| title | Respond to a compromised connector in Microsoft 365 | |||
|---|---|---|---|---|
| f1.keywords |
|
|||
| author | chrisda | |||
| ms.author | chrisda | |||
| manager | bagol | |||
| audience | ITPro | |||
| ms.topic | how-to | |||
| ms.localizationpriority | medium | |||
| ms.assetid | ||||
| ms.collection |
|
|||
| ms.custom | ||||
| description | Learn how to recognize and respond to a compromised connector in Microsoft 365. | |||
| ms.service | defender-office-365 | |||
| search.appverid | met150 | |||
| ms.date | 6/14/2023 | |||
| appliesto |
|
[!INCLUDE MDO Trial banner]
Connectors are used for enabling mail flow between Microsoft 365 and email servers that you have in your on-premises environment. For more information, see Configure mail flow using connectors in Exchange Online.
An inbound connector with the Type value OnPremises is considered compromised when an attacker creates a new connector or modifies and existing connector to send spam or phishing email.
This article explains the symptoms of a compromised connector and how to regain control of it.
A compromised connector exhibits one or more of the following characteristics:
- A sudden spike in outbound mail volume.
- A mismatch between the
5321.MailFromaddress (also known as the MAIL FROM address, P1 sender, or envelope sender) and the5322.Fromaddress (also known as the From address or P2 sender) in outbound email. For more information about these senders, see How Microsoft 365 validates the From address to prevent phishing. - Outbound mail sent from a domain that isn't provisioned or registered.
- The connector is blocked from sending or relaying mail.
- The presence of an inbound connector that wasn't created by an admin.
- Unauthorized changes in the configuration of an existing connector (for example, the name, domain name, and IP address).
- A recently compromised admin account. Creating or editing connectors requires admin access.
If you see these symptoms or other unusual symptoms, you should investigate.
Do all of the following steps to regain control of the connector. Go through the steps as soon as you suspect a problem and as quickly as possible to make sure that the attacker doesn't resume control of the connector. These steps also help you remove any back-door entries that the attacker might have added to the connector.
In Microsoft Defender for Office 365 Plan 2, open the Microsoft Defender portal at https://security.microsoft.com and go to Explorer. Or, to go directly to the Explorer page, use https://security.microsoft.com/threatexplorer.
-
On the Explorer page, verify that the All email tab is selected and then configure the following options:
- Select the date/time range.
- Select Connector.
- Enter the connector name in the :::image type="icon" source="media/m365-cc-sc-search-icon.png" border="false"::: Search box.
- Select Refresh.
:::image type="content" source="media/connector-compromise-explorer.png" alt-text="Inbound connector explorer view" lightbox="media/connector-compromise-explorer.png":::
-
Look for abnormal spikes or dips in email traffic.
:::image type="content" source="media/connector-compromise-abnormal-spike.png" alt-text="Number of emails delivered to junk folder" lightbox="media/connector-compromise-abnormal-spike.png":::
-
Answer the following questions:
- Does the Sender IP match your organization's on-premises IP address?
- Were a significant number of recent messages sent to the Junk Email folder? This result clearly indicates that a compromised connector was used to send spam.
- Is it reasonable for the message recipients to receive email from senders in your organization?
:::image type="content" source="media/connector-compromise-sender-ip.png" alt-text="Sender IP and your organization's on-prem IP address" lightbox="media/connector-compromise-sender-ip.png":::
In Microsoft Defender for Office 365 or the built-in security features for all cloud mailboxes, use Alerts and Message trace to look for the symptoms of connector compromise:
-
Open the Defender portal at https://security.microsoft.com and go to Incidents & alerts > Alerts. Or, to go directly to the Alerts page, useOpen Suspicious connector activity alert in https://security.microsoft.com/alerts.
-
On the Alerts page, use the :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: Filter > Policy > Suspicious connector activity to find any alerts related to suspicious connector activity.
-
Select a suspicious connector activity alert by clicking anywhere in the row other than the check box next to the name. On the details page that opens, select an activity under Activity list, and copy the Connector domain and IP address values from the alert.
:::image type="content" source="media/connector-compromise-outbound-email-details.png" alt-text="Connector compromise outbound email details" lightbox="media/connector-compromise-outbound-email-details.png":::
-
Open the Exchange admin center at https://admin.exchange.microsoft.com and go to Mail flow > Message trace. Or, to go directly to the Message trace page, use https://admin.exchange.microsoft.com/#/messagetrace.
On the Message trace page, select the Custom queries tab, select :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: Start a trace, and use the Connector domain and IP address values from the previous step.
For more information about message trace, see Message trace in the modern Exchange admin center in Exchange Online.
:::image type="content" source="media/connector-compromise-new-message-trace.png" alt-text="New message trace flyout" lightbox="media/connector-compromise-new-message-trace.png":::
-
In the message trace results, look for the following information:
- A significant number of messages were recently marked as FilteredAsSpam. This result clearly indicates that a compromised connector was used to send spam.
- Whether it's reasonable for the message recipients to receive email from senders in your organization
:::image type="content" source="media/connector-compromise-message-trace-results.png" alt-text="New message trace search results" lightbox="media/connector-compromise-message-trace-results.png":::
In Exchange Online PowerShell, replace <StartDate> and <EndDate> with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see Use a PowerShell script to search the audit log.
Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector","Set-InboundConnector","Remove-InboundConnectorFor detailed syntax and parameter information, see Search-UnifiedAuditLog.
Open the Exchange admin center at https://admin.exchange.microsoft.com and go to Mail flow > Connectors. Or, to go directly to the Connectors page, use https://admin.exchange.microsoft.com/#/connectors.
On the Connectors page, review the list of connectors. Remove or turn off any unknown connectors, and check each connector for unauthorized configuration changes.
After you've regained control of the compromised connector, unblock the connector on the Restricted entities page in the Defender portal. For instructions, see Remove blocked connectors from the Restricted entities page.
After you identify the admin account that was responsible for the unauthorized connector configuration activity, investigate the admin account for compromise. For instructions, see Responding to a Compromised Email Account.