Help Desk - Common Account Problems After Accounts Disabled by Security are Re-Enabled
Background:
If UW-Madison's Office of Cyber Security determines a NetID account has been compromised, the Office of Cyber Security proactively disables the account. This is done to prevent further damage to a user's personal information as well as stop a phishing message from spreading to other users' email inboxes, putting them at risk.
The best way to avoid account complications is to follow good personal security measures and always be skeptical of emails soliciting login information. You can learn more about phishing here: Microsoft 365 - Learn about junk email and phishing.
More on how UW-Madison users can recover their account after it was disabled because they replied to a phishing email can be found here: Phishing Detection and Remediation.
Some of the measures taken by UW-Madison's Office of Cyber Security to ensure user protection can cause temporary errors with NetID and Microsoft 365 email login as well as email delivery. Additionally, users may sometimes experience issues related to account changes made while the account was compromised but before UW-Madison disabled the account. The following are the most common errors the Help Desk has seen after a user reactivates their NetID, along with their solutions.
Common Errors, Problems, and Irregularities:
No New Emails Arrive in the Inbox, Even on Outlook Online
Problem:
Since being able to log into the account again, you have noticed that no new emails have arrived in the inbox, even if you send test emails to yourself.
Cause:
Some sophisticated phishing attacks automatically add an inbox rule to your Microsoft 365 inbox, so they can send large amounts of spam emails from your email account without you receiving any bounce back emails, emails from the Microsoft 365 "Postmaster", or emails from others replying to the spam emails alerting you that your account has been compromised.
Solution:
- Delete the inbox rule that appears to either delete all incoming messages, or messages from "Postmaster". For instructions, see: Microsoft 365 (Outlook on the web | Outlook for Windows/MacOS) - Using Inbox Rules.
- You can now attempt to recover items that have been deleted during the existence of that inbox rule. Use Microsoft's instructions to recover a deleted item. Important: At this time, Outlook 2016 for Mac does not have the ability to restore an item - use Outlook on the web instructions instead.
Note: If you are unable to recover deleted messages using that step, there are no further steps you can take. UW-Madison does not keep backups of Microsoft 365 email messages.
- Send yourself a test email to check your work.
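One way to spot the rule described above when a mailbox's rules have been exported for review (an added example, not UW-Madison's or Microsoft's code). It assumes the rules are in the Microsoft Graph messageRule JSON shape; the sample rules and the names NDR_SENDERS, triage_rule and suspicious_rules are constructed for illustration.

```python
# Added example: sample rules are constructed; shape follows Microsoft Graph messageRule.
NDR_SENDERS = ("postmaster", "microsoft outlook")  # bounce senders named on this page

SAMPLE_RULES = [  # constructed data, not taken from a real mailbox
    {"displayName": "Cleanup", "isEnabled": True, "conditions": None,
     "actions": {"delete": True, "stopProcessingRules": True}},
    {"displayName": "Bounces", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {
         "name": "Postmaster", "address": "postmaster@example.edu"}}]},
     "actions": {"permanentDelete": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@example.com"]},
     "actions": {"moveToFolder": "constructed-folder-id"}},
    {"displayName": "Vendor mail", "isEnabled": True,
     "conditions": {"senderContains": ["vendor.example"]},
     "actions": {"delete": True}},
]

def sender_terms(conditions):
    """Lower-cased sender names/addresses a rule's conditions match on."""
    terms = list(conditions.get("senderContains", []))
    for rcpt in conditions.get("fromAddresses", []):
        addr = rcpt.get("emailAddress", {})
        terms += [addr.get("name", ""), addr.get("address", "")]
    return [t.lower() for t in terms if t]

def triage_rule(rule):
    """Return why a rule matches the pattern described above, or None."""
    actions = rule.get("actions") or {}
    if not rule.get("isEnabled", True):
        return None  # a disabled rule cannot be hiding mail
    if not (actions.get("delete") or actions.get("permanentDelete")):
        return None
    # Ignore empty predicates so {} and {"subjectContains": []} both mean "no conditions".
    active = {k: v for k, v in (rule.get("conditions") or {}).items() if v}
    if not active:
        return "deletes all incoming messages"
    hits = sorted({t for t in sender_terms(active) if any(n in t for n in NDR_SENDERS)})
    return "deletes messages from " + ", ".join(hits) if hits else None

def suspicious_rules(rules):
    """(rule name, reason) for every rule worth reviewing before deletion."""
    return [(r.get("displayName", "<unnamed>"), why)
            for r in rules if (why := triage_rule(r))]

if __name__ == "__main__":
    for name, why in suspicious_rules(SAMPLE_RULES):
        print(f"REVIEW {name!r}: {why}")
```

A rule that deletes mail from one ordinary sender (the "Vendor mail" sample) is left alone, since the page's pattern is a rule that deletes everything or targets bounce senders.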
An Email Client Has Stopped Working, but Outlook Online Gets New Emails.
Problem:
After the account was disabled, an email client (usually a non-Outlook client) stops working or does not function correctly.
Cause:
Although all officially supported Microsoft 365 email clients use modern authentication, some users of non-Microsoft clients (e.g., Thunderbird) may require basic authentication in order to connect. Only those users (at this time, IMAP users, POP users, and users of older iOS devices) should require Microsoft 365 Password Security to be disabled. Toggling this setting may be required for newly activated NetID accounts, newly created service accounts, and accounts that have been re-enabled after compromise, but only if they are using the non-supported email clients. You can learn more about this setting here: https://kb.wisc.edu/95580.
Solution:
Switch to a Microsoft supported client that uses more secure email protocols. A list can be found here: Microsoft 365 - Which clients/protocols will be supported?
After a protocol is re-enabled, wait the amount of time specified by the Wisc Email Admin site for the change to take effect. To restore full functionality, it is often helpful to remove and re-add the email profile from the selected client.
Attempting to Log In to Outlook Online Gives the error: 'Something went wrong'
Problem:
When attempting to log in to Outlook Online at email.wisc.edu, you get the following error:
Cause:
When UW-Madison's Office of Cyber Security disables an account, Outlook Online login is temporarily disabled to prevent malicious activity. After the NetID is enabled, it can take up to 24 hours to restore full login ability on the Outlook side.
Solution:
Full login ability can take up to 24 hours to restore. If it has been over 24 hours since you had your account enabled by the Help Desk and you are still experiencing issues, try clearing your browser's cache and cookies (instructions: Clearing Browser Cache and Cookies), and restart your browser. If you continue to experience issues, contact the DoIT Help Desk: Get Help from DoIT.
You Get Email Undeliverable Replies: "A custom mail flow rule created by an admin at uwprod.onmicrosoft.com ..."
Problem:
When attempting to send outbound emails, you receive the following error: "A custom mail flow rule created by an admin at uwprod.onmicrosoft.com has blocked your message blocked due to abuse"
The email will look like this:
Cause:
There are rare times when an account has been re-enabled (after being compromised) but is not properly removed from Microsoft's block transport rule. When this occurs, you will not be able to send any messages and will receive the error listed above.
Solution:
Contact the DoIT Help Desk and mention the above error. See: Get Help from DoIT
Escalate the case to the "M365 Technical/Functional" queue so that they can remove the user from this blocked transport rule manually. Be sure to include a non-wisc.edu email in the Alt Contact section.
You Get Email Undeliverable Replies to Emails You Are Sending
Problem:
When you attempt to send an email message, you quickly get a response from 'Microsoft Outlook', 'Postmaster', or 'Delivery Notice' saying a message could not be delivered.
Causes and Solutions:
The cause of the problem depends on the error you are getting. Most messages will be under the 450 4.5.3 SMTP error code. Read the undeliverable message and try to find the following:
- Error: 'Excessive email sent external this hour' or 'Excessive email sent today.' including the error responses "Excessive email sent external this hour - Please contact support for better mass email alternatives - 1,000 limit per hour", "Excessive email sent this hour - Please contact support for better mass email alternatives - 40,000 limit per hour", or "Excessive email sent today - Please contact support for better mass email alternatives - 50,000 limit per day"
Cause: While the account was compromised, it sent more spam emails to others than the maximum daily limit of emails allowed from the account.
Solution: You will need to wait up to 24 hours for the email counter to reset.
- Error: 'Excessive email sent today' including the error responses "The delivery has failed to these recipients or groups: your message couldn't be delivered, your email address is suspected of sending spam and can't send outside of your organization. Please contact your email admin.", or "The message couldn't be delivered because you weren't recognized as a valid sender. The most common reasons for this is that your email address is expected of sending spam and its no longer able to send messages outside of your organization. Contact your email admin for assistance."
Cause: Sending emails outside of wisc.edu is blocked by Microsoft when an account is flagged for phishing. The Help Desk tool that re-enables accounts should remove this block but can fail on specific occasions.
Solution: Typically this error will go away within 24 hours after the account is re-enabled as the change propagates through the email system. If this issue is still occurring and 24 hours have passed since the account was re-enabled, contact the DoIT Help Desk and request that your email be unblocked.
Follow the instructions for unblocking an account blocked by Microsoft. See: [Link for document 66703 is unavailable at this time]
Getting other undeliverable errors? See: Microsoft 365 / WiscMail / WiscMail Plus - Understanding SMTP errors
DO NOT escalate incidents regarding mail delivery issues until 24 hours have passed since the account was re-enabled.
Lots of Emails from 'Postmaster' or 'Microsoft Outlook'
Problem:
In the email inbox, there are lots of emails from either 'Postmaster' or 'Microsoft Outlook'
Cause:
When the account was compromised, the email account was sending large amounts of spam emails to other UW-Madison students and faculty. Some of the messages resulted in an undeliverable reply because the account either reached the max email send limit for the day or sent to an invalid email address.
Solution:
Delete the messages. There is not a way to select all and delete, but you can check multiple emails on a page and press Delete.
An Account is Disabled Shortly After it was Re-enabled
Problem:
After an account was re-enabled, it is disabled again shortly after.
Cause:
When setting a new password during the recovery procedure, the new password that was set was either too similar to the old password or too weak.
Example: The old password that was compromised was Bucky1, and the new one was set to be Bucky2.
Solution:
During the next account recovery, set a stronger password and make it completely different than the old one.