Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Stop external emails being sent directly to the onmicrosoft.com aliases

My organisation is using a third-party mail gateway in front of Office 365. However, we have discovered that sending emails directly to the aliases @<domain>.mail.onmicrosoft.com and @<domain>.onmicrosoft.com bypasses our mail gateway, allowing malicious emails through.

It should be made clear that these aliases should be locked down either by a transport rule or by being able to change the MX records, the latter not being possible at this time.

90 votes

James Kramer shared this idea

9 comments

  • RazvanB commented

    You can create an Inbound connector which allows emails only from your Edge server by checking its certificate:

    New-InboundConnector -Name "Reject mail not routed through MX" -ConnectorType Partner -SenderDomains * -RestrictDomainsToCertificate $true -TlsSenderCertificateName <on-premises certificate subject domain> -RequireTls $true

  • Kevin commented

    If you have a third-party spam filtering service and do not want to allow messages that haven't gone through it, you could make a connector that redirects messages with no headers from the filtering service to the spam filtering service, to be filtered.

    Or, alternatively, just add a transport rule so that anything received from somewhere other than the spam filtering service gets rejected.

  • roro commented

    As the email resolves to the primary domain alias, you can use the header and a regular expression for this. It would be something like this:

    If the message...
    'To' header matches the following patterns: '[[\w]-.@]+onmicrosoft.com'
    and Is received from 'Outside the organization'
    Do the following...
    Deliver the message to the hosted quarantine.
    Except if...
    sender ip addresses belong to one of these ranges: '1.1.1.1'

  • Speaker commented

    As mentioned below.

    Unfortunately, the email resolves to the primary domain alias, so it won't hit the transport rules. Still looking for a solution.

  • Vinod commented

    M0355 should be able to fix this basic loophole!
    Alternatively, run a rule to deny all messages from @domain.onmicrosoft.com reaching users' mailboxes.

  • Bestofluckmicrosoft commented

    This is a big security loophole, and it is really unfortunate that Microsoft is not looking into it seriously. The same issue happened to us and we raised a ticket with Microsoft, but they don't have any solution yet :(

    It's sad!

  • Aldrich commented

    We found that most organisations don't know that the domain.Microsoft.com address is available on their accounts and that it's not protected. This is targeted by attackers now, and Microsoft doesn't have a solution to block incoming email to this address.

  • Anonymous commented

    Unfortunately, the email resolves to the primary domain alias, so it won't hit the transport rules. Still looking for a solution.

  • Jacob S commented

    All you need is a transport rule that says,
    If the message...
    recipient's address domain portion belongs to any of these domains: 'domain.onmicrosoft.com'
    and is received from 'Outside the organization'

    Do the following...
    Delete the message without notifying the recipient or sender

    Put that at the top of your rules and you're done. Maybe this should be the default, or they should walk you through doing this when you add an external domain. I'm sure that there are some people that are using the domain.onmicrosoft.com domain for email.
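The rule Jacob S describes (with the sender-IP exception from roro's version, so mail that did come through the gateway is still accepted) can be created from Exchange Online PowerShell instead of the admin centre. The script below is an added example, not from any commenter in this thread or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, and the tenant prefix `contoso` and the gateway addresses in `$GatewayIPs` are placeholders to replace with your own values.

```powershell
# Added example (not from the original thread). Assumes Exchange Online PowerShell
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).
$TenantPrefix = "contoso"                            # hypothetical tenant prefix; use your own
$GatewayIPs   = @("203.0.113.10", "203.0.113.11")    # hypothetical gateway egress IPs (TEST-NET-3); use your own
$RuleName     = "Block direct delivery to onmicrosoft.com aliases"

Connect-ExchangeOnline

# 1. Mail from outside the organisation, addressed to either onmicrosoft.com domain,
#    is rejected unless it arrived from one of the gateway's IP addresses.
#    Priority 0 puts the rule at the top so later rules cannot act on the message first.
#    Mode Audit logs matches without enforcing; switch to Enforce once the audit shows
#    no legitimate traffic is hit.
New-TransportRule -Name $RuleName `
    -Priority 0 `
    -FromScope NotInOrganization `
    -RecipientDomainIs @("$TenantPrefix.onmicrosoft.com", "$TenantPrefix.mail.onmicrosoft.com") `
    -ExceptIfSenderIpRanges $GatewayIPs `
    -RejectMessageReasonText "Mail must be routed through the organisation's mail gateway" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit

# 2. Verify what was created, including the exception list.
Get-TransportRule -Identity $RuleName |
    Format-List Name, Priority, State, Mode, FromScope, RecipientDomainIs, ExceptIfSenderIpRanges, RejectMessageReasonText

# 3. See who has been delivering straight to the alias domains over the last week,
#    which is the traffic the rule will start blocking once it is set to Enforce.
$end   = Get-Date
$start = $end.AddDays(-7)
Get-MessageTrace -StartDate $start -EndDate $end |
    Where-Object { $_.RecipientAddress -like "*.onmicrosoft.com" } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status
```

Jacob S's rule silently deletes the message; that is `-DeleteMessage $true` in place of the two `-RejectMessage*` parameters. Rejecting with 5.7.1 is used here because the bounce tells a misconfigured legitimate sender why their mail was refused. If the gateway tags messages with a header rather than sending from a fixed set of IPs, Kevin's approach maps onto `-ExceptIfHeaderContainsMessageHeader` and `-ExceptIfHeaderContainsWords` instead of `-ExceptIfSenderIpRanges`.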
