Forum Discussion
famadorian
Jun 12, 2019 | Brass Contributor
Advance Message Trace, Device Email Client
I have an Office 365 user who has somehow sent 500+ emails with a OneDrive link to some shady stuff. Of course, he hasn't done this, but something has. 1. something has sent 500+ emails with sha...
famadorian
Jun 17, 2019 | Brass Contributor
VasilMichev I'm not sure what you mean here. I see an IP: 52.232.123.80 for almost all messages, but this IP is a Microsoft IP, not the IP of the device that sent the message.
VasilMichev
Jun 17, 2019 | MVP
This might simply mean that OWA was used as the client. But it can also mean that something like a Flow interacted with the mailbox, etc. Hard to guess without being able to see what little info is in the message trace. Check the audit logs for the delete events, you might be able to see client info there.
- famadorian | Jun 24, 2019 | Brass Contributor
VasilMichev An inbox rule was responsible for the deletions, so that wouldn't belong to a user client. Is there no way to confirm that OWA was used as the client?
- Rob Ellis | Jun 24, 2019 | Bronze Contributor
If you have not already, follow the instructions here:
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
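
Added example, not part of the original thread: one way to follow the audit-log suggestion above from Exchange Online PowerShell, pulling delete and inbox-rule events for the mailbox and listing the client string and IP recorded with each. The mailbox address and the 14-day window are placeholders, and it assumes the ExchangeOnlineManagement module is installed and that auditing was enabled when the events occurred.

```powershell
# Added example: placeholders below must be adjusted to the incident.
$Mailbox = 'user@example.com'          # placeholder address
$Start   = (Get-Date).AddDays(-14)     # placeholder window
$End     = Get-Date

Connect-ExchangeOnline

# Deletions plus inbox-rule changes. Mail removed by a rule has no user
# client behind it, but the operation that created or edited the rule is audited.
$query = @{
    StartDate  = $Start
    EndDate    = $End
    UserIds    = $Mailbox
    Operations = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems',
                 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules'
    ResultSize = 5000
}
$records = Search-UnifiedAuditLog @query

# AuditData is a JSON string; expand it to reach the client fields.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $d.CreationTime
        Operation  = $d.Operation
        # Mailbox events use ClientIPAddress, cmdlet events use ClientIP;
        # a field that a record type lacks comes back empty.
        ClientIP   = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        ClientInfo = $d.ClientInfoString
        LogonType  = $d.LogonType
    }
}

# Timeline, then a count per client string to see which client dominates.
$events | Sort-Object Time | Format-Table -AutoSize
$events | Group-Object ClientInfo | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A `ClientInfo` value beginning with `Client=OWA` indicates Outlook on the web; other prefixes such as `Client=REST` or `Client=ActiveSync` indicate a different access path.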