Forum Discussion
Advance Message Trace, Device Email Client
I'm afraid the message trace logs won't be of much help here, as they don't contain information about the client. You should be able to get the IP however. The event logs in the SCC do have the client information, but those are not generated for owner sent messages, so you might not even see the entries there. Records are generated for any delete events though, so you should be able to see those.
VasilMichev I'm not sure what you mean here. I see an IP: 52.232.123.80 for almost all messages, but this IP is a Microsoft IP, not the IP of the device that sent the message.
- VasilMichev, Jun 17, 2019, MVP
This might simply mean that OWA was used as the client. But it can also mean that something like a Flow interacted with the mailbox, etc. Hard to guess without being able to see what little info is in the message trace. Check the audit logs for the delete events, you might be able to see client info there.
- famadorian, Jun 24, 2019, Brass Contributor
VasilMichev An inbox rule was responsible for the deletions, so that wouldn't belong to a user client. Is there no way to confirm that OWA was used as the client?
- Rob Ellis, Jun 24, 2019, Bronze Contributor
If you have not already, follow the instructions here:
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
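
The audit-log check suggested in the thread (look at the delete events for client information), as an added example that is not part of the original posts: it summarises delete records by client string, IP and logon type. The records are constructed samples shaped like `Search-UnifiedAuditLog` output; the mailbox address, the IPs and the helper name `Get-DeleteClientSummary` are assumptions.

```powershell
# Constructed sample records (not real tenant data), shaped like the objects
# Search-UnifiedAuditLog returns: AuditData is a JSON string per record.
$records = @(
    [pscustomobject]@{ CreationDate = '2019-06-10T08:01:12'; Operations = 'SoftDelete'
        AuditData = '{"Operation":"SoftDelete","ClientIPAddress":"192.0.2.10","ClientInfoString":"Client=OWA;Action=ViaProxy","LogonType":0}' },
    [pscustomobject]@{ CreationDate = '2019-06-10T08:01:40'; Operations = 'SoftDelete'
        AuditData = '{"Operation":"SoftDelete","ClientIPAddress":"192.0.2.10","ClientInfoString":"Client=OWA;Action=ViaProxy","LogonType":0}' },
    [pscustomobject]@{ CreationDate = '2019-06-11T14:22:05'; Operations = 'HardDelete'
        AuditData = '{"Operation":"HardDelete","ClientIPAddress":"198.51.100.7","LogonType":2}' }
)

# Against a live tenant (needs an Exchange Online session), replace the samples with:
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -UserIds 'user@contoso.example' -Operations SoftDelete,HardDelete,MoveToDeletedItems `
#     -ResultSize 5000

function Get-DeleteClientSummary {
    param([Parameter(Mandatory)][object[]]$Records)

    # LogonType values in mailbox audit records: 0 owner, 1 admin, 2 delegate.
    $logon = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }

    $Records | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Operation = $d.Operation
            # Some records carry no client string; keep them visible, not dropped.
            Client    = if ($d.ClientInfoString) { $d.ClientInfoString } else { '(not recorded)' }
            ClientIP  = $d.ClientIPAddress
            LogonType = $logon[[int]$d.LogonType]
        }
    } | Group-Object -Property Client, ClientIP, LogonType |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

Get-DeleteClientSummary -Records $records | Format-Table -AutoSize
```

Each output row is one distinct combination of client string, IP and logon type with its number of delete events, so an unexpected client or a delegate/admin logon stands out from the owner's usual pattern.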