This document will provide a list of common errors (and their solutions) that you may experience after re-enabling your account that was disabled by UW-Madison's Office of Cyber Security.
If UW-Madison's Office of Cyber Security determines a NetID account has been compromised, the Office of Cyber Security proactively disables the account. This is done to prevent further damage to a user's personal information as well as stop a phishing message from spreading to other user's email inboxes, putting them at risk.
The best way to avoid account complications is to follow good personal security measures and always be skeptical of emails soliciting login information. You can learn more about phishing here: Office 365 - Learn about junk email and phishing.
More on how UW-Madison users can recover their account after it was disabled because they replied to a phishing email can be found here: Phishing Detection and Remediation.
Some of the measures taken by UW-Madison's Office of Cyber Security to ensure user protection can cause temporary errors with NetID and Office 365 email login as well as email delivery. Additionally, users may sometimes experience issues related to account changes made while the account was compromised but before UW-Madison disabled the account. The following errors are the most common errors the Help Desk has seen following a user reactivating their NetID and their solutions.
Since being able to log into the account again, you have noticed that no new emails have arrived in the inbox, even if you send test emails to yourself.
Some sophisticated phishing attacks automatically add an inbox rule to your Office 365 inbox, so they can send large amounts of spam emails from your email account without you receiving any bounce back emails, emails from the Office 365 "Postmaster", or emails from others replying to the spam emails alerting you that your account has been compromised.
Note: If you are unable to recover deleted messages using that step, there are no further steps you can take. UW Madison does not keep backups of Office 365 email messages.
After the time the account was disabled, an email client (usually a non-Outlook client) stops work, or does not function correctly.
When UW-Madison's Office of Cyber Security disables an account, it also disables 3 email client protocols used by older email clients (UW SMTP Auth, IMAP, and POP) for the Office 365 account. This is done, as the majority of legitimate users do not use IMAP or POP protocols to access their Office 365 mailbox. Disabling IMAP, POP, and SMTP Auth will help minimize future risk for the user whose credentials have been compromised by leveraging the principle of least privilege. By disabling unused protocols, the risk of a bad actor harvesting mail or compromising the account again will be diminished. UW's SMTP Auth service is commonly abused by bad actors to validate stolen NetID credentials and send spam email. This service is sparsely used by our users. The most typical use case for the service is for people who need to send email as an email address on their account that is not specified as the primary email address.
Switch to a Microsoft supported client that uses more secure email protocols. A list can be found here: Office 365 - Which clients/protocols will be supported?
On rare occasions, there is a specific need for one of the three protocols (UW SMTP Auth, IMAP, and POP). In this case, the specific protocol desired can be enabled by following the Enable/Disable Protocol instructions at Office 365 - Which clients/protocols will be supported?. It is important to emphasize that a protocol should only be enabled if there is an intent to actively use the protocol. By limiting the protocols that are capable of accessing an account, a mailbox has a reduced risk of undesired access.
After a protocol is re-enabled, wait the amount of time specified by the Wisc Email Admin site for the change to take effect. To restore full functionality, it is often helpful to remove and re-add the email profile from the selected client.
When attempting to log in to Outlook Online at email.wisc.edu, you get the following error:
When UW-Madison's Office of Cyber Security disables an account, Outlook Online login is temporarily disabled to prevent malicious activity. After the NetID is enabled, it can take up to 24 hours to restore full login ability on the Outlook side.
Full login ability can take up to 24 hours to restore. If it has been over 24 hours since you had your account enabled by the Help Desk and you are still experiencing issues, try clearing your browser's cache and cookies (instructions: Clearing Browser Cache and Cookies), and restart your browser. If you continue to experience issues, contact the DoIT Help Desk: Get Help from DoIT.
When attempting to send outbound emails, you receive the following error when they attempt to send an email message: A custom mail flow rule created by an admin at uwprod.onmicrosoft.com has blocked your message blocked due to abuse
The email will look like this:
There are rare times when an account has been re-enabled (after being compromised) but is not properly removed from Microsoft's block transport rule. When this occurs, you will not be able to send any messages and will receive the error listed above.
Contact the DoIT Help Desk and mention the above error. See: Get Help from DoIT
When you attempt to send an email message, you quickly get a response from 'Microsoft Outlook', 'Postmaster', or 'Delivery Notice' saying a message could not be delivered.
The cause of the problem depends on the error you are getting. Most Messages will be under the 450 4.5.3 SMTP error code. Read the undeliverable message and try to find the following:
Error: 'Excessive email sent external this hour' or 'Excessive email sent today.' including the error responses "Excessive email sent external this hour - Please contact support for better mass email alternatives - 1,000 limit per hour", "Excessive email sent this hour - Please contact support for better mass email alternatives - 40,000 limit per hour", or "Excessive email sent today - Please contact support for better mass email alternatives - 50,000 limit per day"
Cause: When the account was compromised, the account sent more spam emails to others than the maximum daily limit of emails from the compromised account.
Solution: You will need to wait up to 24 hours for email counter to reset.
Error: 'Excessive email sent today' including the error responses "The delivery has failed to these recipients or groups: your message couldn't be delivered, your email address is suspected of sending spam and can't send outside of your organization. Please contact your email admin.", or "The message couldn't be delivered because you weren't recognized as a valid sender. The most common reasons for this is that your email address is expected of sending spam and its no longer able to send messages outside of your organization. Contact your email admin for assistance."
Cause: Sending emails outside of wisc.edu is blocked by Microsoft when an account is flagged for phishing. The Help Desk tool that re-enables accounts should remove this block but can fail on specific occasions.
Solution: Typically this error will go away within 24 hours after the account is re-enabled as the change matriculates through the email system. If this issue is still occurring and 24 hours has passed since the account was re-enabled, contact the DoIT Help Desk and request that your email be unblocked
Getting other undeliverable errors errors? See: Office 365 / WiscMail / WiscMail Plus - Understanding SMTP errors
In the email inbox, there are lots of emails from either 'Postmaster' or 'Microsoft Outlook'
When the account was compromised, the email account was sending large amounts of spam emails to other UW Madison students and faculty. Some of the messages resulted in an undeliverable reply because the account either reached the max email send limit for the day or sent to an invalid email address.
Delete the messages. There is not a way to select all and delete, but you can check multiple emails on a page and press Delete.
After an account was re-enabled, it is disabled again shortly after.
When setting a new password during the recovery procedure, the new password that was set was either too similar to the old password or too week.
Example: The old password that was compromised was Bucky1, and the new one was set to be Bucky2.
During the next account recovery, set a stronger password and make it completely different than the old one.