
Published on May 8th, 2020


Microsoft rolls out protection against Office 365 email storms



Microsoft is rolling out protection against Office 365 Reply-All email storms, an issue impacting Exchange Online users who are members of large and improperly locked down mail distribution lists.

Reply-All storms (also known as reply-allpocalypses) are huge chain-reaction sequences of emails that start when a member of a large organization's email distribution list sends a reply to all its members using the "Reply All" feature, in some cases effectively pinging the inboxes of thousands of people with a single mouse click.

A likely outcome of such an email storm is an inadvertent Distributed Denial of Service (DDoS) attack that would potentially take down one or all of the email servers that were used to deliver the tremendous amounts of replies exchanged.

Things get even more problematic when others use the "Reply All" feature, with tens if not hundreds of thousands of "email bombs" being delivered to all mailing list members for hours on end.

New email storm protection blocks new replies

"When a Reply-All mail storm happens in your organization it can disrupt business continuity and even cause unexpected throttling of your organization's mail flow within Office 365," Microsoft explained last year when it announced the future roll-out of the Reply-All Storm Protection in Exchange Online.

"When the feature detects a likely reply all storm taking place on a large DL it will block subsequent attempts to reply all to the thread and will return an NDR to the sender," the Microsoft Exchange team now announced. "The reply all block will remain in place for several hours."

The Reply All Storm Protection feature will send the bounce message — also known as a Non-Delivery Receipt (NDR) — to everyone in an "email storm" thread if it detects 10 reply-alls sent to over 5000 recipients within a period of 60 minutes.

[Image: Reply All Storm Protection bounce message (aka NDR). Source: Microsoft]

Future attempts to send additional replies to the email thread will also be blocked automatically during a 4-hour cool-down phase.





"The temporary block will be active for several hours, usually enough time to dampen end-user enthusiasm to reply to the thread, and thus curtail the storm before it gets started or before it gains much momentum," Microsoft explained.

Users will be told that their reply was not delivered and that they are required to stop using the Reply All feature and to send their message to a smaller number of recipients instead of the entire email list.
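The rule reported above (10 reply-alls to over 5000 recipients within 60 minutes, followed by a 4-hour block) can be modelled as a per-thread sliding-window counter. This is an added example, not Microsoft's implementation: the class and function names, the per-thread keying, and the choice to deliver the tenth reply and bounce only later ones are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as reported in the article; "over 5000" is read as strictly greater.
REPLY_THRESHOLD = 10
MIN_RECIPIENTS = 5000
WINDOW = timedelta(minutes=60)
COOL_DOWN = timedelta(hours=4)


class StormDetector:
    """Hypothetical per-thread sliding-window counter with a cool-down block."""

    def __init__(self):
        self.recent = defaultdict(deque)   # thread_id -> reply-all timestamps
        self.blocked_until = {}            # thread_id -> end of cool-down

    def handle(self, thread_id, sent_at, recipient_count):
        """Return 'deliver' or 'ndr' for one reply on a thread."""
        if recipient_count <= MIN_RECIPIENTS:
            return "deliver"               # replies to a smaller audience pass
        until = self.blocked_until.get(thread_id)
        if until is not None:
            if sent_at < until:
                return "ndr"               # still inside the cool-down
            del self.blocked_until[thread_id]
            self.recent[thread_id].clear() # block expired: start counting afresh
        window = self.recent[thread_id]
        window.append(sent_at)
        while sent_at - window[0] > WINDOW:
            window.popleft()               # forget replies older than 60 minutes
        if len(window) >= REPLY_THRESHOLD:
            self.blocked_until[thread_id] = sent_at + COOL_DOWN
        return "deliver"


def simulate(events):
    """Feed constructed (thread_id, sent_at, recipients) events in time order."""
    detector = StormDetector()
    return [detector.handle(*e) for e in sorted(events, key=lambda e: e[1])]


# Constructed sample: 12 reply-alls one minute apart to a 6000-member list,
# a reply to 40 people during the block, and a reply-all after the cool-down.
START = datetime(2020, 5, 8, 9, 0)
SAMPLE = [("thread-1", START + timedelta(minutes=i), 6000) for i in range(12)]
SAMPLE.append(("thread-1", START + timedelta(minutes=30), 40))
SAMPLE.append(("thread-1", START + timedelta(hours=5), 6000))
```

Running `simulate(SAMPLE)` shows the first ten reply-alls delivered, the next two bounced, and both the small-audience reply and the post-cool-down reply delivered.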

Storm threads block email comm channels

This new feature supplements other Exchange Online features already available and designed to help prevent Reply-All storms (i.e., Distribution List (DL) allowed sender lists and recipient limits) and to reduce their severity and impact.

"Over time, as we gather usage telemetry and customer feedback, we expect to tweak, fine-tune, and enhance the Reply All Storm Protection feature to make it even more valuable to a broader range of Office 365 customers," Microsoft added.

During January 2019, Microsoft employees fell victim to a reply-allpocalypse, with over 11,500 of them being caught up in a gigantic reply-all email thread.

Governments have also gotten their own share of reply-all chaos as shown by a holiday event invitation sent to a mailing list of roughly 25,000 Utah state employees (almost the entire state's workforce).
