Jan 04 2018 - last edited on Feb 06 2023
We turned on the group auto delete option (because users are creating tons of junk groups), but now we have another problem.
For years we have been training end users to ignore any email that looks like it's a phishing attempt. What are some signs of a phishing attempt you ask? Emails that say things like "Action required", or "You must do this or something bad will happen". Key words to get people to act before they stop and think about it.
Then, after a few other problems, we started stamping every email that comes in from outside the company as "External" in the subject line. That way it highlights to the employee that this is not an internal IS email.
Now users are getting the O365 group renewal notices, and since they look like obvious phishing attempts (they are stamped External so that makes them look even more suspicious), the users are not clicking on Renew, so then the group gets auto-deleted. :(
So we are trying to figure out how to handle this. One option would be to whitelist anything from microsoftonline.com, but we don't want to do that. Another option would be to whitelist anything from Microsoft's IP block, but we really don't want to do that and get crap from everyone on MS's cloud.
So we are thinking about a whitelist for things that come from both microsoftonline and MS's IP range. Instead of "External" we'd put in something like "Trusted Sender" or something like that.
Does anyone see any problems with that? And if not, does anyone know MS's IP block? I had it at some point in the past, but now I can't find it.
Thanks for any suggestions.
P.S. It would REALLY be nice if MS would give us the ability to customize these messages so that the users would think it's coming from our IT department.
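The rule ordering proposed in this post, sketched as Exchange Online transport rules. This is an added example, not part of the original post and not Microsoft's own configuration; the rule names, the exact subject prefixes and the 192.0.2.0/24 range (a documentation placeholder, not a Microsoft range) are assumptions.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected (Connect-ExchangeOnline) with rights to manage mail flow rules.

# Domain named in the post.
$trustedDomain = 'microsoftonline.com'

# PLACEHOLDER: 192.0.2.0/24 is a documentation range, not a Microsoft range.
# Replace it with the ranges Microsoft publishes for the sending service.
$trustedRanges = @('192.0.2.0/24')

# Rule 1: tag as trusted only when BOTH conditions match. Conditions inside
# one rule are ANDed. SenderDomainIs checks the message header by default,
# which the sender controls, so the connecting-IP condition is what makes
# the match hard to forge.
New-TransportRule -Name 'Tag trusted Microsoft notices' `
    -FromScope NotInOrganization `
    -SenderDomainIs $trustedDomain `
    -SenderIpRanges $trustedRanges `
    -PrependSubject 'Trusted Sender: ' `
    -StopRuleProcessing $true `
    -Priority 0

# Rule 2: everything else from outside the organization keeps the
# "External" stamp. It sits below rule 1, and rule 1 stops processing,
# so a message that matched rule 1 never receives both prefixes.
New-TransportRule -Name 'Tag external mail' `
    -FromScope NotInOrganization `
    -PrependSubject 'External: ' `
    -Priority 1

# Confirm the evaluation order that the two rules ended up with.
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Name, Priority, State
```

An outside sender can type the same "Trusted Sender" text into a subject line, so the prefix is only as meaningful as users' understanding that it is applied by the mail system.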
Jan 04 2018 11:41 AM
I was wondering if a Flow could do this for you instead...alas there isn't a pre-built trigger for group creation. Seems like a hole to me in the triggers and actions. That way you could control the process.
I suppose that you could trap for the emails by content (they all have the same basic format) using an Exchange Rule and then route them to a specified mailbox and trap that with a Flow trigger. That would at least allow you to track this is happening and even assign some tasks to a person. In theory you could call a PowerShell cmdlet to remove the group after the owners respond.
Jan 04 2018 12:11 PM
If you wanted to, you could create your own version of the "expired" groups functionality with PowerShell. I explained how and provided an example script in the post at https://techcommunity.microsoft.com/t5/Office-365-Groups/Identifying-obsolete-Office-365-Groups-is-m...
Jan 04 2018 01:34 PM
Thanks for the response. When I click on your email below I get the post you made on this site, but then when I click on the link in that post, (the one going to iunity.com), I get an error about "
I'd really like to see that article, so if you have another link to it I'd love to see it.
Jan 04 2018 01:41 PM
Looks like ITUnity.com is down. I know that Blue Whale Web (the owner of the site) is revamping its properties, so this might account for the problem. The script is in the TechNet gallery at https://gallery.technet.microsoft.com/Check-for-obsolete-Office-c0020a42 (I just checked). I shall have to see if I have a copy of the article somewhere.
Jan 05 2018 08:55 AM Solution
I found a copy of the article and will republish after I refresh it (eighteen months is a long time in the cloud). I am also going to update the script so that it reports some information about Teams... You'd have to do the work to generate email etc., but that's not all that hard.
Jan 05 2018 09:16 AM
Thanks for your help with this. I'm extremely dangerous with PowerShell, so I'm more than happy to copy and paste someone else's work. Especially someone who knows what they are doing. :)
Jan 05 2018 10:21 AM
Just because someone can write a script is no indication of proficiency. At this point in my career, I am a hacker rather than a programmer, and proud to say that I enjoy hacking with PowerShell.