Forum Discussion
Anyone know how to block/limit emails going to the External Users group?
We had a user account compromised and audit revealed multiple instances of what looks like the attacker sending emails to our External Users group (which I'm assuming to be all our clients with whom ...
Have you tried running a message trace? The "built-in" group (claim) is not mail-enabled so you cannot send messages to it directly. You either have a custom group created or the actor is simply enumerating (external) users out of your GAL/Azure AD instance.
Knowing the ID of the group will hardly help you here, simply block the account, change the password, revoke tokens, disable any and all Exchange protocols, and configure a transport rule to prevent him from sending further messages.