Hosted Exchange, can receive but not send

HCHTech

I have a client with about 30 employees. They are on hosted Exchange with a Microsoft tenant. The workstations are running a mix of Office 2013 and 2016. Today, one employee (running Office 2013) started getting bounce messages when she sent email to anyone, either internally or externally, as follows:

==========
Your message did not reach some or all of the intended recipients.

Subject: RE: Testing
Sent: 8/2/2017 8:22 PM

The following recipient(s) cannot be reached:

'Redacted' on 8/2/2017 8:22 PM
This message could not be sent. Try sending the message again later, or contact your network administrator. The client operation failed. Error is [0x80004005-0x80004005-0x000501].
==========

They also heard from a couple of clients that had received junk emails from this employee. Typical phishing subject line, "Remittance-Invoice for PO#23477" with a bogus Docusign link to see the invoice.

So...someone hacked her email account or something. We immediately changed her email password, and ran full malware and antivirus scans on her workstation (both came back clean). I have been through her account on the Office365 Admin and Exchange Admin screens, and nothing looks out of place, yet she still cannot send email.

Note everyone else at the company is sending and receiving email just fine.

Googling this error has not borne fruit. Old posts dealing with Exchange 2003 suggest to delete the OST file and let it recreate. Didn't help in my case.

I checked the client's domain for blacklisting - it's clean.

Then, I logged onto Office365 as the affected user and tried to send an email there. It failed as well, with this more-helpful message:

"Error: Your message can't be sent because you've reached your daily limit for message recipients"

Ok. So there you go - her account got hacked, it sent out 200 emails or whatever our limit is, and she's been cut off for the day. My first reaction is: why isn't there a big, red, flashing message when I log into the Exchange Admin that one of the users tripped this limit? Or... why doesn't the bounce message alert you to the real problem?

The next question is, I wonder what the limit is? I go through the admin screens again looking for where the limit is set and don't find it. Then, I search and find this page - Uh Oh. It looks like the built-in limit for recipients per day is....wait for it.....10,000 per day. Ouch - I hope the spammer didn't send 10K emails, but it looks like they did. There is a separate message rate limit of 30 per minute, but the error message clearly says they exceeded the daily limit for message recipients. Crap.

Ok, so now I go looking for a way to lower this limit... to no avail. I KNOW you can set these limits with on-premises Exchange. It doesn't look like you can change them with hosted Exchange. Awesome.

I think I'm going to take another run at getting this client to agree to having passwords expire more often than NEVER. We're using the standard complexity requirements, and when we first went to hosted exchange in 2014 we were using a 6-month expiration, but the first time one of the partner's passwords expired while they were travelling they requested changing the rule to never expire. I caved.

Please learn from my failure the next time one of your clients asks you to eliminate password expiration or complexity requirements.
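Added triage example from the editor, not code from the original post. It does the two things the post's admin-dashboard review could not: it confirms from the message trace how many recipients the mailbox actually sent to per day (the thread quotes a 10,000-recipients-per-day limit, so that figure is taken from the thread, not queried live), and it checks the mailbox for the persistence an attacker typically leaves behind after using an account for phishing (inbox rules that forward, redirect or delete mail, and mailbox-level forwarding). It assumes the ExchangeOnlineManagement module and an Exchange admin account; the mailbox and domain names are placeholders.

```powershell
# Added example, not from the thread. Assumes the ExchangeOnlineManagement
# module is installed and the operator is an Exchange administrator.
# All addresses below are placeholders.
$Upn = 'affected.user@contoso.com'   # placeholder: the compromised mailbox

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# 1. Pull every message-trace row sent FROM the mailbox in the last 7 days.
#    Get-MessageTrace returns one row per recipient and at most 5000 rows
#    per page, so page until a short page comes back.
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date
$Rows  = @()
$Page  = 1
do {
    $Batch = @(Get-MessageTrace -SenderAddress $Upn -StartDate $Start -EndDate $End `
                                -PageSize 5000 -Page $Page)
    $Rows += $Batch
    $Page++
} while ($Batch.Count -eq 5000)

# 2. Recipients per day. One trace row = one recipient, so the daily row
#    count is the number the "daily limit for message recipients" error
#    is measured against. The 10,000 figure is the one quoted in the thread.
$DailyLimit = 10000   # from the thread, not from a live tenant query
$Rows |
    Group-Object { $_.Received.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    ForEach-Object {
        $flag = if ($_.Count -ge $DailyLimit) { '<-- at/over daily recipient limit' } else { '' }
        '{0}  recipients={1,6}  {2}' -f $_.Name, $_.Count, $flag
    }

# 3. Who received the phish and, where the trace records it, from which
#    address it was submitted. The subject pattern is the one quoted in
#    the thread ("Remittance-Invoice for PO#...").
$Rows |
    Where-Object { $_.Subject -like 'Remittance*' } |
    Group-Object FromIP |
    Select-Object Name, Count |
    Sort-Object Count -Descending

# 4. Persistence checks. A password reset does not remove rules or
#    forwarding the attacker configured while they held the account.
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage } |
    Format-List Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder

Get-Mailbox -Identity $Upn |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

Disconnect-ExchangeOnline -Confirm:$false
```

Get-MessageTrace only reaches back about ten days; for an older incident use Start-HistoricalSearch instead. If step 4 turns up anything, Disable-InboxRule / Remove-InboxRule and Set-Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null are the corresponding remediation cmdlets; run them after, not instead of, the password reset.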
 
Open a support ticket with Microsoft in your 365 panel, they'll call you back and get you the information you need.

You can set just about everything on O365 but many things are powershell only.
 
You can also turn on logging in Office 365 to see all the failed logins from China. Hope the Microsoft security team is blacklisting these IP blocks.
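Added example from the editor, not code posted in the thread, showing what the reply above means by turning on logging and reading the failed sign-ins. It assumes an Exchange Online PowerShell session with rights to the unified audit log; the mailbox name is a placeholder. One caveat a responder needs: enabling audit log ingestion does not backfill, so it only records sign-ins from the moment it is switched on.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has
# already been run by an admin who can read the unified audit log.
$Upn = 'affected.user@contoso.com'   # placeholder

# Auditing has to be on BEFORE the events you want to see; turning it on
# after the fact only helps with the next incident.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Audit log ingestion was off; only events from now on will be recorded.'
}

# Pull Azure AD sign-in events for the user. Each record carries a JSON
# blob in AuditData with the client IP and the outcome.
$Start   = (Get-Date).AddDays(-14)
$End     = Get-Date
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -UserIds $Upn -Operations 'UserLoggedIn','UserLoginFailed' -ResultSize 5000

$Events = $Records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
}

# Summarise by source address. A run of UserLoginFailed followed by a
# UserLoggedIn from an address that is not the office is the guessing /
# credential-reuse pattern that precedes the kind of mailbox abuse the
# original post describes.
$Events |
    Group-Object ClientIP |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP  = $_.Name
            Total     = $_.Count
            Failed    = @($_.Group | Where-Object Operation -eq 'UserLoginFailed').Count
            Succeeded = @($_.Group | Where-Object Operation -eq 'UserLoggedIn').Count
            First     = ($_.Group | Measure-Object Time -Minimum).Minimum
            Last      = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } |
    Sort-Object Failed -Descending |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog caps a single call at 5000 records; for a busy account over a long window, narrow the date range or use -SessionId with -SessionCommand ReturnLargeSet to page through the rest.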
 
Open a support ticket with Microsoft in your 365 panel, they'll call you back and get you the information you need.

You can set just about everything on O365 but many things are powershell only.

So you cannot set anything I want, in fact.

Heard back on my ticket today. You can NOT lower the 10,000 per day limit. The limit used to be 3,000 per day and you could INCREASE it by asking Microsoft, but since they moved everyone to 10,000, you can't adjust it.

You cannot change the password complexity requirements. They are what they are - 8 characters minimum, and you must use 3 of the 4 character types: uppercase, lowercase, number, special.

You cannot have a minimum password age (which keeps people from changing their password 5 times in a row to get the one they want if you have a history requirement).

You cannot change the history requirement, and the default setting is only that you can't use the existing password when changing it.

Confirmed here. See the section on "Password policies that apply only to cloud user accounts".

Note that you can install and use ADConnect to synchronize your on-premises Active Directory with Office 365. If you do this, then your Active Directory password policy will override the Office 365 password policy and you can have more control. I don't think this is a path I want to go down, but it may just be worth the effort. I can imagine it going wrong about 90 different ways.
 
I think you can do all of that with E3 accounts

Do you have a link perhaps? I've done some digging, but it's not obvious. You can add their "Advanced Threat Protection" module to any plan, but I don't think that's it. I found the wonderful quote that E5 contains "Some additional security goodies", but no link to explain. Maybe they send you cookies - who knows?
 
I think you can do all of that with E3 accounts. Want enterprise level security gotta pay the enterprise rate.

I guess I'll investigate the powershell angle. The response I got from support when I asked if any of the higher level plans would support better security, was this:

"I talk to my manager and i was told that there is no option to change the password complexity, minimum password age or other options. All of the Office 365 license will give the same option that is Password never expire. The only way is using ADConnect."

So... English not their native language, I guess, but support wasn't exactly helpful - no surprise.

It seems you have more experience with O365 items than I do - have you ever successfully done a modification like this using powershell? There is no point attempting to sell them on the idea of upgrading if the goal cannot be reached.
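Added example from the editor, not a reply from a thread participant and not an answer about what any plan tier unlocks. It shows the password-policy settings that were adjustable from PowerShell in the tenant as described: re-instating the six-month expiration the original poster says was dropped, clearing the per-user never-expires flag that otherwise overrides it, and blocking the compromised account while the investigation runs. It uses the MSOnline module that was current in 2017; the domain, user names and the 180-day period are placeholders. Complexity, minimum age and history are exactly as the support answer above states: not settable here.

```powershell
# Added example, not from the thread. MSOnline was the Office 365
# administration module of the period; all names are placeholders.
Import-Module MSOnline
Connect-MsolService

$Domain      = 'contoso.com'
$Compromised = 'affected.user@contoso.com'

# 1. Tenant-level expiration. ValidityPeriod is in days (180 = the
#    six-month policy the original post describes); NotificationDays is
#    how far ahead users are warned before expiry.
Get-MsolPasswordPolicy -DomainName $Domain
Set-MsolPasswordPolicy -DomainName $Domain -ValidityPeriod 180 -NotificationDays 14

# 2. The per-user PasswordNeverExpires flag overrides the domain policy,
#    so the domain setting alone does nothing for users who carry it.
#    List them first, then clear the flag.
$NeverExpires = Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires }
$NeverExpires | Select-Object UserPrincipalName, LastPasswordChangeTimestamp
$NeverExpires | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -PasswordNeverExpires $false
}

# 3. The hijacked account: a password reset by itself does not end
#    sessions that already hold a token. Block sign-in until remediation
#    is complete, then unblock. (Revoking refresh tokens needs the
#    separate AzureAD module: Revoke-AzureADUserAllRefreshToken -ObjectId <id>.)
Set-MsolUser -UserPrincipalName $Compromised -BlockCredential $true
# ... reset password, remove rules/forwarding, review sign-ins ...
# Set-MsolUser -UserPrincipalName $Compromised -BlockCredential $false
```

Both MSOnline and AzureAD have since been retired in favour of Microsoft Graph PowerShell; the equivalents there are Update-MgDomain -DomainId <domain> -PasswordValidityPeriodInDays 180 -PasswordNotificationWindowInDays 14 for step 1, Update-MgUser -UserId <upn> -PasswordPolicies 'None' for step 2, and Update-MgUser -UserId <upn> -AccountEnabled:$false plus Revoke-MgUserSignInSession -UserId <upn> for step 3.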
 