madual
Copper Contributor
Sep 22, 2023

Threat Alert Policy

We recently had a user whose email account became compromised as a result of them clicking on a link and entering their credentials. We took the recommended steps. By the time we got to know about it, hackers had already sent out a mail merge of 74k emails disguised as said user. He started to get x amount of non-deliverables and people's OOOs. In turn, this suspicious activity did lead to our tenant being blocked by Microsoft (this has now been resolved).

Now we do have an "email sending limit exceeded" policy tied to our outbound spam policy, which is set at a limit of 10k a day, but we didn't get an alert for this incident. The policy does work, as we have users in a certain department who trigger it when they mail merge.

Has anyone got any ideas a) why it didn't trigger the alert for this incident and b) what threat alert policy we can put in place so that if this ever happens again we will be alerted sooner rather than later?

Thanks

LJ
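The checks a responder would run for the scenario in this post, written as an added example (not the poster's own script, and not Microsoft documentation): read the outbound spam limits that are actually in force, rebuild the compromised sender's hourly outbound recipient count from message trace to see which threshold (hourly or daily) should have tripped, estimate the bounce volume the user received, and then split the tenant into a tight default policy plus a separate policy for the department that legitimately mail-merges, so the default can stay low without breaking them. The thresholds, the `BulkSenders` policy name, the `marketing-mailmerge@contoso.com` group and the user addresses are assumptions; the built-in Defender alert policies "Email sending limit exceeded" and "User restricted from sending email" are the ones the outbound spam limits feed. Note that the limits count recipients, not messages, and that message trace only reaches back about ten days.

```powershell
# Added example for this thread, not the original poster's code. Requires the
# ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
# Thresholds, policy/group names and addresses below are hypothetical.
Connect-ExchangeOnline

# 1. Which outbound limits are actually in force? Counts are RECIPIENTS, not messages,
#    and the per-hour and per-day limits are enforced independently.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, IsDefault, RecipientLimitExternalPerHour, RecipientLimitInternalPerHour,
                  RecipientLimitPerDay, ActionWhenThresholdReached
Get-HostedOutboundSpamFilterRule |
    Select-Object Name, HostedOutboundSpamFilterPolicy, FromMemberOf, State

# 2. Rebuild the sender's outbound volume per hour from message trace (roughly 10 days of history).
#    Get-MessageTrace returns one row per recipient, at most 5000 rows per page, so page through it.
function Get-OutboundRecipientsPerHour {
    param(
        [Parameter(Mandatory)][string]$Sender,
        [datetime]$Start = (Get-Date).AddDays(-2),
        [datetime]$End   = (Get-Date)
    )
    $rows = @()
    $page = 1
    do {
        $batch = Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End `
                                  -PageSize 5000 -Page $page
        $rows += $batch
        $page++
    } while ($batch.Count -eq 5000)

    $rows |
        Group-Object { $_.Received.ToString('yyyy-MM-dd HH:00') } |
        Select-Object @{n='Hour';       e={ $_.Name }},
                      @{n='Recipients'; e={ $_.Count }},
                      @{n='Delivered';  e={ ($_.Group | Where-Object Status -eq 'Delivered').Count }},
                      @{n='Failed';     e={ ($_.Group | Where-Object Status -eq 'Failed').Count }} |
        Sort-Object Hour
}

# 3. How many bounces did the user receive? Heuristic: NDRs arrive as inbound mail from
#    postmaster / mailer-daemon senders. A sudden spike here is a usable compromise signal on its own.
function Get-BounceCount {
    param(
        [Parameter(Mandatory)][string]$User,
        [datetime]$Start = (Get-Date).AddDays(-2)
    )
    $inbound = Get-MessageTrace -RecipientAddress $User -StartDate $Start -EndDate (Get-Date) -PageSize 5000
    ($inbound | Where-Object {
        $_.SenderAddress -like 'postmaster@*' -or $_.SenderAddress -like 'mailer-daemon@*'
    }).Count
}

# Usage against the compromised mailbox (hypothetical address):
Get-OutboundRecipientsPerHour -Sender 'compromised.user@contoso.com' | Format-Table -AutoSize
Get-BounceCount -User 'compromised.user@contoso.com'

# 4. Tight default for everyone, separate higher limits for the mail-merge department.
#    ActionWhenThresholdReached: Alert (alert only), BlockUser, or BlockUserForToday.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 -RecipientLimitInternalPerHour 800 -RecipientLimitPerDay 1000 `
    -ActionWhenThresholdReached BlockUser

New-HostedOutboundSpamFilterPolicy -Name 'BulkSenders' `
    -RecipientLimitExternalPerHour 5000 -RecipientLimitInternalPerHour 5000 -RecipientLimitPerDay 10000 `
    -ActionWhenThresholdReached BlockUserForToday
New-HostedOutboundSpamFilterRule -Name 'BulkSenders' -HostedOutboundSpamFilterPolicy 'BulkSenders' `
    -FromMemberOf 'marketing-mailmerge@contoso.com'   # hypothetical group of legitimate bulk senders

# 5. Confirm the built-in alert policies that these limits feed are enabled and notify someone.
Connect-IPPSSession
Get-ProtectionAlert |
    Where-Object { $_.Name -like '*sending limit*' -or $_.Name -like '*restricted from sending*' } |
    Select-Object Name, Disabled, Severity, NotifyUser
```

Run step 2 first: if the hourly buckets show a few hundred recipients per hour spread over a day or two, a 10k-per-day limit is never reached even though the total is large, whereas a low per-hour external limit on the default policy catches that pattern. Keeping the bulk-sending department on its own policy is what lets the default be that low without the existing false positives.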
