Exchange 2015 Message logging


I have a Server 2012 with Exchange 2015 installed.

We have a user who has left the company but we suspect has hacked a user's email account remotely using a mobile phone.

The old user has entered all the details to use Exchange on a mobile device but entered an old colleague's user name and password. He has then sent out emails as if from the still employed user.

This came to light as the user saw an email appear in his sent items and then suddenly disappear. He then went to his deleted items and it was in there. So before it disappeared he moved it into a sub folder.

I have run message tracking log and I can see emails sent from the employed user to the ex employee's private email address.

However, as it is from the current user's account and the current user also uses a mobile device it looks legitimate.

Is there any way of seeing the source of the email, i.e. show it at least came from a mobile and not the office PC, and finally is there any way to see which mobile it was sent using?


Optima Systems, Network Engineer, Asked:

I don't know if you can check the source device of the email because if you look at the email header it will show your external IP address the Exchange server is in as the source.  You can go to OWA and look under mobile devices and see if the ex employee's phone is listed there or if there are more than one phone number listed.

If yes then you can send a remote wipe command to delete your company's data (careful, may get into litigation).  Before you do, take a screenshot because now you have proof that a criminal offense took place and you can take it to the authority.  Better yet, call the authority to come in and show them what you see as proof.  Now you can press charges because I think it's a federal offense to hack.

After changing the password of the account then you would want to change the account password and restart the Exchange server/server to void the session's token so that his phone cannot resync with ActiveSync.

Amit Kumar Commented:
Agree with Wayne, but do one more thing: change the e-mail address and login ID of the user as well, so it will help you to protect that account as well.

To keep previous e-mail address just create a transport rule or create a dump user with disabling ActiveSync and other features then set forwarding of that mailbox to new changed e-mail address, so if anyone is sending e-mail to old e-mail address then mail will not be dropped.
Optima Systems, Network Engineer, Author Commented:

That's worked. I have 2 mobile devices listed and I have 1 x iPad so I can now check against the employed user.

Also, as regards the message tracking log, is there a way of seeing the content of the emails sent? I have the subject header but no more.

The logging is set using the default settings so if it is not available by default I will not have switched on additional logging.

Amit Kumar Commented:
You can see only subject header in Message tracking.
Optima Systems, Network Engineer, Author Commented:
By looking at the current user's account I saw 3 mobile devices associated with the account. We accounted for 2 of the devices but not the 3rd.

The ex-employee's account was still available so I looked at the mobile devices associated with it and the serial numbers matched.

Got him!!!!

Many thanks.
Glad you got him.  Now he can be held liable of any damages (if any).  Cheers!
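
The check that closed this thread (an unaccounted device on the current user's mailbox matching a device on the ex-employee's mailbox) can also be scripted. The following is an added example, not code from any poster in the thread; it assumes the Exchange Management Shell cmdlet `Get-MobileDevice` and matches on its `DeviceId` property, and the function name, mailbox names and sample values are hypothetical.

```powershell
# Added example. Lists ActiveSync partnerships whose DeviceId appears on BOTH mailboxes.
# Assumption: input objects expose DeviceId, DeviceModel and FirstSyncTime,
# as the objects returned by Get-MobileDevice do.
function Find-SharedMobileDevice {
    param(
        [object[]] $CurrentUserDevices = @(),
        [object[]] $FormerUserDevices  = @()
    )
    # Index the former user's devices by DeviceId.
    # A @{} hashtable compares string keys case-insensitively.
    $index = @{}
    foreach ($d in $FormerUserDevices) {
        if ($d.DeviceId) { $index[[string]$d.DeviceId] = $d }
    }
    # Emit one row per device that is partnered with both mailboxes.
    foreach ($d in $CurrentUserDevices) {
        $id = [string]$d.DeviceId
        if ($id -and $index.ContainsKey($id)) {
            [pscustomobject]@{
                DeviceId               = $id
                DeviceModel            = $d.DeviceModel
                FirstSyncOnCurrentUser = $d.FirstSyncTime
                FirstSyncOnFormerUser  = $index[$id].FirstSyncTime
            }
        }
    }
}

# Live use in the Exchange Management Shell (mailbox names are placeholders):
#   $current = Get-MobileDevice -Mailbox 'current.user'
#   $former  = Get-MobileDevice -Mailbox 'former.user'
#   Find-SharedMobileDevice -CurrentUserDevices $current -FormerUserDevices $former |
#       Export-Csv .\shared-devices.csv -NoTypeInformation   # keep a copy as evidence

# Constructed sample data so the function can be tried without an Exchange server.
$current = @(
    [pscustomobject]@{ DeviceId = 'SAMPLE-PHONE-01';  DeviceModel = 'Phone';  FirstSyncTime = [datetime]'2015-01-12 09:00' }
    [pscustomobject]@{ DeviceId = 'SAMPLE-TABLET-01'; DeviceModel = 'Tablet'; FirstSyncTime = [datetime]'2015-02-03 14:30' }
    [pscustomobject]@{ DeviceId = 'SAMPLE-PHONE-99';  DeviceModel = 'Phone';  FirstSyncTime = [datetime]'2015-06-20 22:10' }
)
$former = @(
    [pscustomobject]@{ DeviceId = 'sample-phone-99';  DeviceModel = 'Phone';  FirstSyncTime = [datetime]'2014-09-01 08:45' }
)
Find-SharedMobileDevice -CurrentUserDevices $current -FormerUserDevices $former | Format-List
```

Exporting the result before removing or wiping the device partnership preserves the record that the screenshot advice earlier in the thread is meant to capture.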