Office 365 / Exchange Hybrid Security Issue

I have recently determined a major security issue related to deleted mailboxes in an Office 365 Hybrid environment. Our former decommission process for accounts was to allow Office 365 to delete the mailboxes of “Former” users no longer at the company.  We simply move the AD account to an OU that is not currently being synced with Office 365 with the Azure AD connect program.  This marks the mailbox and account for deletion within Office 365.

In the past I noticed that the On-Premise Exchange servers still showed these users had “Office 365” as their Mailbox Type.


I also have not configured Azure AD connect for any writeback functionality.

With some recent AD account compromises, I have noticed that these accounts were somehow sending Spam email to outbound email addresses. How could this happen? This mailbox had been deleted by Office 365, there is no way that you can send mail without an actual mailbox, right? Wrong! If you look at your On-Premise receive connectors’ security settings, you will see the following: Permission Groups -> Exchange users


This means that the On-Premise Exchange Servers allows these accounts that have been removed from Office 365 to connect and send email!! Even though they technically don’t have a mailbox on-premise or in Office 365. So it is now imperative to disable the remote mailboxes on your On-premise exchange servers. I fortunately have these AD accounts in a particular OU within AD, so I could execute the following command to immediately disable all of these mailboxes.

Get-RemoteMailbox -ResultSize Unlimited -OnPremisesOrganizationalUnit “OU=someOU,OU=anotherOU,DC=contoso,DC=com” | Disable-RemoteMailbox

I hope this helps anyone before it becomes an issue within your organization. Cheers!

About Parker Jardine

Manager of Systems Administration in the Information Technology Higher Education space. I enjoy biking, climbing, hockey, camping, mountaineering, hunting, paragliding, and just being outdoors. You can read my Make Magazine project articles about a diy solar panel and solar systems design in volumes 12 and 14.
This entry was posted in Exchange 2013, Office 365. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s