I have a Server 2012 with Exchange 2015 installed.
We have a user who has left the company but we suspect has hacked a users email account remotely using a mobile phone.
The old user has entered all the details to use exchange on a mobile device but entered an old colleagues user name and password. He has then sent out emails as if from the still employed user.
This came to light as the user saw an email appear in his sent items and then suddenly disappear. He then went to his deleted items and it was in there. So before it disappeared he moved it into a sub folder.
I have run message tracking log and I can see emails sent from the employed user to the ex employee's private email address.
However, as it is from the current users account and the current user also uses a mobile device it looks legitimate.
Is there any way of seeing the source of the email, ie show it at least came from a mobile and not the office PC and finally is there anyway to see which mobile is was sent using.