MC365410: Suspicious Connector Activity Alert

Updated August 9, 2022: We have updated the rollout timeline below. Thank you for your patience.

Updated July 7, 2022: We have updated the rollout timeline below. Thank you for your patience.

As a security platform, we strive to continuously improve and protect our customers. In May, we plan to start rolling out a new alert for suspicious activities in an inbound connector. For information on connectors, please visit Configure mail flow using connectors in Exchange Online | Microsoft Docs.

When this will happen

We will begin rolling out in late May and expect to complete by late August (previously late July).

How this affects your organization

When suspicious activity (for example: compromise) is detected, relayed mails will be blocked from the inbound connector, and the administrator will receive an email notification and an alert under https://security.microsoft.com/alerts. This alert will provide guidance on how to investigate, revert changes and unblock a restricted connector. To learn how to respond to this alert, please visit: Responding to a Compromised Connector.

Additionally, we will introduce some new changes in the existing Restricted users page (https://security.microsoft.com/restrictedusers) in order to support this improvement. The changes are the following:

Current Experience

Future Experience

To learn how to remove a blocked connector from the Restricted entities page, please visit Remove Blocked Connector From Restricted Entities Portal.

What you can do to prepare

Impacted customers are recommended to become familiar with the following instructions before rollout happens.

• Responding to a Compromised Connector
• Remove Blocked Connector From Restricted Entities Portal

Message ID: MC365410
Published: 29 April 2022
Updated: 09 August 2022
Platform: Online, World tenant