cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Anyone know how to block/limit emails going to the External Users group?

David Osgood
Copper Contributor

‎Jan 06 2020 01:27 PM

‎Jan 06 2020 01:27 PM

Anyone know how to block/limit emails going to the External Users group?

We had a user account compromised and audit revealed multiple instances of what looks like the attacker sending emails to our External Users group (which I'm assuming to be all our clients with whom we've shared SharePoint/OneDrive sites/items, almost 600 of them).

 

This is understandably a HUGE security issue and needs to be addressed immediately.  The problem is that I can't find the group email address, ID, or anything to identify it because it's some default Microsoft group.  Nothing in Exchange Online, nothing in Azure AD... just nothing, I can't find it anywhere.

 

Multiple 365 support people are fumbling it and can't figure out what to do, yet don't want to pull in the Security/Azure/SharePoint teams.  Anybody know how to ID the External Users group and prevent users from emailing it?

 

Thanks in advance.


Dave

Labels:
674 Views
0 Likes
1 Reply
Reply
1 Reply
Vasil Michev

‎Jan 07 2020 09:12 AM

‎Jan 07 2020 09:12 AM

Re: Anyone know how to block/limit emails going to the External Users group?

Have you tried running a message trace? The "built-in" group (claim) is not mail-enabled so you cannot send messages to it directly. You either have a custom group created or the actor is simply enumerating (external) users out of your GAL/Azure AD instance.

 

Knowing the ID of the group will hardly help you here, simply block the account, change the password, revoke tokens, disable any and all Exchange protocols, and configure a transport rule to prevent him from sending further messages.

2 Likes
Reply