Forum Discussion

eagles1927
Copper Contributor
Aug 22, 2022

Tenant blocked from sending email

Last Monday, our entire Office 365 domain was blocked from sending email. The reason given was: "The majority of traffic from this tenant has been detected as suspicious and the tenant has been restricted from sending email. Investigate any potentially compromised user/admins, new connectors, or open relays and contact support to unblock your tenant." We started getting this error whenever we sent an email outside of our domain: '550 5.7.705 Access denied, tenant has exceeded threshold. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653 AS(1231) [SG2PR01MB2840.apcprd01.prod.exchangelabs.com]'


I contacted support through the Office 365 portal and we went through a number of checks to see if we could figure out what was causing the spam emails. We checked the Exchange connectors and the top senders report, and ran some message traces for the last few days. However, nothing out of the ordinary was found. A normal number of emails had been sent out each day, according to the Exchange reports. The top sender had only sent about 1000 emails over a span of a few days, and all of those emails were legitimate. We also reset the passwords on our admin accounts and made sure that MFA was turned on. Since we could find no evidence of spam emails being sent out, we requested that our tenant be enabled again, and it was enabled a day later. However, we had not found any root cause for the issue, so I was quite concerned that we would just be blocked again. Of course, that is what happened, and a few days later our tenant was again restricted from sending external email. I worked with Office 365 support again, and they sent me this log about why our tenant was blocked:

totalOutboundRecipients24Hours=50016;OutboundSpam24Hours=49974;OutboundUnprovisionedMail24Hours=3;TenantAgeInDays=3648;TotalSeatCount=1504000;TrialSeatCount=0;MessageId=d6dd41b3-de91-4b7a-cf4a-08da828eea96;SnapShotStatus=1


So according to this, we sent out over 50,000 emails within 24 hours. But the thing is, the Exchange message trace and reports don't show this at all. On top of this, we have an anti-spam policy that limits any individual user to sending a maximum of 1000 emails per day. So I don't understand how we can be sending out that many emails, unless 50 different accounts are each sending 1000 emails. But again, there is nothing in the logs to indicate this. Also concerning is the total seat count in this log, because if that reflects the number of users, it is wildly incorrect. According to Azure Active Directory we have under 3000 users, and the majority of those don't have Exchange mailboxes. The information we really need is the details of these emails getting sent out. What IP are they coming from, and what sender are they coming from? Why are they not showing in the message trace or reports?


The issue is that I've been getting nowhere with Microsoft support, even after doing a paid support request. They aren't able to give me any logs of these emails going out. Is there anybody out there that has run into a similar issue? Is it possible for emails to go out of your domain but not show in Message Trace or any other reports? 


To me, it seems like something is faulty with Microsoft's monitoring and somehow other emails are being marked as coming from our domain when they actually aren't, because if they were, they would show up in our message trace logs.


Thanks for any help anyone can provide.


Joel
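An added example, not part of the original post: the support log above counts outbound recipients (totalOutboundRecipients24Hours), and message trace also returns one row per recipient, so the two can be compared on the same unit. The script below pulls the last 24 hours of trace data from Exchange Online PowerShell, keeps only mail that left the tenant, and breaks it down by sender and by source IP so that a compromised mailbox, an on-premises relay or a connector would stand out. It assumes the ExchangeOnlineManagement module, an account with message tracking rights, and that the outbound spam policy named "Default" is the one that applies; Get-MessageTrace only covers the previous 10 days.

```powershell
# Added example (not the poster's code). Reconcile the tenant's own view of outbound
# mail against the recipient counters quoted in the support log.
# Assumes: ExchangeOnlineManagement module, a role that includes Message Tracking,
# and that the "Default" outbound spam policy is the effective one.

Connect-ExchangeOnline -ShowBanner:$false

# Accepted domains define "internal"; any other recipient domain counts as external.
$tenantDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

$end   = Get-Date
$start = $end.AddHours(-24)

# Get-MessageTrace returns at most 5000 rows per call, so page until a short page comes back.
$rows = @()
$page = 1
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $rows += $batch
    $page++
} while ($batch.Count -eq 5000)

# One trace row = one recipient, the same unit as totalOutboundRecipients24Hours.
$outbound = $rows | Where-Object {
    $senderDomain    = ($_.SenderAddress    -split '@')[-1].ToLower()
    $recipientDomain = ($_.RecipientAddress -split '@')[-1].ToLower()
    ($tenantDomains -contains $senderDomain) -and -not ($tenantDomains -contains $recipientDomain)
}

"External recipients in the last 24h visible to message trace: {0}" -f $outbound.Count

# Per-sender counts, compared with the daily recipient limit in the outbound spam policy.
$limit = (Get-HostedOutboundSpamFilterPolicy -Identity Default).RecipientLimitPerDay
$outbound | Group-Object SenderAddress | Sort-Object Count -Descending |
    Select-Object -First 20 Name, Count,
        @{ n = 'OverDailyLimit'; e = { ($limit -gt 0) -and ($_.Count -gt $limit) } } |
    Format-Table -AutoSize

# Source IPs: a connector or on-premises relay shows up as its own address;
# a compromised cloud mailbox shows the service's IPs with an unexpected sender.
$outbound | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# Mailboxes Microsoft has already restricted individually (the per-user counterpart
# of the tenant-wide 5.7.705 block).
Get-BlockedSenderAddress
```

If the external recipient count here is a small fraction of the figure in the support log, the excess traffic is not being sent through mail flow that message trace records. Newer tenants may be directed to Get-MessageTraceV2, which uses a different paging model, but the filtering and grouping above apply unchanged to its output.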

7 Replies

  • Chris975
    Copper Contributor

    Having the same issue: blocked twice in 4 months on a small tenant of 8 users, only sending 30-50 emails a day. MS claim they detected 15000 outbound emails both times, yet all logs/reports are completely clean.
    I also suspect that MS is incorrectly attributing spam to the wrong tenant, or there is a flaw/vulnerability allowing spammers to obfuscate/hide/delete/attribute email.
    Either way I'm 100% sure the issue is on MS's side.
    Also getting the runaround with support; it seems they have no intention of taking this seriously and that it will just bounce around low-level support till we give up on it.

    • eagles1927
      Copper Contributor

      Chris975 

      Sorry to hear that. I never got anywhere with MS support, even after doing a paid support request. There was never an actual resolution. They eventually just enabled our domain, and thankfully it hasn't been blocked again since August 2022. I'm always fearful that the same thing will happen again, especially since there was no explanation of how it happened.

      • Chris_Itnstuff
        Copper Contributor

        eagles1927 I found the root cause of this issue 🙂
        SharePoint did it.

        Guest users in the client's SharePoint had configured alerts on the document library, and these alerts triggered for file change actions.
        So when a large number of files were changed, SharePoint attempted to send 2 external users 1 email per file change; according to the SharePoint logs that was 97000 the first time, 20000 the second, etc.
        SharePoint email notifications do not show up in your Exchange as outbound (you will get an inbound trace if you are sending the alerts internally), but it appears MS will count them against the sending limits and lock your tenant. I'm not sure if internal ones would also cause your tenant to lock, but you would find it easily, as you would see hundreds or thousands of them being delivered in message trace.

        On a side note, it was difficult to locate the correct Settings menu within SharePoint as the GUI would not let you navigate there directly. I had to go to the document library site home page and append "/_layouts/15/settings.aspx" to the URL to actually access the correct alert settings under 'User alerts'; using the GUI we could only access the default site settings, which had no documents or alerts configured.

        Also, turning off alerts with the global settings/options had no impact on the user-defined alerts (there may be a method using PowerShell, but the GUI cannot be used to stop them).

        It may also be possible that something like Defender alerts could cause this issue, as I believe both SharePoint and Defender use the same email setup, although it's far less likely you would have an alert set up that would trigger so many alerts and send the notification externally. But I can confirm these also do not show up in message trace for outbound.
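The PowerShell route mentioned above, as an added example that is not part of Chris_Itnstuff's post: the script enumerates user-defined alerts on every visible list in a site, resolves the owner of each, flags alerts owned by Azure AD B2B guests (their login names carry the "#ext#" marker) and, only when run with -Remove, deletes the guest-owned ones. It assumes the PnP.PowerShell module, Site Collection Administrator rights, and a hypothetical site URL; the -AllUsers switch is what exposes alerts created by other people, which the per-user GUI page does not.

```powershell
# Added example (not the poster's code). Find and optionally remove user-defined
# SharePoint alerts owned by guest users, the source of the unlogged outbound mail
# described above.
# Assumes: PnP.PowerShell module and Site Collection Administrator rights on $siteUrl.
param(
    [string]$siteUrl = 'https://contoso.sharepoint.com/sites/ProjectX',   # hypothetical site
    [switch]$Remove                                                        # report-only unless set
)

Connect-PnPOnline -Url $siteUrl -Interactive

$report = foreach ($list in Get-PnPList | Where-Object { -not $_.Hidden }) {
    # -AllUsers returns alerts created by anyone, not only the connected account.
    foreach ($alert in Get-PnPAlert -List $list -AllUsers) {
        $owner = Get-PnPUser -Identity $alert.UserId
        [pscustomobject]@{
            List      = $list.Title
            Title     = $alert.Title
            Owner     = $owner.LoginName
            Email     = $owner.Email
            Frequency = $alert.AlertFrequency     # Immediate = one notification per change
            Events    = $alert.EventType          # All / AddObject / ModifyObject / DeleteObject
            IsGuest   = $owner.LoginName -like '*#ext#*'   # B2B guest marker in the claims login
            AlertId   = $alert.ID
        }
    }
}

# Guest-owned, immediate-frequency alerts on busy libraries are the ones to look at first.
$report | Sort-Object IsGuest, Frequency -Descending | Format-Table -AutoSize

if ($Remove) {
    foreach ($a in $report | Where-Object { $_.IsGuest }) {
        # Deleting another user's alert requires naming that user explicitly.
        Remove-PnPAlert -Identity $a.AlertId -User $a.Owner -Force
        "Removed alert '{0}' on '{1}' owned by {2}" -f $a.Title, $a.List, $a.Owner
    }
}
```

Run it once without -Remove to confirm the report matches what the '/_layouts/15/settings.aspx' page shows, then with -Remove. Because each site collection holds its own alerts, the script has to be pointed at every site that hosts shared libraries; a tenant-wide sweep is the same loop wrapped around Get-PnPTenantSite.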


  • Hello eagles1927

    Here is Ahmed, I'm a community visitor and user like you!
    Let me try to help you today:

    Common causes for exceeding threshold:

    - Sending bulk mail. Bulk mail violates the [Office 365 Sending Limits](https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits).
    - [Compromised admin accounts](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide)

    For more details about this: https://solyoutionz.com/5-7-705-access-denied-tenant-has-exceeded-threshold/

    *Please keep in mind that you need to reopen the case with MS Support, as they have the proper tools. Please advise them to release the threshold, and the steps above will help you and them to understand the case better and in all its aspects.

    If my solution was helpful, please mark this question as answered and consider giving it a thumbs up.
    Your positive feedback motivates me to continue assisting others.
    Thank you for letting me be a part of your journey to finding a solution!
    Ahmed 🙂

  • AnhNT_
    Copper Contributor

    eagles1927 

    Same with my tenant, with MFA required for all 365 services. Received an alert with 40k outbound spam in 24 hrs, while message trace showed 11k emails inbound and outbound in total over 2 days. Cannot find out where the remaining came from. MS support keeps saying they are working with the backend team, but no report or detail about the spam flow. Don't know what happened here.
