Forum Discussion
Investigating Excel-Initiated Email Activity Without Sent Items Trace
Two days ago, three emails were sent from a user’s inbox without leaving any copies in the Sent Items folder. The user did not send these emails manually—this is confirmed by the presence of the SimpleMAPI flag in Outlook.
**What I know:**
**Email Characteristics:**
- All three emails contained a Word attachment.
- No body text was present.
- The subject line matched the attachment file name.
- Two of the emails were identical.
**Recipients:**
- Emails were sent to colleagues who originally created the attached documents.
**Attachment Details:**
- One attachment appeared to be a temporary file (e.g., a3e6....).
**System Behavior:**
- No suspicious logins detected before or after the event.
- Emails were sent via the Outlook.exe process on the user’s machine.
- Excel.exe was identified as the parent initiating process according to Microsoft Defender endpoint logs.
**In Defender's Endpoint logs I found this under Typed Details (related to the firing of the 3 emails):**
- Downloaded file: `2057_5_0_word_httpsshredder-eu.osi.office.net_main.html`
- Path: `C:\Users\s***s\AppData\Local\Microsoft\Office\16.0\TapCache\2057_5_0_word_httpsshredder-eu.osi.office.net_main.html`
- Downloaded file: `~$rmalEmail.dotm`
- Path: `C:\Users\s***s\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm`
I am seeking assistance to replicate this issue and accurately determine how these three emails were triggered.
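A hunting query for the correlation described in the post, added here as an example and not part of the original post: it finds Outlook.exe process events whose initiating process is Excel.exe and lines them up with file events in the two folders named above. It uses the Microsoft Defender advanced hunting tables `DeviceProcessEvents` and `DeviceFileEvents`; the 7-day lookback and the 5-minute correlation window are assumptions.

```kql
// Assumptions (not from the original post): 7-day lookback, 5-minute window.
let lookback = 7d;
let window = 5m;
// Outlook.exe process events where Excel.exe is the initiating (parent) process.
let outlook_from_excel =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "outlook.exe"
    | where InitiatingProcessFileName =~ "excel.exe"
    | project DeviceId, DeviceName, AccountName,
              LaunchTime = Timestamp,
              OutlookCommandLine = ProcessCommandLine,
              ExcelCommandLine = InitiatingProcessCommandLine;
// File activity in the two folders named in the post (Templates and TapCache).
let office_file_activity =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where FolderPath contains @"\AppData\Roaming\Microsoft\Templates\"
         or FolderPath contains @"\AppData\Local\Microsoft\Office\16.0\TapCache\"
    | project DeviceId, FileTime = Timestamp, ActionType,
              TouchedFile = FileName, FolderPath,
              WritingProcess = InitiatingProcessFileName;
// Keep only file events that fall within the window around each Outlook launch.
outlook_from_excel
| join kind=inner (office_file_activity) on DeviceId
| where FileTime between ((LaunchTime - window) .. (LaunchTime + window))
| project LaunchTime, FileTime, DeviceName, AccountName, ExcelCommandLine,
          OutlookCommandLine, ActionType, TouchedFile, FolderPath, WritingProcess
| sort by LaunchTime asc, FileTime asc
```

The `ExcelCommandLine` column shows the workbook path Excel was started with, if any, which is the starting point for reproducing the behaviour on a test machine.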