3

Yesterday my company was hit with a new trojan that uses the old social method of "it came from someone I trust" to suspend users' suspicion (and rationality), and it was opened and run.

During the course of finding, containing, and eliminating this thing I used the Exchange Online (Office 365) Transport Rules to block all outgoing email from the infected users (and send me the blocked message). After I was sure that the bug was squished I unchecked the Transport Rules, but found that the users still could not send. Then I deleted the Transport Rules and tested with one user: some messages went through, while some got blocked.

I used PowerShell to log in, and Get-TransportRule does not show the rules that are still (occasionally, randomly) blocking these users after half an hour.

How long is it supposed to take? How long until I start a ticket process? Or did I miss something?

Alderin
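The containment procedure the question describes (block outbound mail from the suspect senders, have copies sent to the responder, then stand the rule down and verify it is gone), as an added PowerShell example that is not part of the original post. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline); the tenant name contoso.com, the two mailboxes, the analyst address and the rule name are placeholders I chose for illustration.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement is installed
# and that the account running it holds a role that may manage mail flow rules.
Connect-ExchangeOnline -ShowBanner:$false

$infected = @('alice@contoso.com', 'bob@contoso.com')   # constructed sample senders
$analyst  = 'secops@contoso.com'                        # placeholder responder mailbox
$ruleName = 'IR-Contain-outbound'                       # placeholder rule name

# 1. Containment. Every message from the suspect senders that is addressed outside the
#    organisation is redirected to the responder instead of being delivered, which gives
#    you both the block and a copy of what the trojan tried to send. Priority 0 puts the
#    rule ahead of any other rule, and the comment records why it exists.
New-TransportRule -Name $ruleName `
    -From $infected `
    -SentToScope NotInOrganization `
    -RedirectMessageTo $analyst `
    -Mode Enforce `
    -Priority 0 `
    -Comments "IR containment, created $(Get-Date -Format u)" | Out-Null

# 2. Standing down. Disabling leaves the rule in the tenant with State = Disabled;
#    only Remove-TransportRule drops it. Record when you removed it, because that
#    timestamp is what you compare message-trace events against afterwards.
Disable-TransportRule -Identity $ruleName -Confirm:$false
Get-TransportRule -Identity $ruleName | Format-List Name, State, Priority, WhenChanged
Remove-TransportRule -Identity $ruleName -Confirm:$false
$removedAt = Get-Date
"Rule '$ruleName' removed at $($removedAt.ToString('u'))"

# 3. Verification. Confirm the rule is no longer returned, then review any remaining
#    rule that carries a From predicate so a second, older rule is not the real culprit.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' is still listed; re-check before closing the incident."
}
Get-TransportRule | Where-Object { $_.From } |
    Format-Table Name, State, Priority, From -AutoSize
```

Mail submitted after $removedAt that the trace still attributes to the rule is the propagation lag the thread is about, not a rule you forgot; Get-TransportRule reflects the stored configuration, while the transport service picks the change up on its own schedule.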

2 Answers

5

Changes to Transport Rules take effect after about 15 minutes in my experience.

In Azure AD, the process called Forward Sync is leveraged to push updates to objects throughout the infrastructure. I do not know if Transport Rules are objects that use this mechanism or if it is a separate Exchange process.

In O365, this will really depend on your organization's size and distribution throughout Microsoft's datacenters. I have 10,000+ users in O365 Shared, so things take a while.

Specifically, the Technet articles for Exchange Online and Exchange 2013 differ. Exchange 2013 help explains that replication time for transport rules relies on Active Directory replication. I can only hope/assume that Exchange Online uses the Azure AD solution, but there is no mention of it whatsoever in the Exchange Online help.

blaughw
  • Thanks, that's about what I expected. My organization is just over 100 users, so I wouldn't expect it to take quite so long. – Alderin Nov 04 '15 at 20:57
  • It will _really_ depend where each user is. Even if you only have 100, they're likely spread out to various datacenters. If you do just a simple `Get-Mailbox` in Exchange Powershell, you will see that `ServerName` is likely different for a wide number of users. The first 3 characters in ServerName are the location prefix. I haven't been able to nail down these codes to exact locations for every site yet. – blaughw Nov 04 '15 at 21:24
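The `ServerName` check from the comment above, carried through as an added example that is not part of the answer: it groups every mailbox by the three-character prefix of `ServerName` so you can see how many distinct locations even a 100-user tenant is spread across. It assumes the ExchangeOnlineManagement module and that `Get-Mailbox` returns `ServerName` for your mailboxes.

```powershell
# Added example (not from the answer). Assumes an existing Exchange Online session.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ServerName } |                       # skip objects with no server value
    Group-Object { $_.ServerName.Substring(0, 3).ToUpper() } |  # location prefix per the comment
    Sort-Object Count -Descending |
    Select-Object @{n='Prefix'; e={ $_.Name }},
                  Count,
                  @{n='Sample'; e={ ($_.Group |
                        Select-Object -First 3 -ExpandProperty PrimarySmtpAddress) -join ', ' }} |
    Format-Table -AutoSize
```

Each row is one prefix; several rows for a small tenant is the normal case the comment describes, and users under different prefixes can see a rule change land at different times.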
1

I would run a quick trace (well as quick as O365 will let you run a detailed trace) to be sure it's the transport rule causing the problem. For the most part I find they kick in and out pretty quick. I think the longest I waited to see one work was 10 minutes. I'm not sure what the official line is. I would definitely open a ticket - it will take a couple hours for them to get back to you anyway.

If you had some outgoing issues - it's possible Microsoft detected it and has blocked some users for you. If that's the case - you have to open a ticket to get them unblocked as well.

Jesus Shelby
  • The rule was configured to send me a report for each blocked message, so I am sure it is the rule still applying because I am getting the report. I couldn't find an "official line" either. Thanks for the advice, I've opened a ticket. – Alderin Nov 04 '15 at 21:00
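The trace this answer recommends, as an added PowerShell example that is not part of the original answer: it pulls the message trace for a suspect sender from the time the rule was removed, then drills into each message's detail events to see whether a transport rule acted on it, and separately lists non-delivered messages with no rule event, which would point at something other than the rule (for example an outbound restriction Microsoft applied to the sender, as the answer mentions). It assumes the ExchangeOnlineManagement module; the sender address and the removal time are placeholders.

```powershell
# Added example (not from the answer). Assumes an existing Exchange Online session.
$sender    = 'alice@contoso.com'            # placeholder: one of the formerly contained users
$removedAt = (Get-Date).AddHours(-1)        # placeholder: the time you deleted the rule
$now       = Get-Date

# Summary trace: one row per sender/recipient pair with a Status such as Delivered,
# Failed or Pending. Message trace data lags submission by some minutes, so re-run
# this if a message you just sent is missing.
$trace = Get-MessageTrace -SenderAddress $sender -StartDate $removedAt -EndDate $now

# Detail events: the per-message event list contains an entry for each transport rule
# that fired, with the rule name in Detail. The Event text is matched loosely because
# its exact wording differs between tenants and service versions.
$ruleHits = foreach ($m in $trace) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Where-Object { $_.Event -like '*rule*' } |
        Select-Object @{n='Received';  e={ $m.Received }},
                      @{n='Recipient'; e={ $m.RecipientAddress }},
                      Event, Detail
}

"Messages from $sender since $($removedAt.ToString('u')) on which a transport rule acted:"
$ruleHits | Sort-Object Received | Format-Table -AutoSize

# Messages that were not delivered and show no rule event at all are the ones to take
# to support: the transport rule did not touch them, so the cause lies elsewhere.
$hitIds = $ruleHits | ForEach-Object { "$($_.Received)|$($_.Recipient)" }
"Non-delivered messages with no transport rule event:"
$trace | Where-Object {
    $_.Status -ne 'Delivered' -and ($hitIds -notcontains "$($_.Received)|$($_.RecipientAddress)")
} | Format-Table Received, RecipientAddress, Status -AutoSize
```

A row in the first table dated after the removal time whose Detail names the deleted rule is the propagation delay discussed in the thread; a row in the second table is the case where you need a ticket regardless of how long you wait.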