Security Considerations for SMTP Add-on Service Receiving Emails from Exchange Online
Hello everyone,

I'm developing an email processing service for Microsoft 365 / Exchange Online customers. This service acts as an SMTP endpoint that receives all outbound emails from our customers' Exchange Online tenants via Outbound Connectors, processes them, and then relays the messages back to Exchange Online for final delivery. I found the "Scenario: Integrate Exchange Online with an email add-on service" page with suggestions. We're currently evaluating security risks and would like to clarify how much trust can be placed in messages coming from Exchange Online.

Scenario Summary

Our customers configure an Exchange Online Outbound Connector to route outbound emails to our service. We process these emails and then reinject them to Exchange Online, possibly via a smart host or authenticated SMTP relay. All emails received by our service originate from Exchange Online IP ranges, and our SMTP service is restricted to accept connections only from those IPs.

Questions

1. Can messages from Exchange Online IPs be spoofed? Given that all customers share Exchange Online's IP ranges, can an attacker:
   - Forge the MAIL FROM envelope address?
   - Spoof the From: header field?
   - Impersonate another customer (tenant) using the shared infrastructure?
   What level of trust can we place in the envelope sender (MAIL FROM) and header From address?

2. What security signals or headers should we rely on? Are there Exchange Online-specific SMTP headers or identifiers we can use to validate the authenticity and origin of the message? For example:
   - Is the tenant ID or authenticated user available in the headers?
   - Can we reliably identify the sending customer?

3. What authentication or validation mechanisms are recommended? What are Microsoft's best practices for:
   - Validating tenant identity for messages received via connector?
   - Preventing cross-tenant spoofing, especially when IPs are shared?
   - Verifying message integrity (e.g., should we re-verify DKIM, SPF?)
   - Any other Microsoft-recommended protections?
Thanks in advance to anyone from the Microsoft team or the community who can provide insights or suggestions!

Local User Account Brute Attack with EOP
I have a Hybrid scenario with Exchange 2010 on-premises. I have a program that monitors user account lockouts. Recently we have noticed several user accounts being locked out, which appears to be a brute attack originating from our Exchange Server. The user accounts are not being locked out from the O365 side, and user accounts are protected with MFA. The logs from the program point out that the attack is from our on-premises Exchange server. My question is this: the setup on this server has remained the same since we migrated to the cloud (ports, services, etc.). Microsoft support, which is limited when it comes to Hybrid scenarios, would only tell me that all of the services and ports are necessary to keep the Hybrid operational. So with that, are there any other recommendations to reduce these account lockouts? Thanks.