UPDATE : Microsoft blocked my CPA client's emails the day before the tax deadline
Posted by Lord_Amoux@reddit | sysadmin | View on Reddit | 34 comments
Original post: https://www.reddit.com/r/sysadmin/comments/1smki1f/microsoft_blocked_my_cpa_clients_emails_the_day/
After no response from Microsoft for 15 hours, we received an email this morning from Microsoft.
"Our backend engineer has provided the reason for the access block. The block is related to the following applications that were created in the tenant:
AVANAN Cloud Security Platform – Emails V2
Huntress Security Platform (Direct)
To proceed with the remediation, could you please revoke the access for these applications from the Entra Admin Center"
Two enterprise applications with verified publishers. Huntress, a company that literally collaborates with Microsoft for their security services, is what Microsoft calls a reason for blocking an entire tenant for 3 days from sending out any emails.
So what does that mean? Everyone that uses Huntress or Avanan will be blocked from emailing? Guess we'll find out.
PCLOAD_LETTER@reddit
You got a response from MS in 15 hours?
GeorgeWmmmmmmmBush@reddit
We honestly give MS too much of our money for them to jerk us around as much as they do.
nut-sack@reddit
You should demand competent support that resides in the US.
Royal_Bird_6328@reddit
Very bizzare. What do the message trace results say?
Lord_Amoux@reddit (OP)
All they say is that "Office 365 received the message that you specified, but couldn't deliver it to the recipient" Error: The message was not delivered.
Antarioo@reddit
As long as the email signature reads indian names you've not moved past the gopherdesk and they're throwing copilot hallucinations at you.
humor them for as little as you possibly can and press extremely hard for an escalation to a technical team.
but be prepared for this to take several weeks to accomplish
Lord_Amoux@reddit (OP)
Fortunately, Pax8 has looped us in with a VP of the Power Platform at MS
CFH75@reddit
What does a message trace say?
Secret_Account07@reddit
I’ve been following this journey as I’m interested
If I had to guess OP didn’t do anything wrong. Why one tenet with same config? Volume doesn’t explain it either imo. Even as a percentage that’s quite low in increase
If MS wants to do this they need to articulate the real reason. Even something.
That’s like if you shut down my env and said it was cuz of Defender. Like uhh okay what?
CeC-P@reddit
That's probably tortious interference with business as well as monopoly abuse. You should forward the email to both companies and tell them to sue.
Public_Fucking_Media@reddit
Honestly I think it could be a partial red herring...
NDR 5.7.705 is absolutely caused by Microsoft's automated tools, so it was picking up SOMETHING anomalous coming from your domain - since its tax season and ya'll are small, it could be a bunch of different things combined even (significant increase in sends, significant increase in new domains sent to, increase in attachments, hell even an increase in "financial" type emails I've seen get flagged)
On top of THAT, I'm pretty sure Avanan v2 does use its access to read (and stop malicious) email as it goes out, and that manipulation might be getting seen by Microsoft, so they want you to turn it all off as well.
Lord_Amoux@reddit (OP)
They do have more emails sent relatively speaking in the last month or so... but context should be taken into account and it's probably not with any of MS automation. This is an office that works in tax preparation, so of course they will have a spike in sent and received as the tax deadline comes. But even here, we're talking an increase of maybe 100-150 emails over baseline.
I think Avanan monitors outgoing but we do not have inline protection enabled in Advanced Settings for Outbound email. Only inbound.
Public_Fucking_Media@reddit
Nobody does that kind of email context-taking, consider the scale at which Microsoft sends emails it would be impossible...
Lord_Amoux@reddit (OP)
Then it shouldn't be automatically blocked with no quick way to resolve it. We're talking 300 emails over a week causing a full stop. In my experience, every time I've seen a tenant block it's because there's an obvious spam campaign going on and thousands upon thousands of emails are sent out at the exact same time.
Even then, it took Microsoft less time to unblock those tenants...
Sobeman@reddit
Yea I don't really believe that's the issue. Either you have grossly misconfigured these applications or you are getting a copilot response
Lord_Amoux@reddit (OP)
We have ~ 30 other tenants running the same stack with no issue in the same configurations
Woeful_Jesse@reddit
My guess is maybe some automated tool thought anything sending copies of all mail was a malicious man in the middle attack?
Nate379@reddit
That's insane, we run both of those with almost every client we have.
Lord_Amoux@reddit (OP)
u/huntresslabs have you had any similar incidents with Microsoft?
seriously_a@reddit
That’s very concerning as we use a similar stack.
Hopefully huntress and avanan chime in with insights.
cubic_sq@reddit
Avanan is the most commonly misconfigured mail filter.
What we see - when avanan injects mail back into the tenant, the tenant then performa a dmarc compliance check. And bang.. mails are rejected or quarantines.
Lord_Amoux@reddit (OP)
It’s not that Avanan itself is doing any rejection in this case. We removed it yesterday for testing and the emails were still blocked from outgoing. MS is telling us that having the enterprise applications installed in the tenant are the reason it was flagged and blocked.
cubic_sq@reddit
One case late last year we were involved with (not our customer, was the other aide) “removing avanan” did. To actually remove it we needed to cleanup the enterprise app as well (meaning, full deletion).
Lord_Amoux@reddit (OP)
In this case they want us to fully remove Huntress and Avanan because the apps themselves are flagging the tenant to be blocked. As if they’re malicious applications
cubic_sq@reddit
Interesting. Possible that huntress behaves similarly to avanan?
Lord_Amoux@reddit (OP)
It doesn’t do anything with mail flow AFAIK, it only monitors accounts for mailbox rules, login locations, etc for anomalies
cubic_sq@reddit
Not used huntress to know ita mechanism of operation. That said, its obviously on the m$ internal kb as an issue??? Thus it must be the source of a significant number of support cases?
hdfga@reddit
Interested in hearing if they give any more info. Just having an enterprise app in your tenant should not be a reason for this - unless there was some other suspicious activity with the app.
thesysadm@reddit
We run those in tandem and no issues with our tenants… You loop in your reps so they can investigate with their M$ contacts?
Lord_Amoux@reddit (OP)
We also run them in tandem for many others with no problems. We'll be looping in the necessary people. The main issue is that a randomly cherry-picked tenant can be fully shut down for using the same applications as every other tenant.
thesysadm@reddit
Yeah, not a fan either but I also don’t trust Microsoft’s response. Can’t say much for Avanan but I feel Huntress would be all over this.
Conscious-Cut6259@reddit
Wow. Did you just onboard Huntress and Avanan or were there any big changes on your instances of those that could have caused this? Any custom API stuff? I am just wondering if you were the only one affected by this
Lord_Amoux@reddit (OP)
We onboarded them over a month ago, both applications have been working as expected. Mail flow, account monitoring, all functions have been working fine.
Witty-Culture-5978@reddit
No problem with avanan here