I have recently discovered a major security issue related to deleted mailboxes in an Office 365 hybrid environment. Our former decommissioning process for accounts was to let Office 365 delete the mailboxes of "former" users who are no longer at the company. We simply move the AD account to an OU that is not synced to Office 365 by Azure AD Connect, which marks the mailbox and account for deletion within Office 365.
In the past I had noticed that the on-premises Exchange servers still showed these users with "Office 365" as their mailbox type.
I also have not configured Azure AD Connect for any writeback functionality.
With some recent AD account compromises, I noticed that these accounts were somehow sending spam to external email addresses. How could this happen? The mailbox had been deleted by Office 365, and there is no way to send mail without an actual mailbox, right? Wrong! If you look at the security settings of your on-premises receive connectors, you will see the following: Permission Groups -> Exchange users
This means the on-premises Exchange servers allow these accounts, which have been removed from Office 365, to connect and send email, even though they technically no longer have a mailbox on-premises or in Office 365. So it is now imperative to disable the remote mailboxes on your on-premises Exchange servers. I fortunately keep these AD accounts in a particular OU, so I could run the following command to immediately disable all of these remote mailboxes.
# Append -WhatIf to Disable-RemoteMailbox first to preview which remote mailboxes would be disabled
Get-RemoteMailbox -ResultSize Unlimited -OnPremisesOrganizationalUnit "OU=someOU,OU=anotherOU,DC=contoso,DC=com" | Disable-RemoteMailbox
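For environments where the decommissioned accounts are not all in one OU, here is an added audit script (my own example, not part of the original post) that reports which receive connectors accept "Exchange users", finds remote-mailbox objects whose AD account sits outside the synced OUs or is disabled, and dry-runs the disable. It assumes it is run from the on-premises Exchange Management Shell with the ActiveDirectory module loaded; the OU names in $SyncedOUs are placeholders.

```powershell
# Added example, not from the original post. Assumes the on-premises Exchange
# Management Shell plus the ActiveDirectory module; OU names are placeholders.

$SyncedOUs = @(
    'OU=Users,DC=contoso,DC=com',   # placeholder: the OUs Azure AD Connect syncs
    'OU=Staff,DC=contoso,DC=com'
)

# 1. Which receive connectors grant the "Exchange users" permission group?
#    These are the connectors a leftover remote-mailbox account can submit through.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups.ToString() -match 'ExchangeUsers' } |
    Select-Object Identity, Bindings, PermissionGroups | Format-Table -AutoSize

# 2. Remote-mailbox objects whose AD user is outside every synced OU (moved out
#    of scope, so the cloud mailbox is gone or going) or whose account is disabled.
$Stale = Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
    $user = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled
    $ou   = ($_.DistinguishedName -split ',', 2)[1]   # drop the leading CN= part
    $inScope = $false
    foreach ($synced in $SyncedOUs) {
        if ($ou -like "*$synced") { $inScope = $true; break }
    }
    if (-not $inScope -or -not $user.Enabled) {
        $reason = if (-not $inScope) { 'OutsideSyncScope' } else { 'AccountDisabled' }
        [pscustomobject]@{
            Name           = $_.Name
            PrimarySmtp    = $_.PrimarySmtpAddress
            OU             = $ou
            AccountEnabled = $user.Enabled
            Reason         = $reason
        }
    }
}

# Keep a record of what was found before changing anything.
$Stale | Export-Csv -Path .\stale-remote-mailboxes.csv -NoTypeInformation
$Stale | Format-Table -AutoSize

# 3. Dry run; remove -WhatIf once the list has been reviewed.
$Stale | ForEach-Object {
    Disable-RemoteMailbox -Identity $_.PrimarySmtp -Confirm:$false -WhatIf
}
```

Nested OUs deliberately excluded from sync inside a synced parent would be reported as in scope by the -like test, so adjust $SyncedOUs to match your actual Azure AD Connect filtering.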
I hope this helps anyone before it becomes an issue within your organization. Cheers!