the Investigating Transport Rule Creation (sittadel.com) procedure. |
| Messages containing malicious entity not removed after delivery | A message was detected by the Anti-Malware Threat Policy but was still delivered to a recipient's inbox instead of being sent to the Quarantine Queue. An administrator must remove these messages manually from the affected user's mailbox. | The designated threat detection policy has failed to capture the potentially malicious content. An administrator will need to notify the user not to interact with the received mail and be prepared to remove the content manually from the inbox. |
| Elevation of Exchange admin privilege | A user has been assigned the Exchange Admin role. This can be a useful IOC for possible privilege escalation, or can be used to trace a misconfiguration back to unsanctioned user activity. | Verify the assignment from the Roles section of the Azure Active Directory portal: check that the Exchange Administrator role has the proper user assignments, and if not, check who initiated this privilege escalation via the Role Audit Log. |
| Suspicious tenant sending patterns observed | Suspicious mail flow is being generated by end users within the tenant. If this pattern is maintained for a prolonged period, all mailboxes associated with the tenant could be blocked from sending email. | Take a look at mail for the organization as a whole using the Investigating Tenant Wide External Traffic (sittadel.com) procedure. |
| Suspicious Email Forwarding Activity | A suspicious email forward has been detected. This can be a redirect that points to an external address that isn't recognized within your tenant. | Take a look at any new forwarding rules using the Investigating Transport Rule Creation (sittadel.com) procedure. |
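The two forwarding-related rows above (Creation of forwarding/redirect rule, Suspicious Email Forwarding Activity) both come down to the same question: which rules move mail, and do any of them point outside the tenant? The script below is an added example, not Sittadel's or Microsoft's own code; it assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with a role that can read mailbox and transport rules.

```powershell
# Added example: list mail flow (transport) rules and per-mailbox inbox rules that
# forward, redirect, or delete mail, and flag targets outside the tenant's accepted domains.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run.

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalTarget {
    param([string[]]$Targets)
    # Recipient strings look like '"Name" [SMTP:user@example.com]' for external addresses.
    # Internal mailboxes are rendered as [EX:/o=...] and are therefore not matched here.
    foreach ($t in $Targets) {
        if ($t -match 'SMTP:([^\]]+)') {
            $domain = ($Matches[1] -split '@')[-1].ToLower()
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

# 1. Tenant-wide mail flow rules that copy or redirect messages (the "transport rule" case)
Get-TransportRule |
    Where-Object { $_.BlindCopyTo -or $_.RedirectMessageTo -or $_.CopyTo } |
    Select-Object Name, State, WhenChanged, BlindCopyTo, RedirectMessageTo, CopyTo |
    Format-Table -AutoSize

# 2. Per-mailbox inbox rules that forward, redirect, or silently delete (the "void address" case)
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = Test-ExternalTarget -Targets $targets   # $true = leaves the tenant
                Deletes  = $_.DeleteMessage                         # rule discards the message
                Targets  = ($targets -join '; ')
            }
        }
}

# External forwards first: those are the ones the alert is warning about
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Rows with External set to $true are the ones to reconcile against the Investigating Transport Rule Creation procedure; a rule that only deletes is worth a second look too, since it hides mail from the user without sending it anywhere.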

Configuration Issue

| Item | Missing Functionality | Sittadel's Curated Next Steps |
|---|---|---|
| Phish not zapped because ZAP is disabled | For read or unread messages identified as phishing (not high confidence phishing) after delivery, ZAP quarantines the message identified as phishing. | Proper configuration of the Anti-Malware threat protection policy will need to be conducted. |
| Malware not zapped because ZAP is disabled | For read or unread messages found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. | Proper configuration of the Anti-Malware threat protection policy will need to be conducted. |
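To confirm whether either of the two ZAP alerts above is a policy problem rather than a one-off, the following added example (not Sittadel's or Microsoft's code) reports every policy with a ZAP setting turned off and, only when you pass the -Fix switch, turns it back on. It assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has already been run.

```powershell
# Added example: audit zero-hour auto purge (ZAP) across the tenant's protection policies.
# Malware ZAP lives on the anti-malware policy (ZapEnabled); phishing and spam ZAP live on
# the anti-spam (hosted content filter) policy (PhishZapEnabled / SpamZapEnabled).
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run.

function Get-ZapGaps {
    # Returns one object per disabled ZAP setting, so an empty result means ZAP is fully on.
    $gaps = @()
    foreach ($p in Get-MalwareFilterPolicy) {
        if (-not $p.ZapEnabled) {
            $gaps += [pscustomobject]@{ Policy = $p.Identity; Type = 'AntiMalware'; Setting = 'ZapEnabled' }
        }
    }
    foreach ($p in Get-HostedContentFilterPolicy) {
        if (-not $p.PhishZapEnabled) {
            $gaps += [pscustomobject]@{ Policy = $p.Identity; Type = 'AntiSpam'; Setting = 'PhishZapEnabled' }
        }
        if (-not $p.SpamZapEnabled) {
            $gaps += [pscustomobject]@{ Policy = $p.Identity; Type = 'AntiSpam'; Setting = 'SpamZapEnabled' }
        }
    }
    return $gaps
}

function Repair-ZapGaps {
    param([switch]$Fix)
    $gaps = Get-ZapGaps
    if (-not $gaps) { Write-Host 'ZAP is enabled in every policy.'; return }
    $gaps | Format-Table -AutoSize
    if (-not $Fix) { Write-Host 'Re-run with -Fix to enable the settings listed above.'; return }
    foreach ($g in $gaps) {
        switch ($g.Setting) {
            'ZapEnabled'      { Set-MalwareFilterPolicy -Identity $g.Policy -ZapEnabled $true }
            'PhishZapEnabled' { Set-HostedContentFilterPolicy -Identity $g.Policy -PhishZapEnabled $true }
            'SpamZapEnabled'  { Set-HostedContentFilterPolicy -Identity $g.Policy -SpamZapEnabled $true }
        }
        Write-Host "Enabled $($g.Setting) on $($g.Type) policy '$($g.Policy)'."
    }
}

Repair-ZapGaps          # report only; add -Fix to remediate
```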