G DATA 365 | Mail Protection

Why do I have to create a connector and a rule in Microsoft Exchange Online?

How attackers perform the bypass of cloud-based third-party security solutions

Once a domain has been added to your Microsoft Exchange Online and verified, each tenant will be assigned a default domain by Microsoft. Attackers know that the normal MX records for the onmicrosoft.com domains are usually "companyname.onmicrosoft.com".

Attackers can use the results of MX queries on "companyname.onmicrosoft.com" to populate entire databases, whose e-mails are hosted on Microsoft 365 and who has routed their MX record to third-party security software.

Based on this knowledge, e-mails can then be sent directly to Microsoft Exchange Online, which Microsoft would then accept. This allows such a gateway solution to be bypassed.

The use of connectors and rules secures the Microsoft Exchange Online against these bypasses and can save you having to change the MX record.

Changing the MX record to a gateway is not sufficient, as shown in the chapter "How attackers perform the bypass of cloud-based third-party security solutions".

In addition, Microsoft’s simplified DNS setup for Microsoft Exchange Online cannot be used for individual DNS routing. For experienced users who manage their DNS themselves, an additional change to the MX entry is possible without any problems; for less experienced users, it can cause complicated additional work. Further information on this topic can be found in the article Set MX record of your domain to G DATA 365 | Mail Protection.

The inbound connector

It is necessary to create a special inbound connector to ensure smooth mail traffic. As Microsoft uses the greylisting procedure and the G DATA 365 | Mail Protection uses different sender Ips, there may otherwise be unnecessary delays when receiving mail.


To ensure that G DATA 365 | Mail Protection cannot be bypassed and no reception problems occur due to greylisting, it is essential to create the partner connectors (inbound and outbound) and a rule.

Enter all domains that are to be monitored by the G DATA 365 | Mail Protection. The result is that all e-mails from the domains that have been entered in the rule, and which arrive from outside, are forwarded to G DATA 365 | Mail Protection first. Microsoft Exchange Online only accepts e-mails that have been checked by G DATA 365 | Mail Protection.

If a few points are observed, it is no longer necessary to change the MX entry, but this can be done on request.