Forum Discussion

kdrew098's avatar
kdrew098
Copper Contributor
Dec 17, 2021

Weird forwarding activity

We have a weird problem.  It was reported that our client's email is acting strange.  There are two companies involved that are actually connected but have separate Exchange accounts.  Suddenly, if someone sends an email from anyone from any contoso1.com address to Email address removed the email is immediately redirected to the CEO: Email address removed (it's the CEO's named account.) 

 

After checking all accounts for forwarding rules (including on the admin level) and finding nothing, we tried sending from a contoso1.com account (online) to Email address removed we were shocked to see that although we typed Email address removed in the SEND box, it immediately showed up in the SENT folder as having been sent to Email address removed!  There is no indication in the SENT mail message of the address we typed, only the CEO's address!  

 

Anyone have a clue?

 

Thanks for any help!

    • kdrew098's avatar
      kdrew098
      Copper Contributor

      VasilMichev Thank you for your help.  We created an test message aimed at the target at Email address removed and got the usual result of the message being redirected on our contoso2.com Exchange server.  We traced it and got the following result: (the company name is changed of course) 

       

      Message sent to contoso2-com.mail.protection.outlook.com at 104.47.57.110 using TLS1.2 with AES256

       

      This was followed by a response saying it had been submitted

       

      Finally a third response saying:

       

      Message received by: DM6PR05MB5244.namprd05.prod.outlook.com

       

      And of course, the email message is listed in the sender at contoso1.com as having been sent to the owner of contoso2.com and not the ap address.

       

      This seems to be happening on the senders side of this communication but I don't undestand why.

Resources