Microsoft 365 Defender: User restricted from sending email

Problem/Incident

Technical Scenario: A user sends bulk emails exceeding the limits defined by the organization's policy. As defined in the Anti-spam outbound policy (Default), the user is added to the Restricted users page in the Microsoft 365 Defender portal. When they try to send an email, the message is returned in a non-delivery report (also known as an NDR or bounce message) with the following text:

"Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send email. Contact your email admin for assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender'."

Note: A distribution group is considered as a single recipient.

If a user exceeds one of the outbound sending limits as specified in the service limits or in outbound spam policies, the user is restricted from sending email, but they can still receive email. Microsoft 365 will notify the tenant admins when a user gets restricted.

Use the Microsoft 365 Defender portal to remove a user from the Restricted users list.

  1. In the Microsoft 365 Defender portal, go to Email & collaboration > Review > Restricted users.
  2. On the Restricted users page, find and select the user that you want to unblock by clicking on the user.
  3. Click the Unblock action that appears.
  4. In the Unblock user flyout that appears, read the details about the restricted account. You should go through the recommendations to ensure you’re taking the proper actions in case the account is compromised. When you’re finished, click Next.
  5. The next screen has recommendations to help prevent future compromise. Enabling multi-factor authentication (MFA) and resetting the password are a good defense. When you’re finished, click Submit.
  6. Click Yes to confirm the change.

Note: It might take up to 1 hour for all restrictions to be removed from the user. If the user account is still not unblocked after that, raise a Microsoft support ticket.

User getting restricted repeatedly!

If the user is restricted repeatedly, create a custom anti-spam outbound policy in which you exclude the email addresses that send above the limit, as shown below (figure 01). If this sending activity is unusual for the user, first take the necessary steps to validate whether the mailbox is compromised.

The Anti-spam outbound policy (Default) still applies to the users excluded from the custom anti-spam outbound policy, so you also need to increase the limits on the Default policy, as shown below.

Microsoft Defender for Office 365 protection is configured by the organization’s security team through policies in the Microsoft 365 Defender portal (Email & collaboration > Policies & rules > Threat policies). The setting below is under Anti-spam policy, which protects the organization’s email from spam, including the actions to take when spam is detected.

Figure 01 – Custom Anti-spam outbound policy

The default Anti-spam outbound policy (figure 02) needs its limits increased, because it applies to the users who are excluded from the custom anti-spam outbound policy shown above (figure 01).

Figure 02 – Default Anti-spam outbound policy
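The same unblock check and policy changes can be done from Exchange Online PowerShell (ExchangeOnlineManagement module). This is an added example, not part of the original article; the admin UPN, sender address, domain, policy name and limit values are placeholders to adapt to your tenant.

```powershell
# Added example: restricted-user handling via Exchange Online PowerShell.
# All addresses, names and limits below are assumptions, not values from the article.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'   # placeholder admin UPN

$sender = 'bulk.sender@contoso.com'   # placeholder: the user on the Restricted users page

# 1. Confirm the user really is on the Restricted users list before changing anything.
Get-BlockedSenderAddress -SenderAddress $sender | Format-List

# 2. Validate the mailbox is not compromised before unblocking (the portal flyout gives
#    the same recommendations): inbox rules and mailbox forwarding the user did not
#    create are common signs of a compromised account.
Get-InboxRule -Mailbox $sender |
    Format-Table Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo
Get-Mailbox -Identity $sender |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Remove the restriction (equivalent to Unblock in the portal).
#    As the article notes, allow up to 1 hour for the restriction to clear.
Remove-BlockedSenderAddress -SenderAddress $sender

# 4. Custom outbound spam policy covering the tenant's domain, with the known bulk
#    sender excluded (figure 01). Placeholder limits; tune them to your organization.
New-HostedOutboundSpamFilterPolicy -Name 'Standard users outbound' `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 1000 `
    -ActionWhenThresholdReached BlockUser
New-HostedOutboundSpamFilterRule -Name 'Standard users outbound' `
    -HostedOutboundSpamFilterPolicy 'Standard users outbound' `
    -SenderDomainIs 'contoso.com' `
    -ExceptIfFrom $sender

# 5. The Default policy now applies to the excluded bulk sender, so raise its limits
#    (figure 02). Placeholder values again; keep BlockUser so abuse is still stopped.
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' `
    -RecipientLimitExternalPerHour 2000 `
    -RecipientLimitInternalPerHour 4000 `
    -RecipientLimitPerDay 8000 `
    -ActionWhenThresholdReached BlockUser

# Review the resulting policies and their rules.
Get-HostedOutboundSpamFilterPolicy | Format-List Name, RecipientLimit*, ActionWhenThresholdReached
Get-HostedOutboundSpamFilterRule | Format-List Name, SenderDomainIs, ExceptIfFrom, Priority
```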
