
Recently had an Office 365 account compromised from a phishing website, which then sent out a mass-mail. Their email otherwise continued to function. Seeing the spam mail, I blocked the phishing site and reset the user's password. When they logged back in they weren't able to receive or send email, presumably because they were automatically added to "Restricted Users" in Office 365 Security & Compliance.

I removed them from this list by selecting to "Unblock" their account, but mail flow has not been restored several hours later.

I've been checking wherever I can think of in the Microsoft 365 admin center, Security & Compliance and Exchange admin center (including Get-BlockedSenderAddress through Exchange Online PowerShell, as suggested on Removing a user from the Restricted Users portal after sending spam email) for something I've missed, but I can't seem to find the issue.

Any suggestions on where I should look? I haven't found any indication of an error, although there's probably one somewhere. For instance, mail sent from the account appears in "Sent" although it goes nowhere. Outlook and web-based mail are behaving the same. I feel like I'm missing something obvious?

2 Answers


Glad to know you resolved this issue yourself. You could mark it as the answer.

Or you could also use message tracking to check which process is blocking this message. How to Tell Which Transport Rule Was Applied to an Email Message https://practical365.com/exchange-server/tell-transport-rule-applied-email-message/

Jayce

Solved. Apparently the compromise created this incoming mail rule:

If a message arrives in my inbox, delete the message, mark the message as Read and stop processing more rules on this message.

I then selected the conversations from "Deleted Items" and did right click -> Stop ignoring.

  • One of our users was restricted for sending out suspicious emails based on our spam policy. We unblocked the user; a few hours later the user was able to send out emails, but did not see emails coming in. I logged in as the user, searched her RSS Feeds folder and found all the incoming emails there. I then went into settings - rules - and noticed the "If a message arrives in my inbox, mark the message as Read, move the message to the folder 'RSS Feeds' and stop processing more rules on this message." Not sure why this exists, but after unchecking this option we tested her emails and it works. – RJCad Jun 03 '21 at 14:26
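The two findings in this thread (a post-compromise inbox rule that deletes mail, and a variant that moves it to "RSS Feeds" and marks it read) can be checked from Exchange Online PowerShell rather than by clicking through each mailbox. The script below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the person running it has Exchange admin rights, and it uses a placeholder mailbox address that you replace with the affected user's UPN. It first runs the message trace that Jayce's answer suggests, then triages the mailbox's inbox rules for the hide-or-forward pattern the accepted answer and RJCad's comment describe. A trace that reports Delivered for mail the user never sees is the tell that the loss is happening inside the mailbox (an inbox rule, or ignored conversations) rather than in transport or spam filtering.

```powershell
# Added example (not part of the original post): triage a mailbox after a
# phishing compromise by (1) confirming mail is actually being delivered and
# (2) listing inbox rules that hide or forward mail. Assumes the
# ExchangeOnlineManagement module and Exchange admin rights.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Placeholder (assumption): replace with the compromised user's UPN, or set to
# $null to sweep every mailbox in the tenant.
$Target = 'compromised.user@contoso.example'

# Step 1: message trace for the last 48 hours. Mail deleted by an inbox rule
# still shows Status = Delivered here, which separates "never arrived" from
# "arrived and was hidden".
if ($Target) {
    Get-MessageTrace -RecipientAddress $Target `
                     -StartDate (Get-Date).AddHours(-48) -EndDate (Get-Date) -PageSize 500 |
        Select-Object Received, SenderAddress, Subject, Status |
        Sort-Object Received -Descending | Format-Table -AutoSize
}

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] $Rule)
    # Flag rules that hide mail (delete, or move + mark as read, as in this
    # thread) or that send it elsewhere (forward / redirect). Benign rules can
    # match too, so treat this as a triage filter, not a verdict.
    $hides  = $Rule.DeleteMessage -or ($null -ne $Rule.MoveToFolder -and $Rule.MarkAsRead)
    $exfil  = ($Rule.ForwardTo.Count -gt 0) -or
              ($Rule.ForwardAsAttachmentTo.Count -gt 0) -or
              ($Rule.RedirectTo.Count -gt 0)
    return [bool]($hides -or $exfil)
}

# Step 2: enumerate inbox rules and keep only the suspicious ones.
$mailboxes = if ($Target) { @(Get-Mailbox -Identity $Target) }
             else         { Get-Mailbox -ResultSize Unlimited }

$findings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { Test-SuspiciousInboxRule $_ } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Identity, Name, Enabled, Priority, DeleteMessage, MarkAsRead,
                      MoveToFolder, StopProcessingRules, ForwardTo, RedirectTo, Description
}

$findings | Format-List

# Step 3 (opt-in): disable rather than delete flagged rules so the rule body is
# preserved for the incident record; remove them only once documented.
$Contain = $false
if ($Contain) {
    foreach ($f in $findings) {
        Disable-InboxRule -Identity $f.Identity -Confirm:$false
    }
}
```

Run it read-only first and review the listed rules; the "RSS Feeds" case shows why a move-and-mark-read rule belongs on the list even though it never deletes anything. Disabling keeps the rule definition in place as evidence, which is what you want when writing up how the account was used after the phish.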