Investigating someone accessing an email account on a server that should not have through OWA.
We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed.
The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:
Is there anyway to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this:
Does anyone have any ideas?