Anyone know how to block/limit emails going to the External Users group?


We had a user account compromised and audit revealed multiple instances of what looks like the attacker sending emails to our External Users group (which I'm assuming to be all our clients with whom we've shared SharePoint/OneDrive sites/items, almost 600 of them).


This is understandably a HUGE security issue and needs to be addressed immediately.  The problem is that I can't find the group email address, ID, or anything to identify it because it's some default Microsoft group.  Nothing in Exchange Online, nothing in Azure AD... just nothing, I can't find it anywhere.


Multiple 365 support people are fumbling it and can't figure out what to do, yet don't want to pull in the Security/Azure/SharePoint teams.  Anybody know how to ID the External Users group and prevent users from emailing it?


Thanks in advance.


Dave

1 Reply

Have you tried running a message trace? The "built-in" group (claim) is not mail-enabled so you cannot send messages to it directly. You either have a custom group created or the actor is simply enumerating (external) users out of your GAL/Azure AD instance.


Knowing the ID of the group will hardly help you here, simply block the account, change the password, revoke tokens, disable any and all Exchange protocols, and configure a transport rule to prevent him from sending further messages.
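The steps in the reply above (message trace, block the account, reset the password, revoke tokens, disable Exchange client protocols, transport rule), scripted as an added example for Exchange Online and Azure AD PowerShell. This is not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement and AzureAD modules are installed, that Connect-ExchangeOnline and Connect-AzureAD have already been run with sufficient rights, and that the sender address in `$CompromisedUser` is a placeholder to be replaced with the real account. The recipient-by-domain summary is how you tell a single mail-enabled group apart from the enumeration the reply suggests; the inbox-rule and forwarding check at the end goes beyond the reply's list but is the usual next thing to look at on a compromised mailbox.

```powershell
# Added example, not from the original thread. Assumes ExchangeOnlineManagement
# and AzureAD modules are loaded and Connect-ExchangeOnline / Connect-AzureAD
# have been run. The address below is a placeholder.
$CompromisedUser = 'compromised.user@contoso.example'

# 1. Message trace: who did the account actually send to?
#    Get-MessageTrace only covers the last 10 days; for older mail use
#    Start-HistoricalSearch instead.
$end   = Get-Date
$start = $end.AddDays(-10)
$trace = Get-MessageTrace -SenderAddress $CompromisedUser `
    -StartDate $start -EndDate $end -PageSize 5000

# Recipients grouped by domain. Hundreds of distinct external domains with one
# or two messages each is what enumeration of guest users from the GAL looks
# like; one group address with a single entry means a custom group was used.
$trace |
    Group-Object { ($_.RecipientAddress -split '@')[1] } |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Is any recipient a mail-enabled group? The built-in "External Users" claim is
# not mail-enabled, so a group hit here has to be something someone created.
$groupHits = $trace.RecipientAddress | Sort-Object -Unique |
    ForEach-Object { Get-Recipient -Identity $_ -ErrorAction SilentlyContinue } |
    Where-Object { $_.RecipientTypeDetails -like '*Group*' }
$groupHits | Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails

# 2. Contain the account: disable sign-in, set a new random password, and
#    revoke refresh tokens so existing sessions cannot renew.
$aadUser = Get-AzureADUser -ObjectId $CompromisedUser
Set-AzureADUser -ObjectId $aadUser.ObjectId -AccountEnabled $false
$plain  = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $aadUser.ObjectId -Password $secure -ForceChangePasswordNextLogin $true
Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId

# 3. Close every client protocol on the mailbox so a cached token, app password
#    or basic-auth client is useless even if step 2 has not propagated yet.
Set-CASMailbox -Identity $CompromisedUser `
    -ActiveSyncEnabled $false -OWAEnabled $false -PopEnabled $false `
    -ImapEnabled $false -MAPIEnabled $false -EwsEnabled $false `
    -SmtpClientAuthenticationDisabled $true

# 4. Transport rule: reject anything else this sender tries to send while the
#    investigation runs. Priority 0 puts it ahead of every other rule.
New-TransportRule -Name "IR block sender - $CompromisedUser" -From $CompromisedUser `
    -RejectMessageReasonText 'Message rejected: sending account is under security review.' `
    -RejectMessageEnhancedStatusCode '5.7.1' -Priority 0

# 5. Beyond the reply's list: attackers commonly leave inbox rules or mailbox
#    forwarding behind. Review and remove anything you did not create.
Get-InboxRule -Mailbox $CompromisedUser |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
Get-Mailbox -Identity $CompromisedUser |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Two caveats. The AzureAD module is the older toolset; the same containment steps in Microsoft Graph PowerShell are `Update-MgUser -UserId <id> -AccountEnabled:$false` and `Revoke-MgUserSignInSession -UserId <id>`. And a sender-based transport rule only stops mail that leaves through your tenant: it does not undo messages already delivered, so the recipient list from the trace is what you would use to notify the affected clients.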