What happened
We saw spoofed messages and rogue auto-forward rules spreading from a few mailboxes. The root cause appeared to be attacker-created mailbox rules combined with legacy SMTP AUTH exposure, not a compromise of the mail servers.
What we did (playbook)
- Containment (no downtime): remove mailbox forwarding, delete suspicious inbox rules, and disable SMTP AUTH per mailbox (modern Outlook/OWA unaffected).
- Tenant guardrail: block external auto-forward on the default remote domain.
- After-hours cleanup: revoke sessions, reset passwords (force change), review/remove any unwanted OAuth grants.
- Hardening: enforce MFA/Conditional Access, and disable SMTP AUTH org-wide only once you have confirmed no devices or line-of-business apps (printers, scanners, monitoring) still depend on it.
- Verification: run a quick status report across affected users.
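The containment and guardrail steps above, as an added example written for this page rather than the repo's own 10-Exchange-Containment.ps1 or 30-Tenant-Guardrails.ps1. It uses the ExchangeOnlineManagement module only, reads users.csv (header UserPrincipalName), and runs with -WhatIf when -DryRun is passed. The "suspicious rule" heuristic (forwards, redirects, deletes, hides mail in folders nobody reads, or has a blank/dotted name) is an assumption you should tune for your tenant.

```powershell
# Added example (not the repo's script): per-mailbox containment + tenant guardrail.
# Assumes: Exchange admin rights, users.csv with header UserPrincipalName.
param(
    [string]$UserCsv = ".\users.csv",
    [switch]$DryRun          # pass -DryRun to log what would change without changing it
)
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

$users = Import-Csv $UserCsv | Select-Object -ExpandProperty UserPrincipalName
$log   = [System.Collections.Generic.List[object]]::new()

# Heuristic (assumption, tune for your tenant): a rule is suspicious if it
# forwards/redirects or deletes mail, moves it into folders users rarely open,
# or carries an empty or dots-only name (a common pattern in rogue rules).
function Test-SuspiciousRule {
    param($Rule)
    $hides = [string]$Rule.MoveToFolder -match 'RSS|Archive|Deleted|Junk|Conversation History'
    return [bool]($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo -or
                  $Rule.DeleteMessage -or $hides -or $Rule.Name -match '^[\s\.]*$')
}

foreach ($upn in $users) {
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "Mailbox not found: $upn"; continue }

    # 1. Clear mailbox-level forwarding (both the SMTP and directory-object forms)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
            -DeliverToMailboxAndForward $false -WhatIf:$DryRun
        $log.Add([pscustomobject]@{ User=$upn; Action='ClearForwarding';
                                    Detail="$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)" })
    }

    # 2. Delete only the rules that match the heuristic; leave legitimate rules alone
    foreach ($rule in @(Get-InboxRule -Mailbox $upn)) {
        if (Test-SuspiciousRule $rule) {
            Remove-InboxRule -Mailbox $upn -Identity $rule.Identity -Confirm:$false -WhatIf:$DryRun
            $log.Add([pscustomobject]@{ User=$upn; Action='RemoveRule'; Detail=$rule.Name })
        }
    }

    # 3. Disable legacy SMTP AUTH for this mailbox only (Outlook/OWA keep working)
    Set-CASMailbox -Identity $upn -SmtpClientAuthenticationDisabled $true -WhatIf:$DryRun
    $log.Add([pscustomobject]@{ User=$upn; Action='DisableSmtpAuth'; Detail='' })
}

# 4. Tenant guardrail: the Default remote domain governs auto-forward to every
#    external domain without its own entry, so turning it off blocks the rogue path.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false -WhatIf:$DryRun
$log.Add([pscustomobject]@{ User='(tenant)'; Action='BlockExternalAutoForward'; Detail='Default' })

$log | Export-Csv ".\containment-actions.csv" -NoTypeInformation
$log | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with -DryRun and read containment-actions.csv before the real pass: the heuristic will flag legitimate "move to Archive" rules in some tenants, and the CSV is your evidence trail for the incident record either way.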
Grab the scripts (sanitized)
The scripts are generic, contain no tenant data, and read the target users from a CSV:
- GitHub Repo: https://github.com/jetdev2731/m365-email-containment-scripts
- 10-Exchange-Containment.ps1 — clears forwarding, deletes suspicious rules, disables SMTP AUTH per mailbox
- 30-Tenant-Guardrails.ps1 — blocks external auto-forward on the "Default" remote domain
- 20-Graph-RevokeAndReset.ps1 — revokes sessions, resets passwords (force change), exports OAuth grants for review
- 40-Unblock-And-Resecure.ps1 — post-cleanup fresh reset + ensure sign-in enabled
- 90-Status-Report.ps1 — quick compliance/status check
- 00-Inputs.ps1 — loads users.csv (header UserPrincipalName), optional safety toggles
How to run (summary)
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
cd .\scripts
# Containment + tenant guardrail (no user-facing downtime):
.\10-Exchange-Containment.ps1 -OutputDir .\
.\30-Tenant-Guardrails.ps1
# After hours:
.\20-Graph-RevokeAndReset.ps1 -OutputDir .\
# Once endpoints are clean:
.\40-Unblock-And-Resecure.ps1
# Verify anytime:
.\90-Status-Report.ps1
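What the verification step should actually check, as an added example written for this page rather than the repo's 90-Status-Report.ps1. It is read-only, assumes an existing Connect-ExchangeOnline session, reads users.csv (header UserPrincipalName), and resolves the per-mailbox SMTP AUTH setting against the org default, because a mailbox value of $null means "inherit" rather than "enabled".

```powershell
# Added example (not the repo's script): read-only status report across affected users.
# Assumes: an active Connect-ExchangeOnline session; users.csv with header UserPrincipalName.
param([string]$UserCsv = ".\users.csv", [string]$OutputDir = ".")
Import-Module ExchangeOnlineManagement -ErrorAction Stop

# Tenant-level facts the per-user rows depend on
$orgSmtpAuthOff = [bool](Get-TransportConfig).SmtpClientAuthenticationDisabled
$autoForwardOff = -not (Get-RemoteDomain -Identity Default).AutoForwardEnabled

function Get-MailboxStatus {
    param([string]$Upn)
    $mbx = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
    if (-not $mbx) {
        return [pscustomobject]@{ User=$Upn; Found=$false; Forwarding=''; SmtpAuthOff=$null;
                                  RuleCount=0; ForwardingRules=0; Compliant=$false }
    }
    $cas   = Get-CASMailbox -Identity $Upn
    $rules = @(Get-InboxRule -Mailbox $Upn)

    # $null on the mailbox means "inherit the org setting", so resolve it explicitly
    $smtpAuthOff = if ($null -eq $cas.SmtpClientAuthenticationDisabled) { $orgSmtpAuthOff }
                   else { [bool]$cas.SmtpClientAuthenticationDisabled }

    # Rules that move mail off-tenant are the ones that matter for this incident
    $fwdRules = @($rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })
    $forwarding = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"

    [pscustomobject]@{
        User            = $Upn
        Found           = $true
        Forwarding      = $forwarding
        SmtpAuthOff     = $smtpAuthOff
        RuleCount       = $rules.Count
        ForwardingRules = $fwdRules.Count
        Compliant       = (-not $forwarding -and $smtpAuthOff -and $fwdRules.Count -eq 0)
    }
}

$report = Import-Csv $UserCsv | ForEach-Object { Get-MailboxStatus -Upn $_.UserPrincipalName }
$report | Export-Csv (Join-Path $OutputDir 'status-report.csv') -NoTypeInformation
$report | Format-Table -AutoSize
Write-Host ("Tenant: SMTP AUTH disabled org-wide = {0}; external auto-forward blocked = {1}" -f $orgSmtpAuthOff, $autoForwardOff)

# Non-zero exit lets a scheduled task or pipeline fail loudly if anything regressed
if (($report | Where-Object { -not $_.Compliant }) -or -not $autoForwardOff) { exit 1 }
```

Because the report exits non-zero on any drift, it can run on a schedule after the incident is closed; a reappearing forwarding rule on a cleaned mailbox is the earliest sign that an attacker still has a working credential or token.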
Lessons learned
- Turn off legacy SMTP AUTH where possible.
- Monitor and block external auto-forward org-wide.
- Enforce MFA and Conditional Access for all M365 apps.
- Regularly audit inbox rules and OAuth consents.
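The after-hours cleanup (revoke sessions, force a password change, review OAuth consents) as an added example written for this page rather than the repo's 20-Graph-RevokeAndReset.ps1. It uses the Microsoft.Graph module, reads users.csv (header UserPrincipalName), generates a random temporary password from a CSPRNG, and exports the delegated grants each user consented to so you can decide which to revoke. The Graph scopes listed and the temp-password alphabet are assumptions; adjust them to your tenant's policy.

```powershell
# Added example (not the repo's script): after-hours revoke + reset + OAuth grant export.
# Assumes: Microsoft.Graph module installed; the signed-in admin may reset these users'
# passwords (resetting other admins needs higher privilege); users.csv with UserPrincipalName.
param([string]$UserCsv = ".\users.csv", [string]$OutputDir = ".")
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions,
              Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications -ErrorAction Stop
Connect-MgGraph -NoWelcome -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All",
    "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All"

function New-TempPassword {
    # 24 chars from a CSPRNG; ambiguous glyphs (0/O, 1/l/I) left out so the value can be read aloud
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$grants = [System.Collections.Generic.List[object]]::new()
$creds  = [System.Collections.Generic.List[object]]::new()

foreach ($row in Import-Csv $UserCsv) {
    $upn  = $row.UserPrincipalName
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "User not found: $upn"; continue }

    # 1. Invalidate refresh tokens so any stolen session stops working at next token refresh
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 2. Reset to a random temporary password and force a change at next sign-in
    $temp = New-TempPassword
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $temp
        ForceChangePasswordNextSignIn = $true
    }
    $creds.Add([pscustomobject]@{ User=$upn; TempPassword=$temp })

    # 3. Export delegated OAuth grants where this user is the consenting principal,
    #    resolving the client service principal so the reviewer sees an app name
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName,AppId
        $grants.Add([pscustomobject]@{
            User=$upn; App=$sp.DisplayName; AppId=$sp.AppId; Scope=$g.Scope; GrantId=$g.Id
        })
    }
}

$creds  | Export-Csv (Join-Path $OutputDir 'temp-passwords.csv') -NoTypeInformation
$grants | Export-Csv (Join-Path $OutputDir 'oauth-grants.csv')   -NoTypeInformation
Disconnect-MgGraph | Out-Null
```

Treat temp-passwords.csv as a secret: hand the values to users out of band and delete the file once they have signed in. Revoking a grant you decide is unwanted is one call per row of oauth-grants.csv, Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>; revoking sessions alone does not remove a consent, so a malicious app keeps its access until the grant itself is gone.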
© 2012–2025 Jet Mariano. All rights reserved.