Exchange 2015 Message logging
Hi
I have a Server 2012 with Exchange 2015 installed.
We have a user who has left the company but we suspect has hacked a users email account remotely using a mobile phone.
The old user has entered all the details to use exchange on a mobile device but entered an old colleagues user name and password. He has then sent out emails as if from the still employed user.
This came to light as the user saw an email appear in his sent items and then suddenly disappear. He then went to his deleted items and it was in there. So before it disappeared he moved it into a sub folder.
I have run message tracking log and I can see emails sent from the employed user to the ex employee's private email address.
However, as it is from the current users account and the current user also uses a mobile device it looks legitimate.
Is there any way of seeing the source of the email, ie show it at least came from a mobile and not the office PC and finally is there anyway to see which mobile is was sent using.
Thanks
Jay
I have a Server 2012 with Exchange 2015 installed.
We have a user who has left the company but we suspect has hacked a users email account remotely using a mobile phone.
The old user has entered all the details to use exchange on a mobile device but entered an old colleagues user name and password. He has then sent out emails as if from the still employed user.
This came to light as the user saw an email appear in his sent items and then suddenly disappear. He then went to his deleted items and it was in there. So before it disappeared he moved it into a sub folder.
I have run message tracking log and I can see emails sent from the employed user to the ex employee's private email address.
However, as it is from the current users account and the current user also uses a mobile device it looks legitimate.
Is there any way of seeing the source of the email, ie show it at least came from a mobile and not the office PC and finally is there anyway to see which mobile is was sent using.
Thanks
Jay
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi
That's worked I have 2 mobile devices listed and I have 1 x iPad so I can now check against the employed user.
Also as regards the message tracking log is there a way of seeing the content of the emails sent. I have the subject header but no more.
The logging is set using the default settings so if it is not available by default I will not have switched on additional logging.
Thanks
That's worked I have 2 mobile devices listed and I have 1 x iPad so I can now check against the employed user.
Also as regards the message tracking log is there a way of seeing the content of the emails sent. I have the subject header but no more.
The logging is set using the default settings so if it is not available by default I will not have switched on additional logging.
Thanks
You can see only subject header in Message tracking.
ASKER
By looking at the current users account I saw 3 mobile devices associated with the account. We accounted for 2 of the devices but not the 3rd.
The ex employees account was still available so I looked at the mobile devices associated with it and the serial numbers matched.
Got him!!!!
Many thanks.
The ex employees account was still available so I looked at the mobile devices associated with it and the serial numbers matched.
Got him!!!!
Many thanks.
Glad you got him. Now he can be held liable of any damages (if any). Cheers!
To keep previous e-mail address just create a transport rule or create a dump user with disabling ActiveSync and other features then set forwarding of that mailbox to new changed e-mail address, so if anyone is sending e-mail to old e-mail address then mail will not be dropped.