Exchange 2015 Message logging

Hi

I have a Server 2012 with Exchange 2015 installed.

We have a user who has left the company but we suspect has hacked a user's email account remotely using a mobile phone.

The old user has entered all the details to use Exchange on a mobile device but entered an old colleague's user name and password. He has then sent out emails as if from the still employed user.

This came to light as the user saw an email appear in his sent items and then suddenly disappear. He then went to his deleted items and it was in there. So before it disappeared he moved it into a sub folder.

I have run message tracking log and I can see emails sent from the employed user to the ex employee's private email address.

However, as it is from the current user's account and the current user also uses a mobile device it looks legitimate.

Is there any way of seeing the source of the email, i.e. show it at least came from a mobile and not the office PC, and finally is there any way to see which mobile it was sent using?

Thanks

Jay
Optima Systems, Network Engineer, Asked:
Wayne88 Commented:
I don't know if you can check the source device of the email because if you look at the email header it will show your external IP address the Exchange server is in as the source. You can go to OWA and look under mobile devices and see if the ex-employee's phone is listed there or if there is more than one phone number listed.

If yes then you can send a remote wipe command to delete your company's data (careful, may get into litigation). Before you do, take a screenshot because now you have proof that a criminal offense took place and you can take it to the authority. Better yet, call the authority to come in and show them what you see as proof. Now you can press charges because I think it's a federal offense to hack.

After changing the password of the account then you would want to change the account password and restart the Exchange server/server to void the session's token so that his phone cannot resync with ActiveSync.

Amit Kumar Commented:
Agree with Wayne, but do one more thing: change the e-mail address and login ID of the user as well, so it will help you to protect that account as well.

To keep previous e-mail address just create a transport rule or create a dump user with disabling ActiveSync and other features then set forwarding of that mailbox to new changed e-mail address, so if anyone is sending e-mail to old e-mail address then mail will not be dropped.
Optima Systems, Network Engineer, Author Commented:
Hi

That's worked. I have 2 mobile devices listed and I have 1 x iPad so I can now check against the employed user.

Also, as regards the message tracking log, is there a way of seeing the content of the emails sent? I have the subject header but no more.

The logging is set using the default settings so if it is not available by default I will not have switched on additional logging.

Thanks

Amit Kumar Commented:
You can see only subject header in Message tracking.
Optima Systems, Network Engineer, Author Commented:
By looking at the current user's account I saw 3 mobile devices associated with the account. We accounted for 2 of the devices but not the 3rd.

The ex-employee's account was still available so I looked at the mobile devices associated with it and the serial numbers matched.

Got him!!!!

Many thanks.
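
The device comparison described in the comment above can be scripted. This is an added example, not part of the original thread: the function name `Find-SharedMobileDevice` is hypothetical, the device records are constructed, and matching on `DeviceID` (a property returned by `Get-MobileDeviceStatistics`) is an assumption, since the poster compared the serial numbers shown in the device list.

```powershell
# Correlate ActiveSync device partnerships across two mailboxes and report
# any device that appears on both. Property names follow the objects
# returned by Get-MobileDeviceStatistics (Exchange 2013 and later).
function Find-SharedMobileDevice {
    param(
        [Parameter(Mandatory)] [object[]] $SuspectDevices,  # partnerships on the ex-employee's mailbox
        [Parameter(Mandatory)] [object[]] $VictimDevices    # partnerships on the current user's mailbox
    )
    # Index the suspect's devices by normalized DeviceID.
    $known = @{}
    foreach ($d in $SuspectDevices) {
        if ($d.DeviceID) { $known[$d.DeviceID.Trim().ToUpperInvariant()] = $d }
    }
    # Emit one record per device that is also partnered with the victim mailbox.
    foreach ($v in $VictimDevices) {
        if (-not $v.DeviceID) { continue }
        $key = $v.DeviceID.Trim().ToUpperInvariant()
        if ($known.ContainsKey($key)) {
            [pscustomobject]@{
                DeviceID          = $key
                DeviceModel       = $v.DeviceModel
                FirstSyncOnVictim = $v.FirstSyncTime      # when the partnership was created
                LastSyncOnVictim  = $v.LastSuccessSync
                LastSyncOnSuspect = $known[$key].LastSuccessSync
            }
        }
    }
}

# Constructed sample records (not real device data).
$suspect = @(
    [pscustomobject]@{ DeviceID = 'EXAMPLEDEVICE0003'; DeviceModel = 'ExamplePhone'
                       FirstSyncTime = [datetime]'2015-01-10'; LastSuccessSync = [datetime]'2015-06-30' }
)
$victim = @(
    [pscustomobject]@{ DeviceID = 'EXAMPLEDEVICE0001'; DeviceModel = 'ExamplePhone'
                       FirstSyncTime = [datetime]'2014-03-02'; LastSuccessSync = [datetime]'2015-09-01' },
    [pscustomobject]@{ DeviceID = 'EXAMPLEDEVICE0002'; DeviceModel = 'ExampleTablet'
                       FirstSyncTime = [datetime]'2014-05-20'; LastSuccessSync = [datetime]'2015-09-01' },
    [pscustomobject]@{ DeviceID = 'exampledevice0003 '; DeviceModel = 'ExamplePhone'
                       FirstSyncTime = [datetime]'2015-08-14'; LastSuccessSync = [datetime]'2015-08-30' }
)

# On a live server, fill the two arrays from the Exchange Management Shell:
#   $suspect = Get-MobileDeviceStatistics -Mailbox '<ex-employee mailbox>'
#   $victim  = Get-MobileDeviceStatistics -Mailbox '<current user mailbox>'
Find-SharedMobileDevice -SuspectDevices $suspect -VictimDevices $victim | Format-List
```

Export the matching records before any remote wipe or removal of the device partnership, since the first-sync time on the victim mailbox is what ties the device to the period in question.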
Wayne88 Commented:
Glad you got him. Now he can be held liable for any damages (if any). Cheers!